By ...
October 4, 2023
Central Bank publishes Resolution on information security incidents involving personal data in the PIX system
Last week, the Brazilian Central Bank (BACEN) published the Resolution 347 of September 26, 2023, which established the need of financial institutions to report security incidents involving personal data to data subjects. This Resolution establishes obligations and penalties for regulated institutions participating in the PIX arrangement regarding non-compliance with security requirements and the occurrence of incidents involving personal data.
The duty to notify account holders (natural persons) arises from the occurrence of any incident involving their personal data in databases related to the PIX infrastructure. Therefore, reporting is mandatory in cases where PIX’s database is involved, even if the financial or payment institution that is the participant providing the account is not responsible for the incident.
It is worth mentioning that the provisions of Bacen Resolution 347/2023 on security incidents are stricter than the provisions of the General Data Protection Law (Law No. 13,709/2018 – “LGPD”) regarding the same matter. This is because the Resolution establishes the obligation to communicate the incident to the data subject even if the incident does not entail a relevant risk or damage to the data subject, while under the LGPD, communication of the security incident is only mandatory if there is a risk or damage to the data subject.
The Resolution 347/2023 also establishes penalties for PIX institutions that do not meet the technical security requirements established. The penalties vary, among other factors, according to the consequences of the incident, the measures adopted by the participating institution to contain and minimize the effects of the incident, the type of institution affected, and the number of PIX keys potentially compromised by the incident.
The Resolution is already in force and its text can be accessed here.
If you wish to obtain more information on this matter, we are available at digital@kasznarleonardos.com.
Last by ...
December 18, 2023
ANPD releases the Priority Themes Map for the 2024-2025 biennium
Last Wednesday, December 13, 2023, the Brazilian National Data Protection Authority (“ANPD”) published the first Priority Themes Map (“MPT”) through Resolution CD/ANPD No. … ANPD releases the Priority Themes Map for the 2024-2025 biennium
October 30, 2023
ANVISA’s Personal Data Protection Policy is released
On October 19, 2023, the Federal Official Gazette (DOU) published Administrative Order 1,184/2023, which provides for the National Health Surveillance Agency’s (Anvisa) … ANVISA’s Personal Data Protection Policy is released
October 11, 2023
Brazilian Data Protection Authority applies the second penalty for non-compliance with LGPD
Three months after imposing the first fine on a company, the Brazilian Data Protection Authority (ANPD) issued last Friday (06/10) a new sanction … Brazilian Data Protection Authority applies the second penalty for non-compliance with LGPD