Brazil: Consumer protection agency announces data incident affecting Enel
The Protection and Consumer Defence Foundation of the State of São Paulo ('PROCON-SP') announced, on 11 November 2020, that it had called on Enel Distribuição São Paulo to provide information on a data breach of customers' registration data. In particular, PROCON-SP highlighted that the affected information included full names, social security numbers, bank account numbers, addresses, and telephone numbers.
In addition, PROCON-SP called on Enel to demonstrate whether it adopts security, technical, and administrative measures to protect personal data from unauthorised access and accidental or unlawful situations of destruction, loss, alteration, communication, or any other form inadequate or illicit treatment. Moreover, PROCON-SP noted that Enel must provide information on whether their employees have been properly trained on the application of the Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD') and explain why the affected data was not encrypted in the processing of the data. Finally, PROCON-SP also requested that Enel outlined the procedures taken for analysing a data incident, the measures taken to mitigate possible damage, whether it has an incident response team statement, and whether it carried out a Data Protection Impact Assessment ('DPIA').