Breach Notification decisions under the Brazil LGPD should be written in operational language: who is in scope, what must happen, what evidence proves it, and when escalation is needed.
Use this section to define scope, owner, evidence inputs, and the review outcome before execution.
Structured answer sets in this page tree.
Cited legal and guidance references.
Brazil LGPD breach notification turns on a simple question: did a security incident create a relevant risk or damage to individuals? Use this page to identify when the controller must notify the ANPD and affected data subjects, what the notice must cover, and how to document the decision.
Under Article 48 of the LGPD, the controller must communicate a security incident to the ANPD and to the data subject when the incident may create relevant risk or damage. The practical question is not whether there was any issue at all, but whether the event crosses that notification threshold.
Use the decision record to capture the incident type, affected systems and data, the risk assessment, whether the ANPD and data subjects must be notified, and the timing used for the notice. The ANPD incident form also expects the controller to record when it learned of the incident, when it notified the ANPD, and when it notified the data subjects.
Ownership should sit with the team that controls the processing purpose, data-subject channel, vendor relationship, transfer mechanism, security incident response, or ANPD communication.
Evidence should show controller/operator mapping, lawful basis, transparency notice, rights response, transfer analysis, incident decision, DPO involvement, and ANPD remediation record where applicable.
Most LGPD mistakes happen at the boundary between controller and operator duties, consent and other lawful bases, academic or public-interest processing, international transfers, and incident notification thresholds.
Apply this section before approving a processing activity, vendor arrangement, transfer, rights workflow, child-data handling, or incident response under LGPD. If evidence is missing, block progression and raise a review task.
Use an LGPD workflow that captures role, purpose, lawful basis, data category, data-subject right, transfer or incident trigger, DPO review, evidence, and review date.
The output should be a lawful-basis memo, role map, privacy notice update, DSAR record, transfer note, incident assessment, or ANPD response pack.
This artifact page provides practical inputs, owner roles, required outputs, and evidence checkpoints for breach notification.
Turn Breach Notification into scoped questions, evidence fields, and review tasks.
Use Research Copilot to answer follow-up questions with cited source material.
Review scope, evidence, owners, and the next compliance actions with operational practice.
"a comunicação à ANPD e ao(s) titular(es) deverá ser realizada pelo controlador no prazo de três (3) dias útis"
"Quando tomou ciência"
"O controlador deverá comunicar à autoridade nacional e ao titular a ocorrência de incidente de segurança"
"Agenda Regulatória da Autoridade Nacional de Proteção de Dados - ANPD para o biênio 2023-2024"
"Seção III Do Recebimento de Requerimentos [FOOTER/URL] Page 7/14 RESOLUÇÃO CD/ANPD Nº 1, DE 28 DE OUTUBRO DE"
"Aprovar o Regulamento de Dosimetria e Aplicação de Sanções Administrativas"