
Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

According to the Consumer Code, companies should take all reasonable measures to offer safe and free-of-defect products and services. The courts have been of the opinion that if companies do not implement appropriate security measures (normally based on industry standards), their product or service is considered defective and may trigger liabilities.

The regulation of the Internet Act imposes the following security measures for internet application providers:

  • strict control over access to personal data, based on a defined allocation of responsibilities among the personnel who will have access to the stored data;
  • authentication mechanisms that must be used to allow access to stored personal data (eg, two-step verification should be used to ensure the identification of the employee with access to the stored personal data);
  • detailed data inventories that must be created to record access to personal data (eg, date, time and duration of access, identity of employee responsible for access and a record of the accessed files); and
  • use of IT solutions that ensure the inviolability of data (eg, encryption or equivalent protective measures).

In addition, the Internet Steering Committee may recommend the adoption of additional security measures and standards.

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

There are no specific reporting obligations in the event of data incidents. However, in some specific cases (notably when the leaked information may cause damage to the data subject), the principles of information and transparency imposed by the Consumer Code may require that affected individuals be informed of data breaches. For regulated sectors, the regulatory agencies overseeing the providers may also have to be informed (eg, the Central Bank, the Securities and Exchange Commission, the National Telecommunications Agency and the Private Insurance Superintendence).

Are data owners/processors required to notify the regulator in the event of a breach?

Please see above.
