This is required whenever a security incident related to personal data has occurred that may pose a relevant risk or damage to the individual rights and freedoms of the affected holders (more objective criteria will follow in the anticipated ANPD regulations).

From the law it is clear that the probability of significant risk or damage will be greater in certain types of cases (e.g. cases involving children, adolescents or vulnerable people – more details can be provided on request).