ANPD approves the Regulation on the Reporting of Security Incidents


On April 24, by means of Resolution CD/ANPD No. 15/2024, the National Data Protection Authority (“ANPD”) approved the Regulation on the Reporting of Security Incidents (“Regulation”), establishing the procedures to be adopted in the event of security incidents which may cause substantial risk or damage to data subjects.

The Regulation, whose provisions also apply to ongoing reporting proceedings, sets out definitions and clarifies important points that will help data controllers assess incidents, decide whether incidents must be reported to ANPD and to data subjects, determine the content and form of the communications, and keep records of incidents (which must be kept even where the incident is not reported to ANPD or to data subjects), among other relevant aspects.

Under the Regulation, security incidents that may cause substantial risk or damage to data subjects are those that (a) may significantly affect the fundamental rights and interests of data subjects and (b) cumulatively, involve at least one of the following criteria: (i) sensitive data; (ii) data of children, teenagers or the elderly; (iii) financial data; (iv) authentication data in systems; (v) data protected by legal, judicial or professional secrecy; or (vi) large-scale data.

According to the Regulation, security incidents that may significantly affect the fundamental rights and interests of data subjects will be characterized, among others, by situations where the processing activity may prevent the exercise of rights or the use of a service, or cause material or moral damage to data subjects (such as discrimination, violation of physical integrity, the right to image and reputation, financial fraud or identity theft).

The incident must be reported to ANPD and to data subjects within three business days from the date on which the data controller becomes aware that the incident affected personal data (except where specific legislation establishes a different reporting deadline). The report to ANPD may be supplemented with additional information, with justification, within twenty business days from the date of the initial report. Small processing agents benefit from longer reporting periods (twice the timeframes mentioned above).

The Regulation also provides for the possibility of ANPD initiating proceedings to investigate the occurrence of a security incident which has not been communicated by the data controller.

The full wording of the Regulation in Portuguese is available on ANPD’s website (https://www.in.gov.br/en/web/dou/-/resolucao-cd/anpd-n-15-de-24-de-abril-de-2024-556243024).

For more information, please contact the leaders of our Privacy and Data Protection team, Adriano Chaves and Marcia Issler Mandelbaum.

This bulletin is for information purposes only and should not be relied upon to obtain legal advice on any of the topics dealt with here.

CGM Advogados. All rights reserved.
