LGPD Article 48 notification trigger — 3-business-day deadline for incidents posing relevant risk or damage
Brazil's data breach notification obligation is set out in Article 48 of Lei Geral de Proteção de Dados (LGPD, Law 13,709 of August 14, 2018). The controller (controlador) must notify both the Autoridade Nacional de Proteção de Dados (ANPD) and the affected data subjects of any security incident that may result in relevant risk or damage to the data subjects. Unlike the GDPR's bright-line 72-hour rule or the CCPA's event-driven triggers, LGPD imposes a risk-based materiality threshold: only incidents likely to cause significant harm trigger the dual notification duty.
Article 48 itself left the deadline open ("reasonable time, as defined by the national authority"), but ANPD closed that gap on April 24, 2024 with Resolution CD/ANPD No. 15/2024, approving the Regulamento de Comunicação de Incidente de Segurança (Security Incident Communication Regulation). Under Article 6 of the Regulation, the controller must notify ANPD within three business days from the date the controller became aware that the incident affected personal data. The same three-business-day clock applies to notification of affected data subjects under Article 9 of the Regulation.
"Relevant risk or damage" — the six-factor test. Resolution 15/2024 defines a notifiable security incident as one that (a) significantly affects the fundamental rights and interests of data subjects and (b) involves at least one of the following six data categories:
- Sensitive data (dados sensíveis) under LGPD Article 5(II) — racial or ethnic origin, religious belief, political opinion, trade-union or religious/philosophical/political organization membership, health or sex life, genetic or biometric data for unique identification.
- Data of children, adolescents, or elderly persons (dados de crianças, adolescentes ou idosos).
- Financial data (dados financeiros) — bank accounts, credit/debit card numbers, transaction records.
- Authentication data in systems (dados de autenticação em sistemas) — passwords, security tokens, biometric credentials.
- Data protected by legal, judicial, or professional secrecy (dados protegidos por sigilo legal, judicial ou profissional).
- Large-scale data (dados em larga escala) — the Regulation does not specify a numeric threshold; ANPD guidance recommends controllers assess volume, geographic scope, and the number of data subjects in the ordinary course of the affected processing.
The controller must evaluate both prongs cumulatively. If the breach involves one or more of the six data types but is unlikely to significantly affect fundamental rights (for example, encrypted payment-card data with keys held separately and no evidence of key compromise), notification may not be required. ANPD's published guidance expressly recommends controllers adopt a cautious posture and notify even when in doubt, because a demonstrated underestimation of risk can itself constitute a LGPD violation.
The three-business-day clock. The deadline runs from the controller's knowledge that the incident affected personal data, not from the date of the incident itself. If full information is unavailable within three business days, the controller must submit a preliminary notification with a reasoned justification and supplement it within twenty business days of the preliminary filing (Resolution 15/2024, Article 6, § 3). The same staged-notification procedure applies to data-subject communication.
Small processing agents as defined by Resolution CD/ANPD No. 2/2022 (startups, micro/small enterprises, and legal entities with gross revenue in Brazil below the statutory threshold) receive double the deadline: six business days for the initial notification and forty business days for the supplement. High-risk processing activities lose the benefit of the extended deadline even for otherwise qualifying small agents.
Form and content. Notification to ANPD must be made electronically through the agency's SEI!ANPD platform, submitted by the controller's Data Protection Officer (encarregado) or a legal representative with power of attorney. The notification must include (Article 6, § 2 of the Regulation):
- Description of the nature and categories of affected personal data, specifying whether sensitive data is involved;
- Number of affected data subjects, broken out by children, adolescents, and elderly persons, when applicable;
- Technical and administrative security measures in place before and after the incident;
- Risk assessment and identification of possible impacts on data subjects (financial fraud, identity theft, reputational harm, inability to exercise rights);
- Date of the incident (if identifiable) and date the controller became aware;
- Reasons for any delay beyond the three-business-day deadline;
- Measures adopted or planned to reverse or mitigate harm;
- Contact information for the DPO or other point of contact.
Notification to data subjects must use simple, accessible language and should be individualized (email, SMS, letter, phone call) where feasible. If individual notification is impracticable, the controller must use broadcast channels — website banners, mobile-app notifications, social media, customer-service announcements — for at least three months and must file a declaration with ANPD within three business days of the authority notification confirming the broadcast and the channels used.
ANPD can compel broader disclosure. After receiving the controller's notification, ANPD may determine that the incident warrants ampla divulgação (broad disclosure) in mass media — print, radio, internet — at the controller's expense (LGPD Article 48, § 2). The authority may also order additional mitigation measures and can impose daily fines to secure compliance during the incident-response process. A failure to notify a clearly notifiable breach subjects the controller to administrative sanctions under LGPD Article 52, up to 2% of the legal entity's revenue in Brazil (capped at R$50 million per infraction).
Operator (processor) notification to controller. The duty under Article 48 runs to the controller, but Resolution 15/2024 clarifies that when an operator (operador) detects a breach, it must inform the controller without unjustified delay. The controller then assesses notifiability and makes the dual notification. ANPD has stated it will accept exceptional submissions from operators when circumstances warrant, but the legal obligation remains the controller's.
Source: Lei nº 13.709, de 14 de agosto de 2018 (LGPD), Art. 48
Source: Resolution CD/ANPD No. 15 of April 24, 2024 (Security Incident Communication Regulation)
Source: ANPD — Comunicação de incidentes de segurança (guidance page)
Enforcement and penalties — ANPD sanctioning powers, Article 52 fine calculation, and breach-notification enforcement precedents
Controllers that fail to comply with Brazil's breach-notification obligations under LGPD Article 48 face administrative sanctions imposed by the Autoridade Nacional de Proteção de Dados (ANPD), the national data protection authority established under Articles 55-A through 55-L of the LGPD. ANPD's sanctioning authority became operational on August 1, 2021, and the agency published its Regulation on Dosimetry and Application of Administrative Sanctions (Resolution CD/ANPD No. 4) on February 27, 2023, completing the enforcement framework required under Article 53 of the LGPD.
Article 52 sanction menu — twelve graduated tiers. LGPD Article 52 authorizes ANPD to impose administrative sanctions "after an administrative proceeding that ensures the opportunity for full defense." The statute enumerates twelve sanctions, arranged in rough escalation from admonitory through pecuniary to operational suspension:
I. Advertência (warning) with indication of the deadline for corrective measures;
II. Multa simples (simple fine), up to 2% of the private legal entity's gross revenue in Brazil in its last fiscal year, excluding taxes, capped at R$50,000,000 (fifty million reais) per infraction;
III. Multa diária (daily fine), observing the total ceiling in item II;
IV. Publicização da infração (publication of the infraction) after due investigation and confirmation;
V. Bloqueio dos dados pessoais (blocking of the personal data) subject to the infraction until regularization;
VI. Eliminação dos dados pessoais (deletion of the personal data) subject to the infraction;
VII. Suspensão parcial do funcionamento do banco de dados (partial suspension of the database) for a maximum of six months, renewable for an equal period, until the controller regularizes the processing activity;
VIII. Suspensão do exercício da atividade de tratamento (suspension of the data processing activity) for a maximum of six months, renewable for an equal period;
IX. Proibição parcial do exercício de atividades relacionadas a tratamento de dados (partial prohibition of activities related to data processing);
X–XII. Expanded versions of suspension and full prohibition, applied only after at least one prior sanction from items II–VI for the same specific case (Article 52, § 6).
Sanctions are applied "gradually, in isolation or cumulatively, according to the peculiarities of the specific case" (Article 52, § 1), and ANPD may compel compliance during the incident-response process through daily fines accrued until the breach is remedied.
The eleven statutory dosimetry criteria — Article 52, § 1. ANPD must assess and weigh eleven factors when selecting the type and severity of sanction:
I. The severity and nature of the infractions and the personal rights affected;
II. The good faith of the infringer;
III. The advantage sought or obtained by the infringer;
IV. The economic condition of the infringer;
V. Recidivism (repeat violations);
VI. The degree of damage;
VII. The cooperation of the infringer;
VIII. Demonstrated adoption of internal mechanisms and procedures capable of minimizing harm, focused on secure and adequate data processing (aligned with Article 48, § 2(II));
IX. Adoption of good-practice and governance policies;
X. Prompt adoption of corrective measures; and
XI. Proportionality between the gravity of the fault and the intensity of the sanction.
Resolution No. 4/2023 translates these statutory criteria into a structured dosimetry methodology. For legal entities with revenue in Brazil, the base fine is calculated by multiplying a base rate (ranging from 0.1% to 2.0% depending on infraction severity) by the entity's gross revenue in Brazil (net of taxes), then adjusted upward or downward by aggravating and mitigating circumstances (including cooperation, good faith, degree of damage, recidivism, and documented governance policies). For individuals and entities without revenue, ANPD applies fixed reais ranges scaled by infraction classification and degree of damage. The methodology's Appendix I classifies infractions as gravíssima (most serious), grave (serious), média (medium), or leve (light); breach-notification failures under Article 48 are typically classified as grave or gravíssima depending on the data categories involved and the harm to data subjects.
ANPD enforcement procedure — responsive regulation in practice. ANPD's enforcement model, codified in Resolution CD/ANPD No. 1 (October 28, 2021) and amended by Resolution No. 4/2023, follows responsive regulation principles. The Coordenação-Geral de Fiscalização (General Coordination for Enforcement, CGF) conducts a preparatory investigation upon receiving a complaint, a data subject's petition, or a controller's security-incident notification. If the CGF identifies evidence of an Article 48 violation, it may first issue a preventive determination ordering the controller to communicate the breach to data subjects and to adopt specific mitigation measures within a defined deadline. Failure to comply escalates the matter to a formal processo administrativo sancionador (administrative sanctioning proceeding), in which the CGF issues an auto de infração (infraction notice). The controller has the right to a full defense and administrative appeal; the final decision may impose one or more sanctions from the Article 52 menu.
ANPD has articulated that breach-notification failures carry reputational and legal weight beyond the immediate sanction: a demonstrated underestimation of risk — or a failure to communicate when the six-factor test under Resolution 15/2024 was clearly satisfied — is itself an aggravating circumstance under the dosimetry regulation, because it shows disregard for data subjects' fundamental rights and undermines the statutory purpose of notification (enabling subjects to protect themselves post-incident).
Documented enforcement precedents for Article 48 breach-notification failures. As of May 2026, ANPD has sanctioned at least two public-sector controllers for failing to comply with Article 48's notification duty:
1. Instituto Nacional do Seguro Social (INSS) — February 2024. INSS suffered a security incident in 2022 affecting its Sistema Corporativo de Benefícios (SISBEN), which exposed CPF numbers, bank account details, and birthdates of beneficiaries — data susceptible to fraud and identity theft. ANPD determined that the incident met the "relevant risk or damage" threshold under Article 48 and ordered INSS to notify the affected data subjects. INSS argued technical infeasibility of individualizing the affected persons and refused to perform broadcast notification. ANPD rejected that defense, finding that Article 48 and Resolution 15/2024 expressly authorize ampla divulgação (broad disclosure) when individual notification is impracticable. ANPD sanctioned INSS with publicização da infração (Article 52(IV)): INSS was ordered to publish the infraction notice on its website and in the Meu INSS mobile application for sixty consecutive days. ANPD also found INSS in violation of Article 32 of Resolution No. 1/2021 for failing to comply with a prior ANPD determination to remediate the breach.
2. Secretaria de Estado de Educação do Distrito Federal (SEEDF) — February 2024. SEEDF operated an online enrollment system for an early-education program that exposed personal data of approximately 3,030 applicants through a URL-manipulation vulnerability. ANPD's investigation concluded that SEEDF failed to: (a) maintain records of processing operations (Article 37); (b) prepare a Data Protection Impact Assessment (DPIA) when requested by ANPD (Article 38); (c) notify affected data subjects of the security incident (Article 48); and (d) deploy systems meeting LGPD security and good-practice requirements (Article 5 of Resolution No. 1/2021). The Coordenação-Geral de Fiscalização applied a sanction of advertência (warning) for the Article 48 failure and an additional advertência for obstruction of ANPD's enforcement activity under Article 5(I) of the Enforcement Regulation. On administrative appeal (Deliberative Circuit CD-16/2024), ANPD's Board of Directors upheld the Article 48 advertência and consolidated the other violations into a single advertência for enforcement obstruction, emphasizing that notification to data subjects is "a fundamental measure so they can protect themselves after a security incident" and that failure to communicate deprives subjects of the ability to take protective actions such as changing passwords and monitoring for suspicious contacts.
Both decisions underscore ANPD's position that breach notification is not a pro forma compliance box but a fundamental safeguard for data subjects' ability to mitigate post-incident harm. Controllers that delay, refuse, or inadequately execute the notification duty — especially when the statutory triggers are plainly met — face escalating sanctions, and ANPD will exercise its authority under Article 48, § 2 to compel ampla divulgação in mass media at the controller's expense when individual communication proves infeasible.
No private right of action for breach-notification failures; administrative-only enforcement. LGPD Article 52's sanctions are applied exclusively by ANPD. The statute does not create a standalone private cause of action for breach-notification failures. Data subjects harmed by a controller's failure to notify may, however, pursue civil damages for material and moral harm under Brazil's Civil Code (Lei nº 10.406/2002) and Consumer Protection Code (Lei nº 8.078/1990, the Código de Defesa do Consumidor, CDC), both of which recognize breach of a statutory duty (such as Article 48) as evidence of fault and causation in a tort claim. LGPD Article 52, § 2 expressly provides that ANPD's administrative sanctions "do not replace the application of administrative, civil, or criminal sanctions provided in Law 8.078/1990 [CDC] and in specific legislation." Controllers found liable in ANPD proceedings face both the administrative fine and potential exposure to individual and collective civil claims by affected data subjects and consumer-protection organs. The Ministério Público (Public Prosecutor's Office) and consumer-defense agencies (such as PROCONs and SENACON) retain parallel enforcement authority under their own statutes, and ANPD has stated publicly that its findings may be shared with those bodies when conduct implicates consumer rights or criminal provisions.
Criminal exposure remains theoretical. Brazil's Penal Code does not currently contain a specific offense for breach-notification failure. Controllers that willfully conceal a breach involving sensitive data or authentication credentials may face investigation under general fraud (estelionato, Article 171 of the Penal Code) or computer-crime provisions (Lei nº 12.737/2012, the "Lei Carolina Dieckmann"), particularly if the failure to disclose enables subsequent fraud against data subjects. ANPD has stated that when its enforcement investigations uncover evidence of criminal conduct, it will refer the matter to the Ministério Público or the Polícia Federal. As of May 2026, no criminal prosecutions have been publicly reported for standalone breach-notification failures under LGPD Article 48.
Fine proceeds — Fundo de Defesa de Direitos Difusos. All monetary fines collected by ANPD under Article 52 are directed to the Fundo de Defesa de Direitos Difusos (Diffuse Rights Defense Fund), established under Article 13 of Law 7.347/1985 and Law 9.008/1995. The fund finances initiatives to repair harm to the environment, consumers, cultural heritage, and other collective rights. LGPD Article 52, § 5 (inserted by Law 13.853/2019) codifies this allocation, ensuring that breach-related fines fund broader societal remediation rather than general-budget revenue.
Source: Lei nº 13.709, de 14 de agosto de 2018 (LGPD), Art. 52
Source: Resolution CD/ANPD No. 4, of February 24, 2023 (Regulation on Dosimetry and Application of Administrative Sanctions)
Source: ANPD — Sanções Administrativas: o que muda após 1º de agosto de 2021?
Source: ANPD — ANPD sanciona INSS e Secretaria de Educação do DF por violações à LGPD (February 1, 2024)
Source: ANPD Deliberative Circuit CD-16/2024 (SEEDF decision, August 2024)
Article 10 recordkeeping obligation — five-year retention for all security incidents, including non-notified events
Controllers must maintain internal records of all security incidents, whether or not the incident triggered the notification duty under Article 48 of the LGPD and Resolution CD/ANPD No. 15/2024. This universal recordkeeping requirement applies even to incidents that fall below the "relevant risk or damage" threshold and therefore were never communicated to ANPD or data subjects. Article 10 of Resolution 15/2024 imposes a five-year minimum retention period, measured from the date the controller creates the incident record, not from the date of the incident itself.
The recordkeeping obligation serves three compliance functions: (1) demonstrating to ANPD during inspections that the controller maintains a systematic incident-response process and has assessed notifiability rigorously; (2) preserving evidence of the controller's good faith and cooperation when ANPD retrospectively investigates whether a breach should have been notified; and (3) satisfying the controller's broader accountability obligations under Article 37 of the LGPD (records of processing operations) and Article 50 (governance and good-practice programs). ANPD has stated publicly that a demonstrated pattern of underreporting — evidenced by internal records showing incidents the controller dismissed as non-notifiable when the six-factor test under Resolution 15/2024 was clearly satisfied — constitutes an aggravating circumstance under the dosimetry regulation and can itself warrant sanctions.
Mandatory content — Article 10, § 1 of Resolution 15/2024. The incident record must contain at minimum:
I. Date and time the incident occurred, if identifiable, and the date the controller became aware that personal data were affected;
II. Description of the nature of the security incident — unauthorized access, accidental disclosure, ransomware encryption, insider exfiltration, third-party vendor breach, or other compromise;
III. Categories and volume of affected personal data, specifying whether the incident involved any of the six data types enumerated in Article 5(II) of the Regulation (sensitive data under LGPD Article 5(II), children/adolescent/elderly data, financial data, authentication credentials, legally protected data, or large-scale data);
IV. Estimated number of affected data subjects, broken out by vulnerable populations (children, adolescents, elderly) when applicable;
V. Technical and administrative security measures in place before and after the incident;
VI. Risk assessment and identified potential impacts on data subjects — identity theft, financial fraud, reputational harm, inability to exercise rights, or other consequences;
VII. Mitigation and remediation measures adopted or planned;
VIII. Reasons for non-notification, when the controller determined that the incident did not meet the "relevant risk or damage" threshold and therefore was not communicated to ANPD or data subjects.
Item VIII is the accountability lever. When the controller decides an incident is non-notifiable, the internal record must document the analysis — which prongs of the six-factor test were not met, why the incident was unlikely to significantly affect fundamental rights, whether encryption or other safeguards mitigated exposure, and any contemporaneous guidance from the Data Protection Officer (encarregado) or legal counsel. ANPD's Enforcement Regulation (Resolution No. 1/2021) and the 2024 incident-communication guidance expressly recommend controllers adopt a cautious posture and notify even when in doubt. An internal record that shows the controller dismissed a plainly notifiable breach — for example, exposed CPF numbers and bank-account details labeled "low risk" because the dataset was "only" 5,000 records — exposes the controller to both the Article 48 notification-failure sanction and an elevated base fine under the dosimetry methodology.
Five-year retention, minimum. The record must be preserved for at least five years from the date it was created (Article 10, caput). If sector-specific regulation, contractual obligations, or ongoing litigation require longer retention, those obligations control. For example, financial institutions subject to Central Bank of Brazil regulations or healthcare providers subject to medical-record retention rules must retain incident records for the longer of the two periods.
Exception for public entities subject to permanent-record rules. Article 10, § 2 exempts entities listed in LGPD Article 23 — public bodies, entities, and authorities processing data in the performance of their legal competencies or statutory attributions — from the five-year floor when national archival regulations classify the incident record as permanent. The Conselho Nacional de Arquivos (CONARQ) publishes retention schedules (tabelas de temporalidade) for federal, state, and municipal government agencies. If the incident record relates to a processing operation tied to a public function for which CONARQ mandates permanent archiving, the entity must follow the archival schedule rather than the five-year minimum. In practice, most security-incident records for routine administrative processing are classified as temporary rather than permanent, so the five-year rule applies in the majority of public-sector cases.
Format and accessibility. Resolution 15/2024 does not prescribe a format — controllers may maintain incident records in a digital incident-response platform (Jira Service Management, ServiceNow, or a purpose-built LGPD-compliance tool), in a secured SharePoint folder, or in a paper logbook. ANPD's enforcement guidance recommends controllers adopt a centralized incident-response log indexed by incident ID, date, and data categories, with narrative summaries and supporting forensic reports attached. The record must be accessible on reasonable notice when ANPD requests it during a processo de fiscalização (enforcement inspection) or a procedimento de apuração de incidente de segurança (PAI, incident-investigation proceeding).
When ANPD receives a complaint from a data subject, a media report of a possible breach, or intelligence from another supervisory authority, it may initiate a PAI under Articles 16–17 of Resolution 15/2024. The Coordenação de Apuração de Incidentes (CAIS/CGIS) will request the controller's incident log and supporting documentation. Controllers that fail to produce the records, produce incomplete records, or produce records that contradict the controller's contemporaneous public statements face obstruction sanctions under Article 5 of the Enforcement Regulation, in addition to any substantive Article 48 violation.
Small processing agents receive no exemption from recordkeeping. Controllers qualifying as agentes de pequeno porte under Resolution CD/ANPD No. 2/2022 (startups, micro/small enterprises, legal entities with gross revenue in Brazil below the statutory threshold) receive double the notification deadline (six business days instead of three) but must still maintain the same five-year incident records. The only recordkeeping relief for small agents is the general exemption from maintaining a full Registro de Operações de Tratamento (ROPA) under Article 37 of the LGPD unless they perform high-risk or large-scale processing. Security-incident records, however, are mandatory for all controllers regardless of size, because they directly implement the Article 48 notification duty and Article 50 governance obligation.
Cross-reference to Article 37 ROPA obligation. Controllers subject to the full Article 37 duty (those not qualifying as small agents, or qualifying small agents performing high-risk processing) must maintain a Registro de Operações de Tratamento documenting each processing activity, the categories of data, retention periods, and security measures. When a security incident occurs, the controller should cross-reference the ROPA entry for the affected processing activity in the incident record. If the incident exposes a gap between the security measures documented in the ROPA and the measures actually deployed (for example, the ROPA states "encryption at rest" but the compromised database was unencrypted), ANPD will treat that discrepancy as evidence of breach of Article 46 (security measures) and Article 50 (governance), compounding the Article 48 notification failure.
ANPD may compel production at any time. Article 8 of Resolution 15/2024 authorizes ANPD to request additional information about a security incident at any time, including the internal incident record, forensic-investigation reports, and correspondence with affected data subjects. Failure to respond within the deadline ANPD sets (typically fifteen business days under the general enforcement regulation, doubled to thirty for small agents) subjects the controller to daily fines under Article 52(III) of the LGPD. ANPD's 2024 enforcement precedents (INSS and SEEDF) demonstrate the authority's willingness to sanction public-sector controllers that obstruct incident investigations or fail to maintain adequate records.
Operator (processor) recordkeeping. Resolution 15/2024 places the notification duty on the controller (Article 48 of the LGPD), but operators that detect a breach must inform the controller without unjustified delay. Best practice, endorsed by ANPD in published guidance, is for operators to maintain their own parallel incident log documenting the date of detection, the date and content of the notification to the controller, and any mitigation measures the operator took at the controller's direction. When the controller and operator disagree about whether an incident was timely escalated, the operator's contemporaneous record is critical evidence in an ANPD enforcement proceeding.
Records as evidence in civil litigation. Although Article 10 is an administrative recordkeeping obligation owed to ANPD, the incident record is discoverable in civil damages claims brought by affected data subjects under the Civil Code and Consumer Protection Code. A well-documented incident record showing prompt detection, rigorous risk assessment, and good-faith mitigation can support a controller's defense that it acted reasonably and minimized harm. Conversely, an incomplete record or a record showing the controller delayed notification or underestimated risk strengthens the plaintiff's case for fault and causation. Controllers must balance the transparency and accountability benefits of detailed incident documentation against the litigation-exposure risk of documenting internal debates and preliminary risk assessments that might later be characterized as reckless.
Source: Resolution CD/ANPD No. 15 of April 24, 2024 (Security Incident Communication Regulation), Art. 10
Source: Lei nº 13.709, de 14 de agosto de 2018 (LGPD), Arts. 37, 48, 50
Data-subject notification content — Article 9 required disclosures and plain-language rule
Controllers must notify affected data subjects directly whenever a security incident meets the Article 48 / Resolution 15/2024 notifiability threshold, on the same three-business-day clock that applies to ANPD notification. The content of the data-subject communication is governed by Article 9 of Resolution CD/ANPD No. 15/2024 and differs materially from what the controller reports to the authority. Whereas ANPD notification emphasizes forensic detail and regulatory compliance evidence, the data-subject communication must be written in linguagem clara e acessível (clear and accessible language) and must enable the recipient to take immediate protective action.
Article 9 mandatory content — five core disclosures. The data-subject notification must contain at minimum:
I. Description of the nature of the affected personal data — the categories of data compromised (CPF, name, email, financial data, authentication credentials, health information, etc.), presented in terms a lay reader can understand. Controllers should avoid generic labels ("personal data") and instead specify the exact data elements exposed. For example: "Your CPF number, full name, email address, and bank account number were accessed by an unauthorized third party."
II. Information about risks related to the incident and possible impacts on the data subject — a concrete assessment of what the breach means for the individual. This must go beyond boilerplate warnings and identify the specific harms the exposed data could enable. If the incident involved CPF numbers and bank-account details, the notification should state that the subject is at risk of identity theft, fraudulent bank transfers, unauthorized credit applications, and phishing attempts. If the incident involved authentication credentials (passwords, security tokens), the notification should warn that the subject's account may be accessed by third parties and that any linked accounts using the same password are also at risk. ANPD enforcement guidance emphasizes that this element is the core accountability moment: the controller must demonstrate it has rigorously assessed impact rather than copied template language.
III. Technical and security measures used to protect the data, adopted before and after the incident — transparency about what safeguards were (or were not) in place. If the compromised data were encrypted at rest but the encryption key was also stolen, that fact must be disclosed. If the data were stored in plaintext, the notification should candidly state that no encryption was applied. Post-incident measures—password resets, temporary account suspensions, enhanced monitoring, forensic investigation—must also be described. Controllers may withhold details that would jeopardize commercial or industrial secrecy under Article 9, § 2, but the default is full disclosure.
IV. Measures that were or will be adopted to reverse or mitigate the effects of the damage — concrete steps the controller is taking to reduce harm and what the controller is asking or doing on behalf of the data subject. Common mitigation measures include: offering free credit-monitoring services for a defined period (typically 12–24 months for financial-data breaches); forcing password resets and invalidating active sessions; notifying financial institutions to flag the subject's CPF for heightened fraud scrutiny; providing a dedicated call center or email address for affected individuals to ask questions. If the controller cannot reverse the harm (for example, exposed sensitive health data cannot be "unexposed"), the notification should state that plainly and focus on what monitoring or support the controller will provide.
V. Contact information for the encarregado (Data Protection Officer) or other point of contact — a direct, functioning communication channel where the data subject can ask questions, request further information, or report suspicious activity that may be linked to the breach. The contact must be specific (a named person or dedicated email address / phone number), not a generic corporate switchboard. Article 9, § 5 requires the controller to respond to data-subject inquiries arising from the breach notification within a reasonable timeframe, and ANPD has indicated it will treat prolonged silence as evidence of failure to comply with the transparency principle under LGPD Article 6(VI).
Plain-language obligation — Article 9, caput. Unlike the ANPD notification (which is drafted by the DPO or legal counsel for a regulatory audience), the data-subject communication must be written in linguagem clara e acessível. ANPD's published guidance states that "clear language" means vocabulary and sentence structure comprehensible to individuals with basic literacy, avoiding legal jargon, technical acronyms, and passive-voice hedging. "Accessible" includes both linguistic accessibility (Portuguese as the primary language, with translations when the controller knows it serves a significant non-Portuguese-speaking population) and format accessibility (readable font sizes, high color contrast for vision-impaired readers, plain-text email or SMS rather than PDF attachments requiring specialized software). Controllers serving vulnerable populations—children, adolescents, elderly persons—should tailor the notification's reading level and format accordingly.
Individualized notification preferred; broadcast permitted when infeasible. Article 9, § 1 directs controllers to communicate the breach preferencialmente de forma direta e individualizada (preferably in a direct and individualized manner). Direct channels include:
- Email to the subject's registered email address;
- SMS or WhatsApp message to the subject's registered mobile number;
- Physical letter sent by registered mail to the subject's address on file;
- Phone call to the subject's registered number, with a follow-up written confirmation;
- In-app notification within a mobile application the subject has installed and authenticated.
Controllers must choose the communication channel most likely to reach the affected individual promptly. If multiple contact methods are available, best practice is to use at least two (email + SMS, or email + in-app push notification) to maximize the probability the subject sees the alert.
Broadcast notification — when individual communication is inviável. If individual notification is inviável (infeasible) because the controller lacks current contact information for affected subjects, the scale of the breach makes individualized outreach operationally impossible, or the compromised database did not include contact details, the controller must use broadcast channels (Article 9, § 3):
- The controller's website (homepage banner or dedicated breach-notification landing page);
- Mobile application notifications visible to all users upon login;
- Social media accounts operated by the controller (Facebook, Instagram, LinkedIn, Twitter/X);
- Customer service channels (call-center greeting, chatbot disclosure, in-store signage for retail locations).
The broadcast communication must remain visible and accessible for at least three months (Article 9, § 3). Within three business days of initiating the broadcast, the controller must file a declaração (declaration) with ANPD confirming the broadcast notification, listing the specific channels used, the start date, and the planned end date (Article 9, § 4). Failure to file the declaration subjects the controller to sanctions under Article 52 for incomplete notification.
ANPD guidance expressly warns that controllers may not use the infeasibility exception as a pretext to avoid individualized notification. If the controller's own data-processing practices caused the lack of contact information (for example, collecting CPF and financial data but not an email address or phone number), ANPD will treat that as evidence of a violation of the data-minimization and purpose-limitation principles (LGPD Article 6(III) and (I)), compounding the breach-notification failure.
Timing — same three-business-day clock as ANPD notification. Article 9, caput, requires data-subject notification within three business days from the date the controller became aware that the incident affected personal data—the same deadline that governs ANPD notification under Article 6. Controllers qualifying as agentes de pequeno porte receive double the deadline (six business days) for both notifications. The controller may send a preliminary notification to data subjects within the three-day window if full information is unavailable, and must supplement it within twenty business days of the preliminary communication (by analogy to Article 6, § 3, which governs ANPD notification; Article 9 does not explicitly address staged notification to subjects, but ANPD's published FAQ confirms the same framework applies).
Best practice is to notify ANPD and data subjects simultaneously or in immediate succession (ANPD first, subjects within hours). Notifying ANPD but delaying the data-subject communication for days invites the inference that the controller prioritized regulatory compliance over subject protection, which ANPD treats as an aggravating factor under the dosimetry regulation.
Language and tone — transparency over reputation management. ANPD's enforcement decisions (INSS, SEEDF) and published guidance emphasize that the data-subject notification is not a marketing opportunity or a reputation-repair exercise. Controllers may not bury the mandatory disclosures under apologetic corporate messaging, minimize the severity of the breach ("a small number of records"), or deflect accountability onto third parties ("our vendor experienced an incident") without also disclosing the controller's own role and responsibilities under LGPD. The notification must lead with the five mandatory elements in Article 9, presented in plain declarative sentences. Contextual or explanatory material (how the breach was detected, what the controller is doing to prevent recurrence) may follow, but the subject's immediate needs—what data were exposed, what risks the subject faces, what the subject should do now—come first.
No legal disclaimers or liability waivers. Controllers may not condition breach notifications on the data subject's agreement to a liability waiver, class-action waiver, or mandatory arbitration clause. Any such language in a breach notification is void under Brazilian consumer-protection law (CDC Article 51) and constitutes a separate LGPD violation (interference with the subject's exercise of rights under Article 18). If the controller anticipates civil claims, it should address those through its liability-insurance carrier and legal counsel, not through the breach-notification communication to affected individuals.
ANPD may compel revision or expanded disclosure. After receiving the controller's notification and reviewing the corresponding data-subject communication (which the controller should include as an exhibit in the ANPD filing), ANPD may determine that the communication was inadequada (inadequate) in form or content. Article 19 of Resolution 15/2024 authorizes ANPD to order the controller to corrigir (correct) the notification—for example, by reissuing it in plainer language, by adding missing risk disclosures, or by switching from broadcast to individualized channels if ANPD finds the infeasibility claim unsupported. ANPD may also invoke LGPD Article 48, § 2 to compel ampla divulgação (broad disclosure) in mass media—newspapers, radio, television, paid internet advertising—at the controller's expense, when the authority determines that existing communications are insufficient to protect affected subjects. Refusal to comply with an ANPD disclosure order triggers daily fines under Article 52(III) and potential operational sanctions (suspension of the processing activity under Article 52(VIII)).
Cross-border complications — notification in multiple jurisdictions. When the breach affects data subjects located in Brazil and in other jurisdictions (EU, UK, California, etc.), the controller must comply with all applicable notification regimes. LGPD Article 9 notification requirements are independent of and cumulative with GDPR Article 34 data-subject notification, CCPA § 1798.82 California breach-notification law, and other territorial rules. Controllers should draft a master notification satisfying the most demanding content requirements across all relevant regimes, then localize for language and jurisdiction-specific contact information. A notification that satisfies Article 9's five mandatory elements will typically also satisfy GDPR Article 34 (which requires similar disclosures of data categories, consequences, and mitigation measures) but may require supplementation for California (which mandates specific language about the subject's right to request a police report, Cal. Civ. Code § 1798.82(d)(1)(G)).
Operator (processor) coordination. Although the notification duty runs to the controller, when the breach originates in an operator's systems, the operator must provide the controller with all information necessary to complete the Article 9 notification—data categories affected, number of subjects, timeline, technical cause—without unjustified delay (Resolution 15/2024, Article 4, § 2). Well-drafted controller-processor contracts (LGPD Article 39) include a breach-notification annex specifying the operator's obligation to deliver a preliminary report within 24 hours of detection and a detailed forensic summary within 72 hours, enabling the controller to meet the three-business-day ANPD and data-subject deadlines. Operators that delay or withhold critical information, forcing the controller to file an incomplete or inaccurate notification, expose both parties to sanctions; ANPD has indicated it will treat such coordination failures as joint violations.
Recordkeeping — retain copies of all data-subject communications. Controllers must retain copies of the data-subject notifications (whether individualized emails, SMS messages, website screenshots, or social-media posts) as part of the five-year incident record required under Article 10 of Resolution 15/2024. If ANPD later investigates whether the controller satisfied Article 9, the authority will request proof that the communication was sent, that it reached the intended recipients (email delivery logs, SMS gateway confirmations, website analytics showing page views), and that it contained the five mandatory disclosures in clear language. Controllers using third-party notification vendors (email service providers, SMS platforms) should configure those systems to generate and archive delivery receipts and read confirmations (when technically feasible and not privacy-invasive).
Source: Resolution CD/ANPD No. 15 of April 24, 2024 (Security Incident Communication Regulation), Art. 9
Source: ANPD — Comunicação de incidente de segurança (guidance page)
Source: Lei nº 13.709, de 14 de agosto de 2018 (LGPD), Art. 48
ANPD notification procedure — SEI!ANPD electronic filing, DPO/representative requirement, and mandatory form content
Controllers must file breach notifications electronically through ANPD's SEI!ANPD (Sistema Eletrônico de Informação) platform, a unified electronic-filing system for all administrative processes at the Autoridade Nacional de Proteção de Dados. The notification may not be submitted by email, postal mail, or in-person delivery; the SEI!ANPD peticionamento eletrônico (electronic petitioning) portal is the sole authorized channel. Controllers that fail to use the platform or that submit notifications outside the system face procedural rejection and potential obstruction sanctions under Article 5 of ANPD's Enforcement Regulation (Resolution CD/ANPD No. 1/2021).
Who may file — DPO or legal representative only (Article 6, § 5). Article 6, § 5 of Resolution CD/ANPD No. 15/2024 requires that breach notifications be filed by the encarregado (Data Protection Officer, the role defined in LGPD Article 5(VIII) and Article 41) or by a legal representative (representante constituído) with formal power of attorney to act on the controller's behalf before ANPD. The filing individual must submit documentary proof of the relationship:
- For the DPO: a copy of the employment contract, service agreement, or designation letter establishing the individual as the controller's encarregado, along with a corporate resolution or board minute confirming the appointment if the controller is a legal entity; or
- For a legal representative: a power-of-attorney instrument (procuração) conferring explicit authority to represent the controller in ANPD proceedings, signed by an authorized signatory of the controller (for a legal entity, typically a director or officer with corporate authority) and notarized or authenticated under Brazilian Civil Code formalities.
The documentary proof must be uploaded to the SEI!ANPD platform at the time of the initial notification, within the three-business-day deadline (Article 6, § 6). Controllers that submit the notification form but fail to attach the representation documents receive a procedural deficiency notice; if the omission is not cured within the cure period ANPD specifies (typically five business days), ANPD may initiate a Processo de Apuração de Incidente (PAI) — an investigation proceeding — to determine whether the breach was notifiable and whether the controller's failure to perfect the notification constitutes an Article 48 violation (Article 6, § 7).
SEI!ANPD platform access — external-user registration. The SEI!ANPD system distinguishes internal users (ANPD staff) from external users (controllers, data subjects, petitioners). The DPO or legal representative must register as a usuário externo (external user) before filing a breach notification. As of April 2026, ANPD migrated to a standalone SEI instance (sei.anpd.gov.br), separate from the federal government's legacy SUPER.BR system. External-user registrations created before January 15, 2024 are invalid and must be re-created in the new system.
Registration is a two-step process:
Step 1 — pre-registration (pré-cadastro). The individual navigates to the SEI!ANPD external-user login page (https://sei.anpd.gov.br/sei/controlador_externo.php?acao=usuario_externo_logar&id_orgao_acesso_externo=0) and clicks "Usuário Externo Não Cadastrado" (External User Not Registered). The system prompts for CPF (for Brazilian nationals) or passport number (for foreign nationals), full name, email address, and mobile phone number. ANPD sends a confirmation code to the email and SMS; the user enters both codes to verify identity.
Step 2 — approval by ANPD. After pre-registration, the individual's request enters a queue for manual review by ANPD's protocol team (Coordenação de Protocolo). ANPD typically approves registrations within two business days. Once approved, the user receives an email with login credentials and may access the SEI!ANPD peticionamento eletrônico portal. Users with a gov.br account (the federal government's single-sign-on identity system) may authenticate using their gov.br credentials as an alternative to the SEI-specific login and password.
Controllers should complete the external-user registration in advance of any anticipated breach. Waiting until an incident occurs to register may consume one or two business days of the three-business-day notification deadline, compressing the time available to gather information and complete the form.
Filing a new breach notification — "Novo" peticionamento. Once logged in to SEI!ANPD, the filer selects "Peticionamento" > "Novo" from the left menu. The system displays a drop-down list of process types; the filer selects "ANPD – Comunicados de Incidentes à Agência Nacional de Proteção de Dados" (ANPD — Incident Communications to the National Data Protection Authority). The platform then presents a structured form with two sections: "Documento Principal" (Main Document) and "Documentos Complementares" (Supplemental Documents).
Documento Principal — the structured breach-notification form. The platform auto-populates a Formulário de Comunicação de Incidente de Segurança (Security Incident Communication Form) as the main document. The form is a fillable PDF embedded in the SEI!ANPD interface. Controllers may choose between a preliminary notification (comunicação preliminar) or a complete notification (comunicação completa), depending on how much information is available within the three-business-day deadline. The form fields mirror the Article 6, § 2 content requirements and include:
Section 1 — Controller identification. Legal name, CNPJ (Cadastro Nacional de Pessoa Jurídica, the Brazilian tax ID for legal entities) or CPF (for individual controllers), registered address, primary business activity (CNAE code), contact email and phone number, and the name and contact information of the encarregado.
Section 2 — Incident description. Date and time the incident occurred (if identifiable), date and time the controller became aware that personal data were affected, estimated duration of the exposure, nature of the incident (structured checkboxes: unauthorized access, accidental disclosure, ransomware/encryption, insider exfiltration, third-party vendor breach, lost/stolen device, other), and a narrative description of the circumstances (free-text field, 500-character minimum recommended).
Section 3 — Affected data categories and volume. The form lists the six data categories from Article 5(II) of Resolution 15/2024 as checkboxes:
- Sensitive data under LGPD Article 5(II) (racial/ethnic origin, religion, political opinion, trade-union membership, health, sex life, genetic/biometric data for unique ID);
- Data of children, adolescents, or elderly persons;
- Financial data;
- Authentication credentials (passwords, tokens, biometric credentials);
- Data protected by legal, judicial, or professional secrecy;
- Large-scale data.
For each category checked, the form requires the estimated number of affected data subjects and the estimated volume of records. If the controller cannot provide a precise number (common in preliminary notifications), the form accepts ranges (< 100, 100–1,000, 1,000–10,000, 10,000–100,000, > 100,000).
Section 4 — Security measures. A matrix asking the controller to specify which technical and administrative safeguards were in place before the incident (encryption at rest, encryption in transit, access controls, multi-factor authentication, logging and monitoring, data-loss prevention, employee training, third-party audits) and which additional measures were adopted after detection (password resets, system isolation, forensic investigation, vendor contract termination, enhanced monitoring). For each safeguard, the form requests a brief description (100–200 characters) of its implementation.
Section 5 — Risk assessment and impacts. A structured risk matrix listing common harms (identity theft, financial fraud, reputational damage, inability to exercise LGPD rights, physical safety risk, discrimination risk, other) with severity ratings (low / medium / high / very high). The controller must assess each harm type and provide a narrative justification (200–500 characters per harm category checked as medium or higher). This section implements the "risco ou dano relevante" (relevant risk or damage) threshold from Article 48 of the LGPD; ANPD's enforcement guidance states that controllers should adopt a cautious posture and err on the side of notification when in doubt.
Section 6 — Mitigation and remediation measures. Free-text field (500-character minimum) describing steps the controller has taken or will take to reverse or mitigate harm, including timeline for completion. Common measures include: offering credit-monitoring services, forcing password resets, notifying financial institutions, providing a dedicated call center for affected individuals, conducting a post-incident DPIA, and revising security policies.
Section 7 — Reasons for delay (if applicable). If the notification is filed after the three-business-day deadline, the form requires a detailed explanation of the delay, including which facts were unavailable within the deadline and what steps the controller took to gather them. Unjustified delay exposes the controller to sanctions under Article 52 of the LGPD and is an aggravating factor under the dosimetry regulation.
Section 8 — Preliminary vs. final notification designation. The form asks whether the controller is filing a preliminary notification (because full information is unavailable) or a complete notification. If preliminary, the controller must specify which information is missing and commit to a timeline for the supplemental filing. Article 6, § 3 of Resolution 15/2024 requires the controller to supplement the preliminary notification within twenty business days of the initial filing (forty business days for small processing agents under Resolution No. 2/2022).
Documentos Complementares — required attachments. In addition to the structured form, the filer must upload the following in the "Documentos Complementares" section:
1. Proof of representation (required for all filings). Copy of the DPO designation letter or power-of-attorney instrument, as described above. ANPD accepts PDF, DOC/DOCX, or scanned image formats; the file size limit is 10 MB per document.
2. Forensic-investigation report or incident log (strongly recommended, mandatory if requested by ANPD under Article 8). A technical report documenting the incident timeline, root cause, affected systems, data-exposure pathway, and containment measures. If the controller engaged an external forensic firm, the firm's report should be attached. If the investigation is ongoing, the controller should attach a preliminary summary and commit to providing the final report in the supplemental filing.
3. Data-subject communication materials (required when the controller has notified or will notify data subjects). Copy of the email, SMS, letter, or website banner the controller sent to affected individuals, demonstrating compliance with Article 9 of Resolution 15/2024. If the controller has not yet notified data subjects (because it filed the ANPD notification first), the form should include a draft of the planned communication and the anticipated send date.
4. Corporate authorization or board resolution (recommended for legal entities). Evidence that the DPO or legal representative is authorized to bind the controller. For public entities, a designation order (portaria de designação) or administrative act appointing the encarregado. For private entities, a board resolution or executive authorization.
5. Formulário Complementar (optional, used when the standard form fields are insufficient). ANPD publishes a supplemental Formulário Complementar template on its guidance page (https://www.gov.br/anpd/pt-br/canais_atendimento/agente-de-tratamento/comunicado-de-incidente-de-seguranca-cis). Controllers may download the editable Word document, fill it with additional narrative detail, and attach it to the SEI!ANPD filing when the structured form's character limits are inadequate to describe a complex incident.
Document-access classification — público vs. restrito. Since August 1, 2024, ANPD's SEI!ANPD platform includes a Módulo de Pesquisa Pública (Public Search Module) that makes documents classified as público (public) visible to anyone without login or password. Controllers must carefully select the access level for each document:
- Documents containing commercially sensitive information (trade secrets, proprietary security measures, vendor contract terms) or data subject personal information (names, CPFs, email addresses of affected individuals) should be classified as restrito (restricted).
- The structured notification form itself and high-level summaries may be classified as público if the controller wishes to demonstrate transparency; however, ANPD's guidance warns that any document marked público will be searchable and viewable by the general public, media, competitors, and plaintiffs' attorneys.
Best practice is to classify the notification form and all attachments as restrito unless the controller has a specific transparency objective, and to redact all personal data and commercially sensitive details from any público document.
Submitting the filing — system-generated process number. After completing the form, uploading all attachments, and reviewing the access classifications, the filer clicks "Peticionar" (Submit Petition). The SEI!ANPD system assigns a unique process number (número do processo) in the format XXXXX.YYYYYY/ZZZZ-AA (e.g., 00261.003456/2024-12). The controller receives an email confirmation with the process number and a link to track the filing's status. ANPD's protocol team reviews the submission for completeness within two business days; if the filing is deficient (missing representation documents, incomplete form fields, unreadable attachments), ANPD issues a notificação de saneamento (cure notice) via the SEI platform, and the controller must cure the deficiency within the specified period (typically five business days).
Supplemental filings — "Intercorrente" peticionamento. When a controller needs to add information to an existing breach notification — for example, to file the final notification after an earlier preliminary filing, to submit the forensic report that was unavailable at the initial deadline, or to respond to an ANPD request for additional information under Article 8 of Resolution 15/2024 — the filer must use peticionamento intercorrente (intercurrent petitioning), not a new petition. Filing a new petition creates a separate process and fragments the breach record, making ANPD's analysis more difficult and potentially triggering sanctions for non-cooperation.
To file an intercurrent petition:
- Log in to SEI!ANPD and select "Peticionamento" > "Intercorrente" from the left menu.
- Enter the process number from the original notification in the search field and click "Validar" (Validate). If the number is valid and the filer has access rights to the process, the system displays an "Adicionar" (Add) button.
- Click "Adicionar" and upload the supplemental document(s). The filer may attach the completed Formulário Complementar, the final forensic report, updated data-subject communication materials, or a narrative cover letter explaining the supplement.
- Submit the intercurrent petition. The new documents are appended to the original process, and ANPD's review team is notified of the update.
Article 6, § 3 requires the controller to file the supplemental notification within twenty business days of the preliminary filing (forty for small agents). Missing that deadline without justification is an aggravating factor under the dosimetry regulation and may trigger a formal auto de infração (infraction notice) for incomplete notification.
ANPD review and response timeline. After the controller files the notification, the process is routed to the Coordenação de Tratamento de Incidentes de Segurança (CTIS) within the Coordenação-Geral de Incidentes de Segurança (CGIS). CTIS conducts an initial triage, assessing whether the incident meets the Article 48 threshold and whether the controller's risk assessment and mitigation measures are adequate. ANPD has no statutory deadline to respond; in practice, responses range from two weeks to three months depending on the severity and complexity of the incident and ANPD's enforcement workload.
ANPD may issue one of several responses:
- Acknowledgment of receipt (recibo de comunicação) with no further action, when the notification is complete, the incident appears to have been handled appropriately, and no enforcement investigation is warranted;
- Request for additional information under Article 8 of Resolution 15/2024, specifying which documents or clarifications ANPD requires and setting a deadline (typically fifteen business days, doubled to thirty for small agents);
- Determinação preventiva (preventive determination) under Article 15 of Resolution 15/2024, ordering the controller to adopt specific mitigation measures — notify data subjects, suspend processing, engage a third-party auditor, implement enhanced security controls — within a defined deadline, often with daily fines accruing until compliance;
- Initiation of a Processo de Apuração de Incidente (PAI) under Articles 16–17 when ANPD believes the controller underestimated risk, delayed notification unjustifiably, or failed to mitigate harm adequately;
- Instauração de processo administrativo sancionador (formal sanctioning proceeding) under Article 21 when the controller fails to comply with a preventive determination or when the breach and response evidence serious LGPD violations.
Controllers may track the process status through the Módulo de Pesquisa Pública (if documents are classified as público) or by logging in to SEI!ANPD as an external user and viewing the process timeline.
Contact for procedural questions — protocolo@anpd.gov.br and incidentes@anpd.gov.br. Controllers experiencing technical difficulties with the SEI!ANPD platform (login issues, file-upload errors, process-number validation failures) should email protocolo@anpd.gov.br. Substantive questions about whether an incident is notifiable, what information the form requires, or how to interpret Article 6 content requirements should be directed to incidentes@anpd.gov.br, the email address for the Coordenação de Tratamento de Incidentes de Segurança (CTIS/CGIS). ANPD typically responds to email inquiries within five business days; however, emailing ANPD does not extend the three-business-day notification deadline. Controllers uncertain whether an incident is notifiable should file the notification and note the uncertainty in the risk-assessment section of the form, rather than waiting for ANPD guidance and missing the deadline.
Public-sector special case — portarias and administrative acts. Public entities (órgãos públicos, entidades, and autoridades processing data under LGPD Article 23) must attach additional documentation when filing a breach notification: the portaria de designação (designation order) appointing the encarregado, issued by the entity's head or superior authority, and any administrative act authorizing the disclosure of information to ANPD (when internal regulations require such authorization for external communication). Failure to attach these documents subjects the public-sector controller to the same cure-notice procedure as private controllers, but ANPD's enforcement decisions (INSS, SEEDF) show the authority is less willing to accept procedural delays from government entities, which are presumed to have in-house legal and compliance resources.
Cross-border complications — Portuguese language and Brazil-domiciled representative. All SEI!ANPD filings must be in Portuguese. Foreign controllers without Portuguese-language capability should retain a Brazil-domiciled legal representative (typically a Brazilian law firm or compliance consultancy) to prepare and file the notification. ANPD does not accept filings in English, Spanish, or other languages, and machine-translated submissions are routinely rejected for incoherence. The legal representative must hold a valid procuração (power of attorney) executed under Brazilian formalities, authenticated at a Brazilian consulate if executed abroad, and apostilled under the Hague Convention if the controller's home jurisdiction is a party to the Convention.
Source: Resolution CD/ANPD No. 15 of April 24, 2024 (Security Incident Communication Regulation), Arts. 6–8
Source: ANPD — Comunicação de incidente de segurança (official guidance page, SEI!ANPD instructions)
Source: Lei nº 13.709, de 14 de agosto de 2018 (LGPD), Art. 48