ANPD Approves the Regulation on Dosimetry and Application of Administrative Penalties of LGPD

The Brazilian National Data Protection Authority (“ANPD”) yesterday published Resolution CD/ANPD No. 4, of February 24, 2023, which approves the long-awaited Regulation on Dosimetry and Application of Administrative Penalties (“Regulation”).

The Regulation aims to establish parameters and criteria for the application of administrative penalties by ANPD, as well as the methods and dosimetry for calculating the base value of fines.

In addition to the inclusion of certain definitions, the Regulation defined and established criteria for the administrative penalties provided for in article 52 of the LGPD, as summarized below:

  • Warning: it may be applied for low- and moderate-level violations that do not constitute specific recurrence, or whenever corrective measures are needed;
  • Simple fine: it may be applied when the offender has not complied with preventive or corrective measures within ANPD's deadlines; when the violation is classified as high level; or whenever a different sanction is not suitable;
  • Daily fine: it may be applied to ensure compliance, within a specified period, with a non-pecuniary penalty or with a determination established by ANPD, or when the offender, after notification of the irregularities, fails to correct them in due time; obstructs the inspection activity; or commits a permanent violation that has not ceased by the time of the decision.
  • Publication of the violation after its occurrence has been duly investigated and confirmed: it may be applied considering the relevance and public interest of the matter and consists of the disclosure of the violation by the offender.
  • Blocking of the personal data to which the violation refers until its due regularization: temporary suspension of any processing operation involving the personal data to which the violation refers, until the conduct is regularized.
  • Exclusion of the personal data to which the violation refers: it consists of the exclusion of data stored in a database. The offender must immediately communicate the data exclusion to the processing agents with whom he/she has shared the data, except in cases specified in the regulation.
  • Partial suspension of the operation of the database to which the violation refers: it will be applied for a maximum period of six months, extendable for an equal period, until the processing activity is regularized by the controller. This penalty can only be applied if one of the other penalties, except for warning, has already been applied for the very same case.
  • Suspension of the personal data processing activity to which the violation refers: it will be applied for a maximum period of six months, extendable for an equal period. This penalty can only be applied if one of the other penalties, except for warning, has already been applied for the very same case.
  • Partial or total ban on the exercise of activities related to data processing: it consists of the partial or total ban of operations involving personal data processing, and may be applied in cases where there is a recurrence of a violation punished with partial suspension of the database operation or suspension of the personal data processing activity; personal data processing occurs for illegal purposes or without legal support; or the offender loses or does not meet the technical and operational conditions to maintain adequate personal data processing. This penalty can only be applied if the other sanctions, except for warning, have already been applied for the very same case.

The Regulation has also established (i) a series of criteria to be observed in the administrative procedure; (ii) the classification of violations; (iii) the method for calculating fines, including the incidence of aggravating and mitigating factors; and (iv) the deadline for payment of fines, among other factors relevant to the application of penalties under the LGPD.

Regarding the calculation of fine amounts, the Regulation has established a specific methodology that can be accessed here, which takes into account the classification of the violation, the offender’s revenue in the last available fiscal year prior to the application of the penalty and the degree of the damage.

The maximum fine amounts remain limited to 2% of the revenue of the private legal entity, group or conglomerate of companies in Brazil in their last fiscal year, excluding taxes, or R$ 50,000,000.00. Minimum fine amounts were also defined.

Considering that the Regulation is already in force and that ANPD already has all the necessary parameters to start applying penalties, it is important that companies comply with the LGPD to avoid penalties and future impacts, not only from a financial point of view, but also from a reputational one.

Contact our data protection experts for further information.
