Since August 1st, 2021, Articles 52, 53 and 54 of the Brazilian General Data Protection Law (“LGPD”), which establish administrative sanctions for violations of the Law, have been enforceable.
Article 52 provides for the following sanctions:
- warning, with indication of a term for adoption of corrective measures;
- fine of up to two percent (2%) of the revenue of the company, group or conglomerate in Brazil in the last fiscal year, excluding taxes, limited to BRL 50 million per violation;
- daily fine, subject to the limitation above;
- publishing of the violation;
- blocking of personal data relating to the violation until its regularization;
- erasure of personal data relating to the violation;
- partial suspension of the functioning of the database relating to the violation for six (6) months (extendable for an additional six months) until the regularization of the personal data processing activity;
- suspension, for the same period, of the personal data processing activity relating to the violation; and
- partial or total prohibition of personal data processing activities.
The sanctions may only be applied after an administrative proceeding conducted by the National Data Protection Authority (“ANPD”) granting the full right of defense to the personal data processing agent, who, at that moment, will be able to demonstrate (i) the adoption of policies for good practices and privacy and data protection governance; (ii) the adoption of internal mechanisms and procedures capable of minimizing the damage to the data subject; and (iii) the prompt adoption of corrective measures to prevent further similar violations.
Such criteria may serve as mitigating factors for any administrative sanction and are directly related to the companies’ data protection program, including all their documentation related to the subject, such as (i) privacy and data protection policy for data subjects who have their personal data processed by the company; (ii) incident response plan involving personal data; (iii) data retention policy; (iv) contracts with third parties that process data on behalf of the company (data processors) containing data protection provisions and definition of responsibilities; (v) data protection impact assessment reports; among others.
It is important to emphasize that ANPD will still define the methodologies that will guide the calculation of the base value of the fine. This definition will take place through its own regulation on administrative sanctions for violations of the LGPD, which shall be subject to public consultation.
It is therefore expected that, with the entry into force of the administrative sanctions and their subsequent regulation by ANPD, practices aimed at the protection of personal data in Brazil will adhere more closely to the LGPD, under penalty of administrative proceedings being initiated and administrative sanctions being imposed on those who demonstrably fail to comply with its provisions. ANPD has demonstrated that the enforcement of the LGPD will be based on dialogue, collaboration and promotion of a culture of personal data protection, although it also has, from now on, the appropriate legal means to fully enforce the LGPD.