The National Data Protection Authority (ANPD) released, through Resolution CD/ANPD No. 04 of 24.02.2023, the “Regulation of Dosimetry and Application of Administrative Penalties”, with guidelines and criteria for the application of administrative penalties in cases of violation of the rules of Law No. 13.709/2018 (General Law of Data Protection – LGPD).

This is an extremely important regulation, especially for public and private entities that still need to adapt their internal policies and processes to the data protection legislation.

According to the Regulation, ANPD will apply the administrative penalties gradually, considering, among other requirements, the nature, gravity, and extent of the violation, as well as the violator’s good faith, cooperation, and economic capacity.

The following sanctions are provided for:

  1. warning;
  2. blocking or deletion of the personal data to which the infraction refers;
  3. simple or daily fine of up to 2% of the violating company’s revenues, limited to BRL 50 million per violation;
  4. public disclosure of the violation committed; and
  5. partial or total suspension or prohibition of the exercise of activities related to data processing.

The dosimetry of the fines will be done individually, case-by-case, considering the particularities and circumstances involved, including aggravating or attenuating ones.

Compared with other countries, the penalties provided in Brazil are not high. However, it is worth noting that other more severe and, eventually, unavoidable consequences may arise from non-compliance with LGPD, such as damage to the entity’s image in case of security incidents or data leakage and difficulty in doing business with some commercial partners.

The Resolution did not objectively define some of the concepts used to determine the sanction, such as “data volume”, “large-scale data” or “relevant damage”. The ANPD announced that a new draft, with more clearly defined concepts, will be released to eliminate gaps and reduce highly subjective analyses.

A point of attention is that, according to the Regulation of the Inspection Process and the Sanctioning Administrative Process, the ANPD can initiate a sanctioning administrative process ex officio; thus, once it finds a violation of the LGPD, sanctions can be applied regardless of a formal complaint.

The ANPD also announced, in a live meeting held on February 28th, 2023, that the inspection processes will be disclosed in the Federal Official Gazette and on the ANPD website, without identifying the data subjects or the companies involved. The publications will be educational in nature, not punitive, seeking to guide companies on best practices for applying data protection legislation and other ANPD regulations.

As disclosed, the ANPD will initially focus its inspection on the largest data processing agents, such as those that handle high volumes of data, even if they are not large companies. In all cases, the ANPD signaled that adopting effective measures to reverse any damage to the data subject is essential in mitigating sanctions and quantifying any fine to be imposed.

The LGPD team at Fraga, Bekierman and Cristiano Advogados is available to clarify doubts and advise on the necessary steps to comply with the LGPD.