Published on 09/01/2023

Changes to the data protection realm were introduced at the end of 2022 and on the very first day of 2023

On December 23, 2022, the Brazilian National Data Protection Authority (“ANPD”) released a new form for reporting data breaches in accordance with the provisions of the Brazilian General Data Protection Law (Law No. 13,709/2018 – “LGPD”). The new form is available on ANPD’s website and must be filed electronically through the electronic petition of SUPER.BR (Single System of Electronic Process in Network).

In the new communication template, the ANPD also clarified that “a data breach needs to be reported if it meets, cumulatively, the following criteria: (i) has an occurrence confirmed by the agent; (ii) involves personal data subject to the LGPD; (iii) entails risk or relevant damage to data subjects”.

In addition, the ANPD pointed out that not all data breaches must be reported. According to the authority, it is up to the data controller to assess the risks and impacts on the data subjects and to determine whether or not a communication is required. The authority also listed the aspects that should be considered in this risk assessment, such as the context of the data processing activity; the category and number of data subjects affected; the types of data involved; and the potential material and reputational damage to the data subjects, among others.

It is noteworthy that, to preserve the data subjects’ rights, the ANPD recommends that the communication of data breaches be made within 2 (two) business days of becoming aware of the fact. In case of unjustified delay, the administrative sanctions provided for in the LGPD may be applied. It is also important to point out that the ANPD determined that, if the data controller does not have enough information within the recommended period, the communication can be done in stages: a preliminary communication followed by a complementary one.

Additionally, the ANPD determined that the data breach must be communicated individually and directly to the data subjects, in clear language, containing: (i) summary information about what happened; (ii) a description of the affected data; (iii) the risks involved and the consequences for the data subjects; (iv) the measures adopted by the data controller and the recommendations to the data subjects to mitigate the effects of the incident, if applicable; and (v) information about the controller’s data protection officer. If the affected data subjects cannot be individually identified, it may be necessary to notify all data subjects who appear in the compromised database. The ANPD also determined that, only exceptionally and with justification, the communication may be done indirectly through publication in the media.

The new communication template also has fields related to the security measures taken prior to the data breach, that is, the security measures that demonstrate the controller’s diligence regarding data processing, as well as the security measures taken after the data breach.

The ANPD’s General Inspection Coordination (“CGF”) will be responsible for receiving and handling data breach reports. If the CGF finds that there was no violation of the LGPD and no need to adopt additional measures, the procedure may be archived. However, if the CGF understands that the data controller has not adopted the necessary measures, it may order the adoption of further measures.

Furthermore, on January 1, President Lula signed Decree 11.348/23, which establishes that the ANPD is no longer linked to the General Office of the President within the Executive branch. The ANPD is now officially linked to the Ministry of Justice, under the responsibility of Minister Flávio Dino. Thus, the Ministry of Justice is now charged with establishing policies for data processing and developing a strategy to integrate and ensure the interoperability of the state’s IT systems in matters related to justice and public security.

Our Data Protection team remains at your disposal for any questions and clarifications.