‍

The Brazilian Data Protection Authority (ANPD), a public entity created by the General Data Protection Act (LGPD), responsible for regulating, supervising, guiding, educating, and acting on security incidents involving personal data, as well as for cooperating with other similar international entities, published CD/ANPD’s Rule #15, dated April 24, 2024, in the Federal Register on April 26, 2024. Taking advantage of the last public consultation on the topic, the Rule approved the Regulation on Security Incident Reporting.

Below are the main new features introduced by the regulation:

‍

WHEN REPORTING IS MANDATORY

The security incident reporting process begins:

‍

1. Sua sponte, in the case of a security incident investigation procedure.

2. Upon receipt of the report, duly formalized through an electronic form made available by the ANPD and completed by the Data Protection Officer, accompanied by a document proving contractual employment or functional relationship, or through a designated representative, accompanied by an instrument with specific powers of representation with the ANPD in the case of security incident reporting procedure.

‍

Security incidents involving personal data must always be reported to the ANPD. This can be done through its electronic form on the Internet and to the data subject when it involves one of the following criteria listed below:

‍

1. Sensitive personal data;

2. Data from children, adolescents, or the elderly;

3. Financial data;

4. Authentication data in systems;

5. Data protected by legal, judicial, or professional secrecy;

6. Large-scale data.

‍

DEADLINE FOR REPORTING A SECURITY INCIDENT INVOLVING PERSONAL DATA

The report of a security incident involving personal data must be made to the ANPD and the data subject within 3 working days from the moment the controller becomes aware that the incident has affected these data. For small agents (whether controllers or operators), the period is doubled.

If the extent of the problem and the number of personal data subjects is unidentifiable within this period, a preliminary report is recommended within the deadline, clarifying that the investigation is in progress to determine the data subjects who were impacted and the types of data inappropriately accessed or shared. Once the investigation has been carried out, the controller has 20 working days to complete this information.

The ANPD may also initiate administrative sanctioning proceedings to investigate the non-compliance with the deadlines mentioned above.

‍

WHAT MUST BE REPORTED TO THE ANPD

Security incident reporting involving personal data to the ANPD must contain the following information:

‍

1. A description of the nature and category of personal data affected;

2. The number of affected subjects, breaking down, where applicable, the number of children, teenagers, or elderly people;

3. The technical and security measures adopted before and after the incident used to protect personal data, observing commercial and industrial secrets;

4. The risks related to the incident with identification of possible impacts on data subjects;

5. The reasons for delay, in case the report was not carried out within 3 working days from the controller becoming aware that the incident had affected personal data;

6. The measures that have been or will be adopted to reverse or mitigate the effects of the incident on the data subjects;

7. The date the incident occurred, when possible to determine it, and the date on which the controller became aware of it;

8. The data of the data protection office in charge or whoever represents the controller;

9. The controller's identification and, if applicable, a declaration indicating that it is a small processing agent;

10. The processor's identification, when applicable;

11. Description of the incident, including the root cause, if it can be identified;

12. The total number of data subjects whose data is processed in the processing activities affected by the incident;

‍

The security incident reporting must be carried out by the controller, through the Data Protection Officer (DPO), and accompanied by a document that proves the contractual, employment or functional relationship, or through a designated representative, accompanied by an instrument with specific powers of representation before the ANPD. The controller may also request secrecy from the ANPD, in a well-founded manner, to information protected by law, in which access thereto must be restricted.

The ANPD may, at any time, request the controller to send the record of the processing operations of personal data affected by the incident, the personal data protection impact report (RIPD), and the incident processing report, establishing a deadline for sending this information.

‍

WHAT MUST BE REPORTED TO THE DATA SUBJECT

The report of a security incident involving personal data to the personal data subject must contain the following information:

‍

1. A description of the nature and category of personal data affected;

2. The technical and security measures taken to protect the data, ensuring compliance with commercial and industrial secrets;

3. The risks related to the incident with identification of possible impacts on data subjects;

4. The reasons for delay, in case the report was not carried out within 3 working days from the controller becoming aware that the incident had affected personal data;

5. The measures that have been or will be adopted to reverse or mitigate the effects of the incident, when applicable;

6. The date the security incident became known;

7. The contact for obtaining information and, when applicable, the contact information of the data protection officer.

‍

It is important to highlight that the report must use simple and easy-to-understand language, being direct and individualized to each personal data subject. If this is not possible, the controller must report the occurrence of the incident within the deadline and with the information defined in the caput through available means of dissemination, such as through its website, applications, social media, and data subject service channels. In such manner, the report will be extensively disseminated, with direct and easy visualization for a minimum period of three months.

For confirmation purposes with the ANPD, the controller must add a statement indicating that the report to data subjects was carried out in the incident reporting process. This confirmation must indicate the means used for reporting or disseminating, within three business days; or if deadline was not met, the reasons why the controller was unable to comply with such provision.

‍

SECURITY INCIDENT INTERNAL RECORD

The controller must maintain an internal record of the security incident, including those not reported to the ANPD and the data subjects, for a minimum period of five years, counting from the date of such record. There are exceptions if additional obligations are found that require a longer maintenance period.

The security incident record must contain, at a minimum:

‍

1. The date the incident was known;

2. A general description of the circumstances under which the incident occurred;

3. The nature and category of data affected;

4. The number of data subjects affected;

5. Assessment of risk and possible damage to subjects;

6. Measures to correct and mitigate the effects of the incident, when applicable;

7. The form and content of the report, and whether the incident has been reported to the ANPD and the data subjects;

8. The reasons for the lack of report, when applicable.

‍

AUDITS OR INSPECTIONS

The ANPD may, at any time, audit or inspect, or determine an audit or inspection of the processing agents (controller and operator) in order to collect additional information or validate the information received. This aims to support decisions within the security incident reporting process.

During the security incident reporting process, the ANPD may determine that the controller, with or without its prior manifestation, immediately adopt preventive measures necessary to safeguard the rights of data subjects. These measures aim to prevent, mitigate, or reverse the effects of the security incident, as well as to avoid the occurrence of serious and irreparable damage or damage that is difficult to repair to personal data subjects. The ANPD may also set a daily fine to ensure compliance with the determination.

It is also possible that ANPD orders the controller to adopt measures to safeguard the rights of subjects, which are not to be confused with penalties, such as:

‍

1. Wide publicity of the incident in the media, at the expense of the controller, when the report carried out by the controller proves to be insufficient to reach a significant portion of the data subjects affected by the security incident involving personal data, which must be compatible with the scope of action of the controller and the location of the personal data subjects affected by the incident. This may be through (i) printed written media, (ii) broadcasting of sounds and images, and (iii) disclosing information via Internet;

2. Measures to reverse or mitigate the effects of the incident being considered those that can guarantee confidentiality, integrity, availability, and authenticity of the personal data affected, as well as minimize the effects arising from the incident for the data subjects.

‍

TERMINATION OF THE SECURITY INCIDENT REPORTING PROCESS

The security incident reporting process will be declared terminated by the ANPD in the following cases:

‍

1. If there is insufficient evidence that the incident actually occurred, with the possibility of reopening if new facts emerge;

2. If the ANPD considers that the incident does not have the potential to cause significant risk or damage to data subjects;

3. If the incident does not involve personal data;

4. If all additional measures have been taken to mitigate or reverse the generated effects;

5. The controller has carried out the reporting to data subjects and adopted the relevant measures, in accordance with the LGPD, the provisions of this Rule, and the ANPD determinations.

‍