Report of Personal Data Security Incident in Pix Payment Arrangements

See our Technology and Data Protection Bulletin on BACEN Resolution 342/2023, which addresses the obligation for Pix Participants to report security incidents and imposes penalties in the event of a security breach.

On September 26, 2023, the Central Bank of Brazil (“BACEN”) published Resolution no. 342/2023, which amends (i) the Pix regulation (Resolution BCB no. 1 of August 12, 2020); and (ii) the Manual relating to Pix Penalties (Resolution BCB no. 177, of December 22, 2021).

Resolution no. 342/2023 regulates the communication to be sent to data subjects upon the occurrence of data breaches affecting personal data and establishes the penalties applicable in case of non-compliance with Pix technical measure requirements.

We highlight the following aspects of Resolution no. 342/2023:

(i) “Pix Participants” (e.g. financial institutions, payment institutions, whether or not authorized to operate, and credit cooperatives) shall inform the holders of transaction accounts provided by them about the occurrence of data breaches affecting the personal data of the data subjects, even if the breach does not entail relevant risk or damage.

It is important to note that Resolution no. 342/2023 is stricter than the General Data Protection Law (“LGPD”): under the general rule on the communication of data breaches involving personal data, established by article 48 of the LGPD, the data subject has to be informed only about data breaches that may entail relevant risk or damage.

(ii) the data breach has to be reported even if the participant providing the account is not responsible for the breach.

(iii) BACEN shall issue a specific regulation about the to be observed relating to communications to be sent to the data subjects.

(iv) the Pix Participant may be subject to penalties if it fails to observe Pix technical measure requirements affecting (a) the implementation of Pix transactions involving final users, and (b) the confidentiality, integrity or availability of information linked to the Pix keys, to Pix transactions or to final users of Pix, except for events whose consequences are restricted to the disclosure of information that may be made available under the conditions established by the Pix Regulation.

(v) in case of application of fines, the base-value attributed to the breach shall be multiplied by the result of the sum of factors based on the type of institution, the percentage of total Pix transactions of the participant in the Instant Payment System and the percentage of total Pix keys potentially compromised as a result of the data breach.

You may access Resolution no. 342/2023 here.

The Technology and Data Protection team of Cescon Barrieu may assist you in case you need any clarifications relating to the practical implementation of the new rules.

This newsletter provides information about legal developments in Brazil to clients and members of Cescon, Barrieu, Flesch & Barreto Advogados. The content included herein is not meant to provide legal advice with respect to any specific matter. We do not undertake to update, supplement or modify the information contained herein.


Cescon Barrieu warns that all of its official communications are made exclusively through corporate e-mail addresses under the domain @cesconbarrieu.com.br. If you receive contact attempts in the firm's name via WhatsApp or via e-mail from a different domain, whether for negotiation, requests for information or the sending of payment slips (boletos), ignore the message
