Brazil LGPD Incident Reporting To Anpd

Start by deciding whether the issue affects controller/operator roles, lawful basis, data-subject rights, children data, international transfers, security incidents, DPO/encarregado duties, or ANPD enforcement exposure. The useful answer should name the exact trigger, affected product or process, required action, owner, evidence, and escalation point.

For incident reporting, the practical trigger is a confirmed security incident involving personal data that may cause risk or relevant damage to data subjects. Article 48 of the LGPD requires the controller to communicate the incident to the ANPD and to the holder, and ANPD guidance says not every incident qualifies; the report is for events such as unauthorized, accidental, or illicit access, destruction, loss, alteration, leakage, or other inadequate or illicit treatment that can create risk or relevant damage. If the incident qualifies, the report should also be sent within the deadline defined by the ANPD guidance source.

Keep the LGPD source, role map, lawful basis analysis, data-subject-right record, transfer basis, incident assessment, and ANPD-facing evidence together.

Ownership should sit with the team that controls the processing purpose, data-subject channel, vendor relationship, transfer mechanism, security incident response, or ANPD communication.

Evidence should show controller/operator mapping, lawful basis, transparency notice, rights response, transfer analysis, incident decision, DPO involvement, and ANPD remediation record where applicable.

Most LGPD mistakes happen at the boundary between controller and operator duties, consent and other lawful bases, academic or public-interest processing, international transfers, and incident notification thresholds.

Apply this section before approving a processing activity, vendor arrangement, transfer, rights workflow, child-data handling, or incident response under LGPD. If evidence is missing, block progression and raise a review task.

Use an LGPD workflow that captures role, purpose, lawful basis, data category, data-subject right, transfer or incident trigger, DPO review, evidence, and review date.

The output should be a lawful-basis memo, role map, privacy notice update, DSAR record, transfer note, incident assessment, or ANPD response pack.