Today, Resolution CD/ANPD no. 15, dated April 24, 2024 ("Regulation"), was published by the Brazilian National Data Protection Authority ("ANPD" or "Brazilian DPA"), regulating the rules regarding the notification of security incidents involving personal data within the scope of the ANPD. The Regulation is important since it provides further details on various aspects applicable to the theme of data security incident’s notification, which still lacked attention by the Brazilian DPA.
The Regulation established that a data security incident must be reported when it may significantly affect the interests and fundamental rights of data subjects and involves one of the following data categories: (i) sensitive data; (ii) data of minors or elderly individuals; (iii) financial data; (iv) authentication data in systems; (v) data protected by legal, professional, or judicial secrecy; and (vi) large-scale data.
Additionally, the Regulation determines that notifications to the data subjects and the Authority must be made within 3 business days from the knowledge that the incident involved personal data, and provided a deadline of 20 business days for the submission of additional information, if necessary. The Regulation also listed the information that should be included in the notifications for both the data subject and the Authority, expanding the list already existing in the LGPD.
Specifically regarding communication to data subjects, the norm established that this notification should be individualized, if possible, through means such as mail, email, telephone, or electronic message. In cases where individual notification to all data subjects is not possible, the controller must maintain a public notice, for a minimum period of 90 days, on its website, applications, social networks, and/or customer service channels.
Another relevant aspect established in the Regulation was the obligation to maintain records of data security incidents, even if they were not notified to the ANPD, for a minimum period of 5 years, containing information as listed in the norm’s text.
The Regulation also determined that the Authority may request immediate measures to be taken by the controller, even during the data incident notification procedure. If the controller does not comply with such measures, the Authority may impose daily fines for noncompliance.
Finally, the Regulation anticipated that the ANPD may, after the investigation of the data incident notification procedure, request the controller to take actions, that will not be considered applied sanctions but preventive measures, such as implementing measures to reverse or mitigate the effects generated, as well as widely publicizing the incident through printed media, radio, and/or internet channels.
Our team is at your disposal for further clarifications, as well as to provide assistance with the procedures for fulfilling LGPD and/or ANPD regulatory obligations.
Gustavo Flausino Coelho – gustavo@bastilhocoelho.com.br
Fernando Naegele – fernando@bastilhocoelho.com.br