O logo ADNP é propriedade da autoridade nacional de proteção de dados.
From now on, the Data Protection Authority of Brazil-ANPD can apply administrative sanctions for violation of the General Data Protection Law-LGPD
1 - New resolution
The focal point for any organization subject to personal data protection legislation, such as the GDPR in Europe or the LGPD in Brazil, is the risk of being subject to a high administrative penalty. The monetary penalty can be up to 4% of the annual worldwide turnover of a company in Europe or 20,000,000.00 Euros for an organization without turnover. Brazilian law (LGPD) provides for a maximum of R$50,000,000.00 per offense (approx. 10,000,000.00 Euros).
While Brazil's National Data Protection Authority - ANPD has already received more than 7,000 complaints and eight procedures are awaiting the definition of sanctions, no sanction can be applied without the adoption of the regulation provided for in Article 53 of the LGPD, which reads as follows:
– "Art.53 . The National Data Protection Authority – ANPD will define, by means of its own Regulation on administrative penalties applicable to infringements of this Law, which will be subject to public consultation, the methods that will guide the calculation of the basic value of fines.
– § 1º The methodology referred to in this article must be published in advance, for the knowledge of the processing agents, and must objectively present the forms and dosimetry for the calculation of the basic value of penalties of fines, which must contain a detailed statement of reasons for all its elements, demonstrating compliance with the criteria provided for by this law.”
It is precisely this methodology for determining sanctions that is set out in the new resolution CD/ANPD n.4 of 24.02.2023. From the day of publication of this Resolution CD/ANPD n. 4 (27.02.2023), sanctions may therefore apply for infringement of LGPD.
Resolution No. 4 publishes "a regulation on the dosage and application of administrative sanctions".
2 - Nine administrative penalties are provided for in the LGPD:
I – warning;
II – simple fine;
III – daily fine;
IV – publication of the infringement;
V – blocking of personal data;
VI – elimination of personal data;
VII – suspension of the data bank;
VIII – suspension of data processing; and
IX – partial or total prohibition of activity relating to personal data.
Article 5 of the Regulation on the dosage of penalties specifies that sanctions will be applied gradually, individually or cumulatively, in accordance with the particularities of the specific case.
3 - Offences are classified into three categories:
(a) minor: when they are neither moderate nor severe
(b) moderate: when they can significantly affect the fundamental interests and rights of the holders.
(c) serious: when, in addition to the infringement of the interests and fundamental rights of the data subject
(i) they relate to large-scale processing; or
(ii) the offence was intended to obtain an economic advantage; or
(iii) the infringement poses a risk to the lives of the data subject; or
(iv) the breach involves sensitive data, or of children, adolescents or the elderly; or
(v) the data processing is not lawful; or
(vi) the processing is carried out with unlawful discriminatory effects; or
(vii) there are systematic irregular practices from the offender; or
(viii) in the event of obstruction of the ANPD's control activities.
A methodology for calculating fines is also foreseen.