Through Resolution CD/ANPD No. 4 of February 24th, 2023, the Brazilian National Data Protection Authority (ANPD in Portuguese) approved the Regulation on Dosimetry and Application of Administrative Sanctions (“Regulation”). The Regulation improves the ANPD’s administrative sanctioning process, under which it may impose penalties for non-compliance with the General Personal Data Protection Law (LGPD in Portuguese), and reinforces its supervisory role.
Articles 52 and 53 of the LGPD, in force since August 2021, list the administrative sanctions that the ANPD may apply to offenders who act contrary to the principles and provisions of the privacy law. However, for the penalties to be effectively applied, regulation of the dosimetry and of the form of application of such sanctions was still pending.
In this sense, pursuant to the provisions of art. 1 of the regulatory rule: “this regulation aims to establish parameters and criteria for the application of administrative sanctions by the National Data Protection Authority (ANPD), as well as the forms and dosimetry for calculating the base value of fine sanctions”.
The regulation establishes clear and objective requirements for the ANPD to apply the most appropriate sanctions in each concrete case of a violation of the LGPD, considering, among other aspects, the damage or loss caused to the holders of personal data. It also sets out methods, conditions, and circumstances that allow the ANPD to calculate the base value of the applicable fine in proportion to the offender’s conduct.
In this context, in order to guarantee the reasonableness and effectiveness of sanctions, the ANPD regulated the classification of infractions according to the seriousness and nature of the violations, as well as the personal rights affected. An infraction is classified as light, medium, or serious.
In the event of a violation considered serious, the fine will be up to 2% of the organization’s revenues and may reach 50 million BRL, around US$ 10 million, per violation, when the preventive or corrective measures are not met or by reason of the nature of the infringement, the processing activity, the personal data involved, and the circumstances of the specific case.
In addition to fines, the ANPD may apply other very severe sanctions to violators who do not comply with the rules of compliance and the principles of the LGPD, such as the blocking or definitive elimination of personal data improperly processed by the organization.
The regulation expressly provides for mitigating and aggravating circumstances for the sanctions imposed. Where mitigation applies, the simple fine may be reduced as a result of the cessation of the infraction, the implementation of measures capable of reversing or mitigating its effects on the holders of the affected personal data, or the implementation of a policy of good practices and privacy governance.
Thus, in any administrative inspection process, the ANPD will certainly consider whether the organization demonstrates genuine care for the preventive and effective protection of the personal data processed in its business activities, proving itself to be a transparent and diligent organization.
The publication of the ANPD dosimetry regulation further reinforces the need to comply with data protection legislation. It is an important milestone for the Brazilian authority’s sanctioning and supervisory action: the ANPD will now impose the appropriate penalties for violations of the LGPD based on clear and duly regulated methods, while guaranteeing due legal process and the adversarial principle, to provide legal certainty and transparency to the parties.
It is worth mentioning that the damage to the image and credibility of a company that demonstrates that it does not consider the protection of fundamental rights is, without a doubt, the most serious negative impact that an organization can suffer, with consequences that are often irreversible for the preservation of that company.
Finally, we emphasize that it is strongly recommended that companies intensify the process of implementing compliance with the LGPD, taking into account its basic principles and good privacy practices, in order to guarantee citizens the correct and adequate protection of their fundamental right to the protection of personal data.
The Dosimetry Regulation entered into force on the date of its publication on February 27, 2023.
The official document, in Portuguese, is available at: https://www.in.gov.br/en/web/dou/-/resolucao-cd/anpd-n-4-de-24-de-fevereiro-de-2023-466146077