BCB publishes new Resolution on Pix-related security incident rules

BCB Resolution No. 342 of 26 September 2023 and Normative Instruction No. 412 set out rules on the duty to notify data subjects when a security incident involving personal data occurs, on non-compliance with Pix's technical security requirements, and on the criteria for applying penalties.

We would like to highlight an important interface between this Resolution and the General Personal Data Protection Law (LGPD). Under the LGPD, a security incident involving personal data must be reported only when it may cause relevant risk or damage to the affected data subjects. The BCB Resolution adopts a different and broader criterion for security incidents within Pix: a security incident involving personal data in a database related to a Pix component or infrastructure must always be communicated to the natural persons holding transactional accounts provided by the participant, regardless of the risk assessment. This obligation applies even where the participant providing the account is not responsible for the incident.

Relevant changes have also been made to the Pix Penalties Manual (Annex I to BCB Resolution No. 177, of December 22, 2021), including the possibility of increasing the fine, graded according to the conduct of the Pix participant and the categories of data that may have been compromised. Our Payments and Privacy and Data Protection teams are available for further information and assistance in complying with these rules.