ANPD publishes the Regulation on Dosimetry and Application of Administrative Sanctions for non-compliance with LGPD

On February 27, 2023, the National Data Protection Authority (“ANPD”) published Resolution CD/ANPD No. 4, which approves the Regulation on Dosimetry and Application of Administrative Sanctions relating to punishments for non-compliance with the Brazilian General Data Protection Law (“LGPD”).

This Regulation aims to establish parameters and criteria for the application of the administrative sanctions provided for in Article 52 of the LGPD, as well as the forms and dosimetry for the calculation of the base amount for fine sanctions.

As provided in Article 52 of the LGPD, personal data processing agents will be subject to the following administrative sanctions applicable by the ANPD, due to violations of the LGPD:
(i) warning;
(ii) simple fine;
(iii) daily fine;
(iv) publicizing the infringement;
(v) blocking of the personal data to which the infringement relates;
(vi) deletion of the personal data to which the infringement relates;
(vii) partial suspension of the operation of the database to which the infringement relates;
(viii) suspension of the personal data processing activity to which the infringement relates; and
(ix) partial or total prohibition of activities related to data processing.

The Resolution provides that the sanctions of partial suspension of the operation of the database, suspension of the personal data processing activity and of partial or total prohibition of activities related to data processing will only be applied after any of the other sanctions relating to the imposition of fines, publicizing the infringement, and blocking or deletion of the personal data have already been imposed. If the ANPD decides to adopt such measures, the authority shall notify the main sectorial regulatory agency or entity, with sanctioning powers, to which the offender is subject to, during the instruction phase of the administrative proceeding, so that the agency may provide its opinion on possible consequences of the imposition of sanctions for the exercise of regulated economic activities developed by the offender, especially in the provision of public services, as well as other information it may deem relevant.

An important point to be noted is that the sanctions will be applied by the ANPD gradually, either separately or cumulatively, according to the peculiarities of each case, not excluding the possibility of adoption of other administrative measures by the ANPD. However, failure to comply with the applied sanction or the absence of regularization of the infringing conduct within the stipulated period will lead to the application of more serious sanctions, without prejudice to the adoption of other applicable legal measures.

The definition of the sanction to be applied by the ANPD will take into consideration several criteria, such as (i) the seriousness and nature of the violations and the personal rights affected; (ii) the good faith of the offender; (iii) the economic condition of the offender; (iv) cases of recurrence; (v) the degree of damage caused by the offender; (vi) the cooperation of the offender; and (vii) the adoption of a good practices and governance policy, among others.

The Resolution also provides that the violations may be classified as light, medium and serious, depending on the interests and fundamental rights of the affected data subjects and on the characteristics of the processing that caused the violation, such as the volume of data processed, whether the processing involved sensitive personal data or personal data of children, adolescents or of elderly people, or whether the processing was carried out with illicit or abusive discriminatory effects, among others.

In this sense, the sanction of a warning may be applied to light and medium offenses, when it is not a case of specific recurrence or there is a need to impose corrective measures.

The infraction of simple fine, on its turn, shall be applied (i) when the offender does not comply with the preventive or corrective measures imposed, within the established deadlines; (ii) when the violation is classified as serious; or (iii) if it is not appropriate to apply another sanction, considering the nature of the violation, the processing activity or the personal data.

For the definition of the base amount for the simple fine, the ANPD shall use the methodology described in the Resolution’s Appendix I and will take into consideration (i) the classification of the infringement; (ii) the turnover of the offender in the last available year prior to the application of the sanction; and (iii) the degree of damage caused by the offender.

In addition, cases of recurrence and failure to comply with preventive measures and corrective measures shall be considered as aggravating circumstances for the definition of the base amount.

On the other hand, the base amount of the fine may be reduced if mitigating circumstances are observed, such as the cessation of the violation before the conclusion of the administrative proceedings by the ANPD, the implementation of a good practices and governance policy, or the repeated and proven adoption of internal mechanisms and procedures capable of minimizing the damages to the data subjects until a first instance decision is rendered in the sanctioning administrative proceeding.

The Resolution further provides that the daily fine sanction shall be applied by the ANPD when it is necessary to ensure compliance with a non-monetary sanction or with a determination made by the ANPD within a certain deadline, subject to the classification of the violation, the degree of the damage and the limit of up to 2% (two percent) of the offender’s revenues, limited to R$50,000,000.00 (fifty million reais).

As to the partial or total prohibition of activities related to data processing, the sanction may be applied when (i) there is a recurrence of an infraction punished with partial suspension of the operation of the database or suspension of the personal data processing activity; (ii) processing of personal data occurs for illicit purposes or without an appropriate legal basis; or (iii) the offender loses or does not meet the technical and operational conditions to maintain the appropriate processing of personal data.

The other administrative sanctions provided by the LGPD, such as publicizing the infringement, blocking or deletion of personal data and suspension of the personal data processing activity may be applied by the ANPD according to the characteristics of specific cases.

Finally, in addition to providing legal security to the sanctioning processes and guaranteeing the right of the data processing agent to right to adversarial proceedings, full defense and to the due process, the Regulation determines that the proportionality between the sanction applied, and the seriousness of the agent’s conduct must be guaranteed.

Main contacts:
Paula Mena Barreto
Partner
E: paula.menabarreto@cmalaw.com

Ricardo Caiado Lima
Partner
E: ricardo.caiado@cmalaw.com

Antonio Tovo
Partner
E: antonio.tovo@cmalaw.com