ANPD Updates Information Security Incident Notification Guidelines | Perspectives & Events | Mayer Brown

The Brazilian National Data Protection Authority (ANPD) has published new guidelines on information security incident notifications, which are required whenever an incident is likely to create risks or cause significant damages to data subjects.

In summary, here are the new updates:

A new form for Security Incident Notifications (CIS) has been made available for use as of January 1, 2023.
It was confirmed that the obligation to report incidents directly to the ANPD is imposed only on the controllers—removing any doubt that this obligation could fall on the processors, but processors should always report the incidents to their controllers). ANPD also recommended that these duties be provided for in contracts signed between the parties.
The notification must be made by the data protection officer (DPO) of the affected company or instead by a representative who must demonstrate their powers by means of a power of attorney and appropriate corporate documents.
The communication must be filed digitally via the website of the Single Electronic Process Network System.
It was confirmed that the deadline for communicating security incidents to the ANPD and the data subject should be two working days from the time that the company became aware of the event.
Only incidents that have been confirmed internally need to be notified. That is, the mere suspicion of an incident is not notifiable.
Specific criteria should be considered by the controllers in evaluating risk or significant related damage to the data subjects:
(i) The context of the data processing activity;
(ii) The categories of and number of affected data subjects;
(iii) The types and amount of data breached;
(iv) The potential material, moral, reputational damage caused to the data subjects;
(v) Whether the breached data was protected in a way that makes it impossible to identify its data subjects; and
(vi) The mitigation measures taken by the controller after the incident.

The inability to file a full communication of the incident within two working days must be duly justified by the controller. The additional notification must be submitted as soon as possible and no later than 30 calendar days from the initial (preliminary) communication.
The communication to the data subjects:
(i) Must be made individually and directly to the affected data subjects, as a rule;
(ii) Can be sent by any means (email, SMS, a mail letter or any electronic message);
(iii) If it is not possible to identify those affected, a general communication must be made to all data subjects who have personal data in the affected database;
(iv) Exceptionally, insofar as controller is able to justify such exception, indirect communication may be made by means of publication in a media outlet capable of reaching the greatest possible number of data subjects; and
(v) It is not necessary to send the ANPD the list of affected data subjects or their contact details for proof of notification.

The notice to data subjects must contain at least:
(i) Summary and date of occurrence of the incident;
(ii) Description of personal data affected;
(iii) Risks and other consequences to the data subjects;
(iv) Measures taken by the controller and measures that the data subjects should take to mitigate the effects of the incident, if applicable; and
(v) Contact details of the controller's DPO so that data subjects can request additional information regarding the incident.

After the notification to the ANPD, in the administrative proceeding, the ANPD shall assess the severity of the incident and may also determine that the controller send the notification to the data subjects, if this has not yet been done; modify the notification to the data subjects; widely disclose the incident; or adopt additional measures to mitigate the effects of the incident. Finally, the ANPD will assess whether there has been a violation of the LGPD and, if appropriate, apply the sanctions provided in Article 52 of that legislation.