Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Brazil: ANPD publishes Data Breach Notification Regulation

On April 26, 2024, the Brazilian data protection authority (ANPD) published Resolution CD/ANPD No. 15 of April 24, 2024 (the Resolution), approving the Data Breach Notification Regulation (the Regulation).

What are the main aspects of the Regulation?

The Regulation notes that controllers are obligated to notify the ANPD of data breaches that may lead to significant risk or damage to data subjects.

The Regulation further provides that a data breach may represent a significant risk or damage to individuals when it:

  • significantly affects the interests and fundamental rights of data subjects; and
  • includes the processing of:
    • sensitive data;
    • minors' or elderly persons' personal data;
    • financial data;
    • authentication data;
    • data protected by legal, judicial, or professional secrecy; or
    • large-scale data.


The ANPD must be notified of data breaches within three working days from the moment the data controller becomes aware of the data breach, except as otherwise provided by law. The deadline is doubled for small processing agents.

The same deadline applies for notifications to data subjects.

Content of the notification

The Regulation states that the data breach notification to the ANPD must contain:

  • a description of the nature and category of personal data affected;
  • the number of affected data subjects, including, when applicable, the number of affected minors and elderly persons;
  • the technical and security measures adopted before and after the breach;
  • identification of the risks and possible impact on data subjects;
  • justification in case of late notification;
  • measures adopted to revert or mitigate the effects on data subjects;
  • the date when the incident occurred;
  • contact details of the controller or declaration in case of small processing agents;
  • identification of the data processor, when applicable;
  • description of the incident, including the main cause, when it's possible to identify it; and
  • the total number of data subjects whose data is processed in activities affected by the data breach.

The abovementioned information can be complemented within 20 working days from the data breach notification.

The Regulation also provides for the necessary content of the notification to data subjects.

How to make a data breach notification?

The data breach notification to the ANPD must be made via a dedicated form available on the ANPD's website. The communication to data subjects must be made directly to each individual and in simple and easily understandable language.


The Regulation also provides that controllers must keep registers of data breaches for five years, with exceptions.

Entry into force

The Regulation provides that the new rules are immediately applicable to ongoing data breach investigations, except for procedural acts already practiced.

You can read the Resolution, only available in Portuguese, here.