ANPD updates instructions on personal data breach reporting

December 27, 2022

On December 23, 2022, the National Data Protection Authority ("ANPD") released new instructions for data breach reporting. The new guidelines update a previous guide that had been released on February 22, 2021, which provides orientations on (i) the measures that shall be taken when a data breach is identified, (ii) the information that must be reported to the ANPD, (iii) the situations in which data subjects must be  notified of a data breach, and (iv) the deadline and the means to report a data breach to the ANPD.  

Among the new instructions, the ANPD reinforces that not every data breach must be reported, the controller is responsible for assessing the risks and impacts to the data subjects in order to verify the necessity of reporting. When assessing the risks related to the data breach, controllers shall consider the following aspects:

  • The context of the data processing activity;
  • The categories and the number of affected data subjects;
  • The types and amount of data breached;
  • The potential material, moral, and reputational damages caused to data subjects;
  • Whether the data breached were protected in such a way as to make it impossible to identify the data subjects;
  • The mitigation measures adopted by the controller after the data breach.

The ANPD yet reinforces that data breach reporting shall be also addressed to data subjects involved, and not only to the Authority.

In addition, according to the new instructions, data breaches reporting is a responsibility of the controller. The processor is only responsible for informing the identification of data breaches and cooperating with any necessary measures. This point had been criticized in the guide released in 2021, which admitted the possibility of the processor reporting data breaches to the ANPD and data subjects. The new ANPD instructions even recommends to establish in the contract the processor’s obligation to notify the controller without unjustified delay if any indication of a data breach is identified.

Another significant update is that, from now on, communications shall be forwarded by Electronic Petitioning on the SUPER.BR website, and no longer on the SEI System. The form to be submitted has also been updated.

The suggested deadline for notification remains 2 working days, starting from the moment the controller becomes aware of the data breach.

Our team is closely monitoring any measures regarding the LGPD and assisting clients on this matter. For more information on the subject, please e-mail us at dataprivacy@lickslegal.com.