Cristiane Manzueto, Rodrigo Leal, and Flavia Telles of Mayer Brown write:
The Brazilian National Data Protection Authority (ANPD) has published new guidelines on information security incident notifications, which are required whenever an incident is likely to create risks or cause significant damages to data subjects.
In summary, here are the new updates:
- A new form for Security Incident Notifications (CIS) has been made available for use as of January 1, 2023.
- It was confirmed that the obligation to report incidents directly to the ANPD is imposed only on the controllers—removing any doubt that this obligation could fall on the processors, but processors should always report the incidents to their controllers). ANPD also recommended that these duties be provided for in contracts signed between the parties…..
Read more about the new guidelines at Mayer Brown.