Continuing the development of its regulatory activities, the Brazilian National Data Protection Authority (“ANPD” or “Brazilian DPA”) recently issued news regarding the regulation of the filing of notices of data security incidents involving personal data.
Besides the new webpage to file complaints and petitions from data subjects, highlighted and analyzed in a previous newsletter, the Brazilian DPA is carrying out a public consultation to discuss a pending Resolution providing the rules for the submission of notices of data security incidents, and has scheduled a public hearing on the same topic, to be held on 23 May 2023.
This public hearing will be broadcast live to the general public on the ANPD’s YouTube channel, allowing the participation of individuals who submitted a prior request to take part. Regarding the public consultation, the Brazilian DPA will be open to the submission of inputs by the general public until 31 May 2023.
The pending Resolution text is available on the ANPD’s website. One of the more relevant topics being discussed is the establishment of clearer provisions on the cases in which a notice will be deemed necessary, namely when one of the criteria provided by the Resolution is fulfilled.
Another main aspect included in the Resolution is a deadline to file the aforementioned notices with the Brazilian DPA and the data subjects involved, a topic which is currently subject to several discussions in the Brazilian data protection scene, since the LGPD lacks a specific provision on this matter.
Hence, the pending Resolution aims to establish a deadline of three working days to file the notices with the ANPD and the data subjects, starting from the date when the controller became aware of the data security incident, similar to what has been provided in other countries’ regulations. Moreover, if the controller does not have all the necessary information within this timeframe, it will be allowed to file a complementary notice within an extra period of twenty working days from the date of awareness of the data security incident.
It should be noted that the Resolution also provides the mandatory information that shall be addressed in the notifications to the data subjects and the ANPD, establishing a more extensive list of items to be included in the notices to the latter. However, the Resolution also provides that the notices to the data subjects shall be made individually, if possible, and in a clear and concise manner.
Finally, the Resolution plans to create an obligation to keep a record of the data security incidents faced by the controller over at least the past five years, besides providing details on the ANPD’s administrative procedures to investigate the data security incidents notified.
Our team is at your disposal for further clarifications, as well as to provide assistance with the procedures for fulfilling LGPD and/or ANPD regulatory obligations.
Gustavo Flausino Coelho – firstname.lastname@example.org
Fernando Naegele – email@example.com