ANPD Regulates Communication on Security Incidents involving Personal Data 

May 24, 2024 | News

On April 26, 2024, the National Authority for Data Protection (ANPD) published the long-awaited Resolution No. 15 regulating the form and deadline for reporting security incidents involving personal data. Resolution No. 15 is now available at ANPD’s website. 

A personal data security incident is understood as unauthorized access to personal data, or its unauthorized use, as well as situations that compromise the use of personal data, or affect its integrity or authenticity. 

One of the main issues that caused controversy was the deadline within which the incident had to be reported to the ANPD and to the data subjects.

In December 2022, the ANPD had already published on its website a simple guidance on reporting security incidents. On that occasion, it was recommended that incidents be reported to the ANPD within two business days.

However, the foregoing deadline has changed with Resolution No. 15. According to its Article 9, the deadline for communicating an incident to the ANPD and to the data subjects is now three business days, counted from the controller's awareness of the incident, with the possibility of supplementing the information within twenty business days, counted from the first communication made by the controller.

There is an exception for small-sized companies, for which the deadline for reporting an incident to the ANPD is six business days.

It is worth noting that reporting a security incident is only mandatory when it is found that it entails significant risk or damage to the data subject, as provided in Article 48 of the General Personal Data Protection Law (Law No. 13,709/18). In this regard, Resolution No. 15 established two cumulative criteria for assessing risk or damage, namely: 

A) a security incident that significantly affects fundamental interests and rights; and

B) a security incident that involves at least one of the following types of data: 

I – sensitive personal data; 

II – data on children, adolescents or elderly people; 

III – financial data; 

IV – system authentication data (such as logins and passwords); 

V – data protected by legal, judicial, or professional secrecy; or 

VI – large-scale data. 

IN PRACTICE, if the above criteria are met, the incident must be reported to the ANPD. Security incidents that should have been reported but for whatever reason were not may subject the data controller to the fines and penalties provided for in Resolution No. 15.

When communicating to the ANPD, the controller must inform, among other things, the date and time of the incident, if known, the type of data involved and its volume; identify the data subjects whose data were impacted; describe the incident and the technical and organizational measures that were in place to prevent it; and state what mitigation actions are being taken.

The controller must also prepare a document called the Security Incident Record. Said document must be created in the event of any security incident, including those not reported to the ANPD as they do not characterize relevant risk or damage. The controller of personal data must keep such Record for a period of 5 years. 

This article is not intended as a legal opinion or advice. Each case must be analyzed based on its peculiarities.