The National Data Protection Authority (ANPD) approved, at the end of April, the Security Incident Communication Regulation (Resolution No. 15), which aims to establish the procedure for communicating incidents that personal data controllers must follow.

We highlight the following points:

 

  • What is an incident? Any confirmed adverse event that impacts the confidentiality, integrity, availability, or authenticity of personal data. 
  • Reporting criteria: Only incidents posing a significant risk to data subjects should be reported. A risk is deemed significant if, besides affecting the fundamental interests or rights of data subjects, it involves sensitive personal data, data of minors or the elderly, financial data, system authentication data, legally, professionally, or judicially confidential data, or large-scale data. 
  • Reporting deadline: Incidents must be reported within three business days of the controller confirming their impact on personal data, with exceptions for small-scale processing entities. 
  • Information to be provided: Reports should include details such as the presence of sensitive data, categories of affected data, the number of affected individuals, technical measures taken by the controller, risks and impacts to data subjects, and a description of the incident, including its root cause. 
  • Communication to data subjects: In addition to the affected data, the risks of the incident, and the measures taken, the communication should primarily aim to provide the DPO's details and explain how to obtain more information. 
  • Required documentation: An incident treatment report, describing the measures taken to reverse or mitigate the effects; and a record of all security incidents that occurred, kept for a minimum period of 5 years. 
  • ANPD authority during the process: ANPD is empowered to conduct inspections, request additional information from controllers, prescribe preventive measures, and impose daily fines for non-compliance.

Campos Thomaz Advogados specializes in law and technology. We have a team available to answer any questions and provide legal advice regarding the subject of this alert.
