Cristiane Manzueto, Rodrigo Leal, Ana Letícia Allavato, and Diego Semeraro of Mayer Brown write:
Resolution No. 15, of April 24, 2024, of the Brazilian Data Protection Authority (“ANPD”), approved the Data Breach Notifying Regulation (the “Regulation”). The Regulation establishes procedures for data controllers to notify subjects of data breaches, as required by Article 48 of the Brazilian General Data Protection Law (LGPD).
WHAT IS CONSIDERED A DATA BREACH?
- Data breaches are any confirmed adverse event that impacts the confidentiality, integrity, availability, or authenticity of personal data.
DEADLINE
- Except in the case of small processing agents, pursuant to ANPD Resolution No. 2, the data breach must be reported to the ANPD and to the affected data subjects within three business days, starting from the date on which the controller confirms that the data breach affected personal data. If the report is made by an attorney-in-fact, the power-of-attorney must also be submitted within that period.
- Information provided to the ANPD may be supplemented within 20 business days from the date of the first notification.
Read more about the new regulation at Mayer Brown.