top of page

Personal data violations become subject to administrative penalties in Brazil

Updated: Sep 22, 2021

At last, the General Data Protection Law (LGPD) reached its full effectiveness, with the coming into force, on August 1, 2021, of administrative sanctions. These sanctions, to be applied by the National Data Protection Authority (ANPD), in case of non-compliance, are as follows:

  • warning, indicating the deadline for taking corrective measures.

  • simple fine of up to 2% (two percent) of the revenue of the company, group or conglomerate in Brazil in its last fiscal year, excluding taxes, limited, in total, to R$ 50,000,000.00 (fifty million reais) per infraction.

  • daily fine, observing the total limit referred above.

  • publicizing the infringement after it has been properly investigated and confirmed.

  • blocking of the personal data to which the infringement refers until its regularization.

  • deletion of the personal data to which the infringement refers.

  • partial suspension of the functioning of the database related to the infringement refers for a maximum period of 6 (six) months, extendable for an equal period, until the regularization of the processing activity by the controller.

  • suspension of the exercise of data processing activities related to the infringement for a maximum period of 6 (six) months, extendable for an equal period.

  • partial or total prohibition of the exercise of activities related to data processing.

Sanctions will be applied after administrative procedure that ensures full opportunity of defense gradually, isolated or cumulatively, according to the peculiarities of the specific and considering the following parameters and criteria:

  • the seriousness and nature of the violations and affected personal rights.

  • the offender's good faith.

  • the advantage gained or intended by the offender.

  • the economic condition of the offender.

  • the recurrence.

  • the degree of damage.

  • the offender's cooperation.

  • the repeated and demonstrated adoption of internal mechanisms and procedures capable of minimizing damage, aimed at the safe and adequate treatment of data, in accordance with the provisions of the LGPD.

  • the adoption of good practices and governance policy.

  • prompt adoption of corrective measures; and

  • the proportionality between the seriousness of the offense and the intensity of the sanction.

It is important to point out, the application of penalties provided for in the LGPD does not replace the application of administrative, civil or criminal sanctions defined in the Consumer Defense Code or other specific legislation.

Currently, the ANPD is holding public hearings to discuss the draft resolution that provides for the inspection and application of sanctions by ANPD.

By Renata Ciampi and Fernando Stacchini

Technology, Intellectual Property, Digital Law and Data Privacy team - Motta Fernandes

25 views0 comments


bottom of page