The administrative penalties provided by the Brazilian General Data Protection Law -LGPD, regarding the sanctions to data agents that fail to comply with the LGPD, have entered into effect on August 1st, 2021.
Although the LGPD is in effect since September 2020, articles 52, 53 and 54, providing specifically about the administrative penalties for LGPD’s infractions only now entered into effect. The administrative sanctions that might be applied are:
(i) warning, with an indication of the time period for adopting corrective measures;
(ii) disclosure and publicization of the infraction;
(iii) deletion of the personal data to which the infraction refers to;
(iv) blocking of the personal data to which the infraction refers to until its regularization;
(v) fine of up to two percent (2%) of company’s revenues in Brazil, for the prior financial year, up to a total maximum of fifty million reais (R$ 50,000,000.00) per infraction;
(vi) daily fine, subject to the total maximum of fifty million reais (R$ 50,000,000.00);
(vii) partial suspension of the operation of the database related to the infraction for a maximum period of 6 (six) months, extendable for the same period, until the normalization of the processing activity by the controller;
(viii) suspension of the personal data processing activity related to the infraction for a maximum period of 6 (six) months, extendable for the same period; and
(ix) partial or total prohibition of activities related to data processing.
The administrative sanctions will be applied according to the LGPD criteria, such as the severity of the infraction, the offender’s cooperation and advantage obtained or intended, its recurrence and the existence and extension of good practices and governance policies. Furthermore, please note that the sanctions provided in items “vii”, “viii” and “ix” will only be applicable after at least one of the other provided sanctions are applied to the same case.
The severity of the infraction and the damage cause will also be important when defining the daily fines’ values, which shall be grounded by the National Data Protection Authority – ANPD, agency responsible for, among other functions, analyze the LGPD’s infractions and apply the penalties. Please note that the ANPD can and shall provide subsidiary rules to the LGPD, such as the methodologies for the calculation of the base values of the fines
Our team is at your disposal for further clarifications, as well as to provide assistance with the procedures for fulfilling LGPD and/or ANPD regulatory obligations.
Gustavo Flausino Coelho – email@example.com
Fernando Naegele – firstname.lastname@example.org