Brazil’s data protection authority publishes resolution on security incident reporting

On April 26, 2024, the Brazilian Data Protection Authority (ANPD) published Resolution CD/ANPD No. 15/2024, which approves the Security Incident Reporting Regulation (Regulation) under the Brazilian Data Protection Law (Law No. 13,709/2018 or LGPD).

The Regulation came into effect on the date it was published and applies to ongoing security incident processes without prejudice to procedural acts conducted and consolidated beforehand.

Among other provisions, it establishes relevant definitions, criteria and deadlines for reporting security incidents to the ANPD and to data subjects, criteria for assessing relevant risk or damage to data subjects, criteria for preparing security incident records, and the activities to be adopted by the ANPD upon communication.

The ANPD’s main statement on the topic to date was the non-binding general guidelines it published in 2022. Additionally, a public consultation on the matter was held in 2023, the results of which contributed to the development of the Regulation.

Assessment of risk or relevant damage to data subjects

Controllers must notify both the ANPD and data subjects if a security incident occurs that could entail a relevant risk or damage to the data subjects.

The security incident may entail a relevant risk or damage to the data subjects when it both could significantly affect the interests and fundamental rights of the data subjects and involves at least one of the following criteria:

• Sensitive personal data;
• Data of children, adolescents, or the elderly;
• Financial data;
• System authentication data;
• Data protected by legal, judicial or professional confidentiality; or
• Large-scale quantities of data.

Upon being notified of a potential incident, the ANPD will also analyze these criteria to assess the severity of the incident within the scope of the security incident reporting procedure.

Criteria for reporting a security incident

Reporting to the ANPD

As per the resolution, incident reports to the ANPD must contain the following:

• A description of the nature and category of personal data affected;
• The number of data subjects affected, specifying (when applicable) the number of children, adolescents, or elderly people involved;
• The technical and security measures used to protect personal data, implemented both before and after the incident, respecting commercial and industrial secrecy;
• The risks related to the incident, including the identification of possible impacts on the data subjects;
• The reasons for any delay if the ANPD was not notified within three (3) business days;
• Measures that have been or will be adopted to reverse or mitigate the incident’s effects on data subjects;
• The date the incident occurred (when this can be determined) and the date the controller became aware of it;
• The contact details of the Data Protection Officer (DPO) or someone representing the data controller;
• Information identifying the data controller and a declaration that it is a small-scale data processing agent (if applicable);
• Information identifying the data processor (when applicable);
• A description of the incident, including the main cause if it can be identified; and
• The total number of data subjects whose data was processed in the processing activities linked to the incident.

Incidents must be reported by the controller, the DPO, or via an authorized legal representative. When reported by the DPO, documentary evidence of contractual, employment or functional ties must be submitted, while a legal representative must provide a document demonstrating their power to represent in relation to ANPD matters. In the event this obligation is not met, the ANPD may investigate the alleged security incident through an official investigation procedure.

Reporting to data subjects

Security incident reports to data subjects must contain the following information:

• A description of the nature and category of personal data affected;
• The technical and security measures used to protect the data, respecting commercial and industrial secrets;
• The risks related to the incident, including the identification of potential impacts on data subjects;
• Reasons for any delay in reporting if this was not done within three (3) business days;
• Measures that have been or will be adopted to reverse or mitigate the effects of the incident (when applicable);
• The date the processing agent became aware of the security incident; and
• Contact details for subjects to obtain further information and, when applicable, the contact details of the DPO.

Incident reporting must also use simple, direct and easily understandable language. If it is possible to identify the data subjects, reporting must also be individualized.

If direct and individualized reporting is proven to be unfeasible or it is impossible to partially or fully identify the data subjects affected, the controller must report the occurrence of the incident via available means of disclosure for at least three (3) months. Such means could include the controller’s website, applications, social media, and data subject service channels that allow for broad awareness and easy, direct visualization,

The controller must also attach a declaration to the process that the incident has been reported to the data subjects (stating the form of disclosure used) within three (3) business days, in line with the stipulated deadline for notifying data subjects.

When possible, including recommendations for data subjects that can reverse or mitigate the effects of the incident should be considered as a best practice. This can also be considered within the ANPD’s parameters in relation to applying possible administrative penalties.

Requests for confidentiality

The controller is responsible for requesting confidentiality from the ANPD, indicating the information that access should be restricted to – such as that whose disclosure may violate the commercial or industrial secrecy of its business activities.

Deadlines for incident reporting

• The ANPD: the controller must report the incident within three (3) business days, except where a specific legal timeframe for reporting is established. The deadline begins from the moment the controller becomes aware of the incident affecting personal data.
• Supplementary information: Additional information may be provided (in a reasoned manner) within twenty (20) business days from the date of reporting.
• Data subjects: the controller must report incidents within three (3) business days of becoming aware of the incident affecting personal data.

Recording security incidents

Data controllers must maintain a record of their security incidents – including those not reported to the ANPD and data subjects – for a minimum of five (5) years, unless additional obligations require a longer period. The ANPD can also request incident records at any time.

The records must contain, at a minimum:

• The date the incident was discovered;
• A general description of the circumstances in which the incident occurred;
• The nature and category of data affected;
• The number of data subjects affected;
• An assessment of the risk and potential damage to data subjects;
• Correction and mitigation measures taken in relation to the incident, when applicable;
• The form and content of the reporting, if the incident has been reported to the ANPD and data subjects; and
• The reasons for not reporting the incident, if applicable.

The ANPD’s role in the context of security incidents

• Security incident proceedings: The ANPD opens an administrative proceeding that encompasses both the investigation and the reporting of the security incident. The purpose of the proceeding is to oversee actions related to the security incident (and the response to it) that may cause significant risk or damage to data subjects, aiming to safeguard their rights. The ANPD may carry out audits or inspections of data processing agents (or order them to be carried out) at any time in order to collect additional information or validate the information received. This process may be initiated ex officio in the case of the investigation procedure, or in the case of the reporting procedure, upon receiving a formal notification from the processing agent.
• Security incident investigation procedure: Opened by the ANPD to investigate if the data controller has failed to report the occurrence of a security incident. The ANPD may request information from the data controller to investigate whether the security incident occurred. The ANPD will evaluate the incident based on the same criteria outlined for assessing risk or relevant damage to data subjects. If the ANPD confirms a security incident occurred, it will require the data controller to formally report it to the ANPD and to the data subjects in line with the deadlines and conditions set out in the Regulation.
• Security incident reporting procedure: Opened after the ANPD is formally notified of a security incident. After assessing the severity of the incident, the ANPD may order the controller to adopt measures to safeguard the rights of the data subjects, such as widely publicizing the incident in the media (not to be confused with the official penalty of publicizing the incident), and measures to reverse or mitigate the effects of the incident.

Terminating the security incident reporting process

The security incident reporting process will be terminated in the following situations:

• When there is insufficient evidence that the incident occurred (the process may be reopened if new facts arise);
• The ANPD’s view of the incident is that it does not have the potential to cause relevant risk or damage to the data subjects;
• The incident does not involve personal data;
• All additional measures have been taken to mitigate or reverse the effects created; or
• The incident is reported to the data subjects, and relevant measures are taken by the controller in accordance with the LGPD, the Regulation’s provisions and the ANPD’s decisions.

The resolution’s application to small processing agents

The deadline for small processing agents (as defined in ANPD Resolution No. 2/2022) to report incidents to the ANPD (including supplementary reporting) and to data subjects is twice as long as for other agents. Moreover, when reporting to the ANPD, small processing agents must submit a declaration confirming that they meet the criteria to be considered as such.

For further information, please contact Mattos Filho’s Data Protection & Cybersecurity practice area.