A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Local data protection regulations have required data controllers to report such breaches in certain circumstances.
While there is currently no data breach notification provision under Brazilian law that requires informing regulators, employees and others who may have been impacted by a breach should be notified. This is based on other rules and regulations relating to data protection and the right to be informed. In the event of a breach that results in damages, employees may be eligible to receive compensation.
Once Brazil’s General Data Privacy Law goes into effect in August 2020, employers (and other data controllers) will be required to inform the national authority and the data subject if a security incident which may create risk or damages to the data subjects occurs.
The communication must be completed in a reasonable timeframe (to be determined by the data protection authority) and include:
a description of the nature of affected personal information;Individual unauthorized information disclosures or access may be resolved directly between the employer (as the data controller) and the employee (as the impacted data subject). In the event that there is no agreement, the employer would be subject to the penalties. More detailed instructions relating to responding to a data breach may be announced by the national authority prior to the Law going into effect.
