ANPD Approves Data Breach Notifying Regulation

Resolution No. 15, of April 24, 2024, of the Brazilian Data Protection Authority ("ANPD"), approved the Data Breach Notifying Regulation (the “Regulation”). The Regulation establishes procedures for data controllers to notify subjects of data breaches, as required by Article 48 of the Brazilian General Data Protection Law (LGPD).

What is considered a data breach?

• Data breaches are any confirmed adverse event that impacts the confidentiality, integrity, availability, or authenticity of personal data.

Notification Triggers

• Only data breaches that may entail a relevant risk or damage to the data subjects must be reported. These reports must be made to the affected data subjects and to the ANPD.
• According to the ANPD, there is "relevant risk or damage to the data subjects" when a data breach may significantly affect the interests and fundamental rights of the data subjects, in addition to at least one of the following criteria:
  • sensitive personal data;
  • personal data of children, adolescents, or the elderly;
  • financial data (related to financial transactions, including for contracting services and purchasing products);
  • authentication data in systems (access credentials, such as login, password or tokens);
  • data protected by legal, judicial, or professional secrecy; or
  • large-scale data (when it involves a great number of data subjects, data volume, duration, frequency and geographic extent—ANPD has provided a preliminary study with methodology to identify large-scale processing).

• The ANPD identifies several potential consequences for data subjects resulting from a data breach, which may hinder the subjects’ rights and interests or use of services, or which may inflict moral and material damages on data subjects. These include financial fraud, identity theft, and damage to the image or reputation of affected individuals.

Deadline

• Except in the case of small processing agents, pursuant to ANPD Resolution No. 2, the data breach must be reported to the ANPD and to the affected data subjects within three business days, starting from the date on which the controller confirms that the data breach affected personal data. If the report is made by an attorney-in-fact, the power-of-attorney must also be submitted within that period.
• Information provided to the ANPD may be supplemented within 20 business days from the date of the first notification.

What should be included in notifications to the ANPD and data subjects?

• The ANPD’s notification must include, among other points:
  • whether there is sensitive data and the categories of affected data;
  • the number of affected subjects, distinguishing, where possible, the number of minors and elderly people affected. In addition, the number of data subjects whose data is processed in the affected activities by the data breach must be indicated;
  • any technical measures that have been, and will be, adopted to reverse or mitigate the data breach;
  • related risks, indicating the impacts on the data subjects; and
  • a description of the data breach, including the root cause, if one can be identified.
• The data subjects’ notification must indicate the data affected, the risks arising from the data breach, and the measures to reverse or mitigate the data breach. However, controllers should emphasize a point of contact for further information, such as a Data Protection Officer. The notification to the data subjects should also include recommendations to reverse or mitigate the effects of the data breach.
  • The notification to the data subjects should be, if possible, individualized and direct and may be communicated by telephone, e-mail, electronic message, or mail, provided that the controller is able to document data subjects receipt of the notification.
  • If it is not possible to individually address affected data subjects, this notification can be posted to the controller's website, applications, social media, or other service channels. If the ANPD determines that such notification was not sufficient to reach the affected subjects, the controller will need to further disseminate notice of the data breach through other methods, including print, radio, and internet media, at the expense of the controller.
• The data breach notification process is not automatically confidential; however, confidential treatment may be requested by the controller.

Mandatory Documentation

• It is mandatory to prepare a data breach processing report describing the data breach, alongside the measures taken to reverse or mitigate its effects. The ANPD may request this document at any time.
• It is also mandatory to maintain a record of all data breaches, regardless of whether such breaches were reported to the ANPD and/or the data subjects, for a minimum period of five years. This record must contain, among other information, dates of the data breaches, a general description of how the data breaches occurred, the type of data affected, the number of data subjects affected, risks arising from the breach, measures taken to mitigate it, and reasons for non-notification, if applicable.

ANPD’s powers during the administrative proceeding

• Once the administrative proceeding with the ANPD begins with the notification of the data breach, the ANPD may, at any time, carry out inspections and request additional information from the controller to clarify its decisions. Additionally, the ANPD may mandate that the controller implement certain preventive measures . The controller may also be subject to a daily fine if it fails to comply with the ANPD’s requests.
  • These safeguard measures are not sanctions, and are intended only to prevent or cease further damage to data subjects. A controller’s non-compliance, however, may lead to an administrative sanctioning proceeding, opening the door to various sanctions, such as a fine of 2% of the private entity's revenue, or even total interruption of internal data processing.
• The Regulation allows the ANPD to begin investigating data breaches it becomes aware of without being notified by the controller. In this case, it may make formal requests for documentation and/or information to the controller under investigation.
  • Likewise, non-cooperation with the ANPD, or failure to notify the ANPD of a data breach when required to do so, may lead to administrative sanctions.

The Resolution is binding and took effect immediately. It is also applicable to ongoing data breach notification proceedings.