In Force
ANPD Resolution CD/ANPD No. 2/2022 — Security Incident Reporting
Also known as: ANPD Incident Reporting (Brazil)
Establishes the framework for reporting personal data security incidents under Brazil's LGPD. Requires controllers to notify ANPD and affected data subjects within 72 hours of becoming aware of incidents that may cause significant harm.
Jurisdiction
Brazil
Regulator
National Data Protection Authority (ANPD)
Effective
5/27/2022
Sector
All sectors processing personal data
Full Text / Summary
Brazil's ANPD Resolution CD/ANPD No. 2/2022 establishes the procedures and timeframes for reporting security incidents involving personal data to the National Data Protection Authority (ANPD) under the Lei Geral de Proteção de Dados (LGPD). The Resolution requires controllers to notify ANPD within 72 hours of becoming aware of a security incident that may cause risk or harm to data subjects.

Notification must include: description of the nature of the incident; categories and number of data subjects affected; categories and approximate number of personal data records affected; likely consequences of the incident; measures taken or proposed to address the incident; and contact information for the data protection officer. Controllers must also notify affected data subjects when the incident may cause significant harm.

The Resolution establishes a two-phase reporting process: an initial notification within 72 hours followed by a supplementary report within 30 days. ANPD may impose fines of up to 2% of the company's revenue in Brazil, limited to BRL 50 million per violation.