• Warning: it may be applied for low and moderate level violations and does not characterize specific recurrence or whenever correctional measures are needed;
• Simple fine: it may be applied when the offender has not complied with preventive or correctional measures applied within ANPD´s deadlines; the violation is classified as high level; or whenever a different sanction is not suitable;
• Daily fine: it may be applied to ensure compliance within a specified period, with a non-pecuniary penalty or with a determination established by ANPD, or when the offender, after notification of the irregularities, fails to correct them within due time; obstructs the inspection activity ; or practices a permanent violation that has not ceased until the decision.
• Publication of the violation after its occurrence has been duly investigated and confirmed: it may be applied considering the relevance and public interest of the matter and consists of the disclosure of the violation by the offender.
• Blocking of personal data to which the violation refers to up to duly regularization: temporary suspension of any processing operation of the personal data to which the violation refers, up to the regularization of the conduct.
• Exclusion of personal data to which the violation refers: it consists of the exclusion of data stored in a database. The offender must immediately communicate the data exclusion to the treatment agents with whom he/she has shared the data, except in cases specified in the regulation.
• The partial suspension of the database operation to which the violation refers: it will be applied for a maximum period of six months, extended for an equal period until the processing activity is regularized by the controller. This penalty can only be applied if one of the other penalties, except for warning, has already been applied for the very same case.
• Suspension of the personal data processing activity to which the violation refers: it will be applied for a maximum period of six months, extended for an equal period. This penalty can only be applied if one of the other penalties, except for warning, has already been applied for the very same case.
• The exercise of activities related to partial or total ban of data processing: it consists of the partial or total ban of operations involving the personal data processing, and may be applied in cases where there is a recurrence of a violation punished with partial suspension of the database operation or suspension of the processing personal data activity; personal data processing occurs for illegal purposes or without legal support; or the offender loses or does not meet the technical and operational conditions to maintain the adequate personal data processing. This penalty can only be applied if the other sanctions, except for warning, has already been applied for the very same case.

The Regulation has also established (i.) a series of criteria to be observed in the administrative procedure; (ii.) the classification of violations; (iii.) method for calculating fines, including the incidence of aggravating and mitigating factors; (iv.) deadline for payment of fines among other factors relevant for the penalties under the LGPD application.

Regarding the calculation of fines’ amounts, the Regulation has established a specific methodology that can be accessed here, which takes into account the classification of the violation, the offender’s revenue at the last available fiscal year prior to the application of the penalty and the degree of the damage.

The maximum fines’ amounts remain limited to 2% of the revenue of the private legal entity, group or conglomerate of companies in Brazil in their last fiscal year, excluding taxes, or R$ 50,000,000.00. Minimum fines’ amounts ​​were also defined.

Considering that the Regulation is already in force and that ANPD has already all the necessary parameters to start the application of penalties, it is relevant that companies comply with the LGPD to avoid the application of the penalties and future impacts, not only under a financial point of view, but also under a reputational one.

Contact our data protection experts for further information.

O post ANPD Approves the Regulation on Dosimetry and Application of Administrative Penalties of LGPD apareceu primeiro em Souto Correa Advogados.

O post Global Data Review 2023 apareceu primeiro em Souto Correa Advogados.

Definition of Cookies

The guide defines Cookies as “files installed in a user’s device that allow the gathering of certain information, that may include personal data, to meet several purposes” and clarifies that, through the use of Cookies, it is possible, for example, to register information of a user in a certain website, such as his credit card number, his login, or a product previously added to his shopping cart.

Attribution of a Lawful Basis

According to the guide, the attribution of a lawful basis provided in the Brazilian General Data Protection Law (“LGPD”) is necessary to enable the use of Cookies. In this sense, consent and legitimate interest are the most relevant ones.

Consent 

The guide exemplifies cases in which the use of consent is not appropriate. These include:

• Strictly Necessary Cookies – since in these cases, the processing of the information is essential for the functioning of the website or service, and therefore there is no effective condition for the free manifestation of the data subject; and 

• Cookies that are strictly necessary to comply with legal obligations and duties, especially in cases with a clear and direct link between data processing through Cookies and the exercise of typical state prerogatives by public entities and bodies.

Legitimate Interest

As for legitimate interest, the guide informs that it may be employed when the use of Cookies is strictly necessary and in the case of analytical Cookies, which are responsible for measuring audience. However, in cases of Cookies used for advertising purposes, the ANPD reinforces that this lawful basis may not always be used and recommends applying the balancing test to determine the prevalence of the fundamental rights and freedoms of the data subjects concerning the legitimate interests of the controller or third parties.

Good Practices

Not exhaustively, the guide exposes good practices to be considered when setting up Cookie Banners, such as

• The provision of a button that allows rejecting all cookies that are not necessary;

• The provision of an access link for the data subjects to exercise their rights, such as obtaining details about the use of their data, the retention period, requesting the disposal of data, and revoking consent;

• The classification of Cookies into categories;

• The description of the categories of Cookies according to their uses and purposes, with a simple explanation of these purposes;

• Obtaining consent for each specific purpose;

• Disabling Cookies based on consent by default; and

• The provision of information on whether browser settings can block cookies.

Unadvised Practices 

Also, the guide lists some inadvisable practices in the elaboration of Cookies banners, for example:

• The use of a single button, with no management option, in the case of using the legal basis of consent;

• The impossibility or impediment in the visualization of the buttons to reject or configure Cookies, emphasizing the acceptance button;

• The impossibility or impediment of rejecting all Cookies that are not necessary;

• The activation of Cookies that are not necessary by default so that the user must manually deactivate them;

• The non-availability of second-level Cookie Banners;

• The failure to provide information and direct, simplified, and proper mechanisms for the exercise of the data subject’s rights to revoke consent and object to the processing of their data;

• The difficulty in managing Cookies;

• The display of information on the Cookie policy in a foreign language only;

• The display of the Cookie list in an exaggeratedly granular manner;

• Linking the obtaining of consent to the full acceptance of the conditions of use of Cookies without providing effective options to the data subject.

Although the guide deals primarily with processing personal data by Cookies in the electronic environment, its guidelines apply to processing personal data through similar tracking technologies, observing the particularity of the case in question.

Furthermore, even though the guide exposes good practices to be followed by processing agents, it is emphasized that compliance with the guidelines contained therein does not exempt agents from observing the LGPD instructions. 

Access the full guide by clicking here.

For more information, please contact our Data Protection team.

O post ANPD publishes a guide on cookies and personal data protection apareceu primeiro em Souto Correa Advogados.