Security Incidents and the Brazilian Framework
Brazil's LGPD (General Data Protection Law) establishes strict protocols for handling security incidents[cite: 4]. The core directive is that the controller must notify the national authority and the data subjects of any security incident that may result in relevant risk or damage to the data subjects[cite: 366].
Data breaches can expose organisations to significant regulatory scrutiny and financial liability. Processing agents shall adopt technical and administrative security measures able to protect the personal data from unauthorized accesses and accidental or unlawful situations of destruction, loss, alteration, communication, or any form of improper or unlawful processing[cite: 361].
These requirements are not an afterthought: the security measures must be complied with from the design phase of the product or service through to its implementation[cite: 364]. Security by design is a foundational expectation, not a post-launch remediation.
When Do You Need to Report a Breach?
Not every minor technical glitch requires a formal notification to the authorities. The trigger for mandatory reporting hinges on the potential consequences for the individuals whose information was compromised. The controller must evaluate if the event may result in relevant risk or damage to the data subjects[cite: 366].
Once this threshold is met, the clock starts ticking. Communication shall be made as soon as reasonably feasible, within a period defined by the national authority[cite: 367]; ANPD Resolution CD/ANPD No. 15/2024 fixed that period at three business days from the moment the controller becomes aware of the incident. Delaying the report can compound the regulatory penalties, especially if the delay exacerbates the harm to affected individuals.
What Must the Notification Contain?
The LGPD outlines explicit requirements for the content of the breach notification. Providing a vague statement is insufficient. The communication shall contain, at least:
- A description of the nature of the affected personal data[cite: 368].
- Information on the data subjects involved[cite: 369].
- An indication of the technical and security measures used to protect the data, subject to trade and industrial secrecy[cite: 370, 371].
- The risks related to the incident[cite: 372].
- The reasons for the delay, where communication was not immediate[cite: 373].
- The measures that have been or will be adopted to reverse or mitigate the effects of the damage[cite: 374].
Transparency is required regarding what happened and what the organisation is doing to fix it. This comprehensive documentation helps the regulator assess the competence and good faith of the processing agents involved.
The Role of the National Data Protection Authority (ANPD)
After receiving the notification, the regulatory body takes an active role in managing the fallout. The national authority shall determine the severity of the incident[cite: 375]. This assessment dictates the next steps the controller must take.
If required to safeguard the data subjects' rights, the authority may order the controller to adopt measures such as full disclosure of the event in the media[cite: 375, 376]. It can also mandate specific measures to reverse or mitigate the effects of the incident[cite: 377].
When assessing the severity of the incident, consideration shall be given to any evidence that appropriate technical measures were taken to render the affected personal data unintelligible, within the scope and technical limits of its services, to third parties who were not authorized to access them[cite: 378]. Encryption and pseudonymisation can therefore significantly reduce the regulatory consequences if the raw data remains inaccessible to attackers. In practice, the incident record should show which data was encrypted, with which mechanism, and that the keys were not exposed alongside the data: ciphertext whose key leaked in the same incident is not "unintelligible" to the attacker.
Liability and Damage Compensation
Failing to protect data has direct financial consequences under the law. The controller or the processor that, when performing personal data processing activities, causes any pecuniary, moral, individual or collective damage to others, in violation of the personal data protection legislation, shall be required to compensate for such damage[cite: 339].
Processors cannot simply hide behind the controller. The processor shall be jointly liable for damages caused by the processing when it fails to comply with the obligations of the data protection legislation or acts contrary to the lawful instructions of the controller[cite: 341].
| Party | Responsibility During a Breach |
|---|---|
| Controller | Must notify the ANPD and data subjects of relevant risks[cite: 366]. Evaluates the incident and implements mitigation strategies [cite: 374]. |
| Processor | Jointly liable if they fail to follow the law or the controller's lawful instructions[cite: 341]. Must support the controller in identifying affected data. |
| ANPD | Determines the severity of the incident and may order public disclosure or further mitigation measures[cite: 375, 376, 377]. |
System Structure and Ongoing Security
Compliance is a continuous obligation. Processing agents or any other person involved in one of the processing phases shall be required to ensure the information security provided for in this Law in relation to personal data, even after the conclusion of the processing in question[cite: 365].
The infrastructure housing the data must reflect these legal demands. The systems used for personal data processing shall be structured to meet the security requirements, the good practices and governance standards, and the general principles provided in this Law and in other regulatory rules[cite: 379]. A consent banner is only the visible surface of compliance; the underlying databases and data flows must be secured against both external and internal threats.
Frequently Asked Questions
Who do I need to notify if a data breach occurs under the LGPD?
The controller shall notify the national authority (ANPD) and the data subject of the occurrence of a security incident that may result in relevant risk or damage to the data subjects [cite: 366].
How quickly must the notification be sent to the ANPD?
Communication shall be made as soon as reasonably feasible, as defined by the national authority[cite: 367]. If the communication is not immediate, you must provide the reasons for the delay[cite: 373].
Does every minor security event require reporting?
No. The LGPD specifies that notification is required for a security incident that may result in relevant risk or damage to the data subjects[cite: 366]. Minor incidents with no risk to individuals may not trigger this obligation.
What happens if data is stolen but it was encrypted?
When assessing the severity of the incident, the ANPD will give consideration to any evidence that appropriate technical measures were taken to render the affected personal data unintelligible to unauthorized third parties[cite: 378]. Properly applied encryption, where the attacker did not also obtain the keys, can substantially reduce the assessed severity of the breach.
Can the ANPD force a company to go to the press about a breach?
Yes. If required for safeguarding the data subjects' rights, the ANPD may order the controller to adopt measures such as full disclosure of the event in the media[cite: 375, 376].
Take Control of Your Cookie Compliance
If you are collecting personal data through your website, you need clear visibility into what tracking technologies are active. Kukie.io detects, categorises, and helps you manage every cookie, providing a solid foundation for your overall data governance and security strategy.
Start Free - Scan Your Website to verify your data collection practices.