Chapter 1 (Art. 1 – 6) Preliminary Provisions
Chapter 2 (Art. 7 – 16) Processing of personal data
Chapter 3 (Art. 17 – 22) Data Subjects’ Rights
Chapter 4 (Art. 23 – 30) Rules
Chapter 5 (Art. 33 – 36) International transfer of data
Chapter 6 (Art. 37 – 45) Personal data processing agents
Chapter 7 (Art. 46 – 51) Security and good practices
Chapter 8 (Art. 52 – 54) Monitoring
Chapter 9 (Art. 55 – 59) The national data protection authority ("ANPD") and the national council for protection of personal data and privacy
Chapter 10 (Art. 60 – 65) Final and transitional provisions

Art. 48 The controller must communicate to the national authority and to the data subject the occurrence of a security incident

Art. 48

The controller must communicate to the national authority and to the data subject the occurrence of a security incident that may create risk or relevant damage to the data subjects.

§1 The communication shall be done in a reasonable time period, as defined by the national authority, and shall contain, at the very least:

I – a description of the nature of the affected personal data;

II – information on the data subjects involved;

III – an indication of the technical and security measures used to protect the data, subject to commercial and industrial secrecy;

IV – the risks related to the incident;

V – the reasons for delay, in cases in which communication was not immediate; and

VI – the measures that were or will be adopted to reverse or mitigate the effects of the damage.

§2 The national authority shall verify the seriousness of the incident and may, if necessary to safeguard the data subjects’ rights, order the controller to adopt measures, such as:

I – broad disclosure of the event in communications media; and

II – measures to reverse or mitigate the effects of the incident.

§3 When judging the severity of the incident, consideration will be given to any demonstration that, within the scope and the technical limits of the services, adequate technical measures were adopted to render the affected personal data unintelligible to third parties who were not authorized to access them.