A decision enforcing a new sanction by the Brazilian National Data Protection Authority (“ANPD” or “Brazilian DPA”) for noncompliance with the General Data Protection Law (“LGPD”) was published today in the Brazilian Official Gazette. Administrative Procedure no. 00261.001963/2022-73, involving a public entity from the state of Pernambuco as the controller, was included in the List of LGPD’s Sanctioning Administrative Procedures disclosed by the Authority last year.
In this case, the ANPD analyzed a security incident involving personal data and issued two warnings due to the failure to report the incident, as required by law, to the Brazilian DPA and the affected data subjects, as well as the inadequacy of the controller’s security measures, governance, and compliance with LGPD principles. Notably, since the controller is a public entity, fines could not be imposed.
According to the administrative sanctions enforced, the controller must individually notify the 413 data subjects involved in the incident and update the public notice available on its website, as well as implement technical and administrative security measures for traffic monitoring, record-keeping, and restricted access control to the personal data processed. Additionally, the controller must prove to the ANPD, within the deadline set in the decision, the fulfilment of such measures.
Our team is at your disposal for further clarifications and to assist with complying with LGPD and ANPD regulatory requirements.
Gustavo Flausino Coelho – gustavo@bastilhocoelho.com.br
Fernando Naegele – fernando@bastilhocoelho.com.br