On February 27, 2023, the Brazilian Data Protection Authority ("ANPD") published Resolution CD/ANPD No. 4, presenting the long-awaited Dosimetry and Administrative Sanctions Regulation, in addition to submitting amendments to the Inspection Process and Sanctioning Administrative Procedure Regulation.

The regulation addresses the application of the provisions of Articles 52 and 53 of Federal Law No. 13709/18 ("the Brazilian Data Protection Law" or "LGPD"), which establishes administrative sanctions that the ANPD may impose after the inspection and sanctioning process due to non-compliance with the LGPD.

Its objective is to define the criteria and parameters to be considered by the ANPD for the application and dosimetry of sanctions, guaranteeing supervised processing agents the right to due process and to adversarial proceedings. Because the regulation takes effect immediately, the ANPD may now apply the sanctions provided by the law, which previously lacked the regulation needed for their application.

Below, we present the main points of the Dosimetry and Application of Administrative Sanctions Regulation and the amendments to the Inspection Process and Sanctioning Administrative Procedure Regulation.

1. DOSIMETRY AND APPLICATION OF ADMINISTRATIVE SANCTIONS REGULATION

With the publication of the Dosimetry and Administrative Sanctions Regulation, the ANPD establishes under what circumstances the sanctions described in the LGPD will be applied, which are:

Types of penalties:

  • Warning;
  • Simple fine, up to two percent (2%) of the company's revenue, limited to fifty million reais (BRL 50,000,000.00) for each infringement;
  • Daily fine, with a limit of fifty million reais (BRL 50,000,000.00);
  • Publicized infringement;
  • Blocking of personal data;
  • Deletion of personal data;
  • Partial suspension of database operations for a maximum of six (6) months, extendable for the same period, until the situation is remedied;
  • Suspension of personal data processing for a maximum of six (6) months, extendable for the same period;
  • Partial or total prohibition from carrying out its activities related to data processing.

Types of infringement: the ANPD divided the infringements into degrees of Minor, Moderate, and Severe, establishing objective criteria for the categorization of each type of infringement, and informing for which types of infringement each penalty can be applied.

– Minor infringements: situations that are not considered moderate or severe infringements.

– Moderate infringements: situations in which the data subject's interests and fundamental rights are affected, characterized by situations when the processing activity can significantly prevent or limit the exercise of rights or the use of a service, as well as cause material or moral damage to the data subjects, such as discrimination; bodily harm; the right to privacy and reputation; fraud or misapplication of identity, provided that they are not classified as Severe.

– Severe infringements: situations when Moderate infringements are verified, cumulatively to one of the following situations: (i) involvement of large-scale processing of personal data, characterized when covering a significant number of data subjects, also considering the volume of data involved, as well as the duration, frequency and geographical extent of the performed processing activity; (ii) the infringing party gains or intends to gain economic advantage as a result of the infringement committed; (iii) involves a risk to the lives of the data subjects; (iv) involves processing sensitive data or personal data of children, adolescents or the elderly; (v) the infringing party performs processing of personal data without being subjected to one of the legal basis provided for in the LGPD; (vi) the infringing party performs processing activities with unlawful or abusive discriminatory effects; or (vii) the infringing party is verified to have systematically adopted irregular practices; or situations that may constitute obstruction of the inspection activity.

Definition of the penalty imposed: for some sanctions, the ANPD has defined the type of infringement to which the penalty should be applied. This is the case of the Warning, which should be applied when (i) the infringement is Minor or Moderate and does not characterize specific recurrence; or (ii) there is a need to impose corrective measures. It is also the case of the Simple Fine, which should be applied when (i) the infringing party has not fulfilled the preventive or corrective measures imposed on them, within the established deadlines, when applicable; (ii) the infringement is classified as Severe; or (iii) due to the nature of the infringement, the processing activity or personal data, and the circumstances of the specific case, it is not appropriate to apply another sanction.

The Regulation sets forth the mitigating and aggravating circumstances that will be considered by ANPD in the sanctioning process, in accordance with articles 12 and 13 of the Regulation.

Furthermore, it was established that the fine must be paid within 20 (twenty) business days from the notification of the decision to apply the sanction, except for small-scale processing agents, who will have a period of 40 days.

For all other sanctions not mentioned above, the ANPD merely informed what the characteristics of the sanction are and, in some cases, the situations that would warrant such application, without indicating whether they would apply to Minor, Moderate, or Severe infringements.

Definition of the amount of the fine: the ANPD has established in the Regulation how the base value of the Simple Fine is defined for each infringement committed, and the following elements should be taken into account according to the methods included in the Appendix to the Regulation: (i) the classification of the infringement (whether Minor, Moderate, or Severe); (ii) the invoicing of the infringing party in the last available fiscal year before the application of the sanction; and (iii) the degree of the damage.

Recurrence: It is important to note that in the case of recurrences, which are grouped as generic or specific, the ANPD established that the fine could incur an aggravating rate, increasing from 20% (twenty per cent) to 30% (thirty per cent), and it can accumulate up to 90% (ninety per cent) of its total value. Generic recurrences occur when the same infringing party does not comply with some legal or regulatory standard, regardless of which, in the same period. Alternatively, specific recurrences occur when the same agent does not comply with the same rule within five years, counted from the date of the final judgment in court until the date of the new infringement.

2. SUPERVISORY PROCEDURE AND SANCTIONING ADMINISTRATIVE PROCEDURE REGULATION

The following changes were made to the Inspection Process and Sanctioning Administrative Procedure Regulation:

Sanctions for non-compliance with preventive measures: the ANPD has included in the process the provisions on cases of non-compliance with preventive measures, in which case (i) the ANPD may adopt other measures or act in a more repressive manner; (ii) non-compliance will be considered an aggravating factor in the event of administrative proceedings.

The ANPD Oversight Body (Coordenação-Geral de Fiscalização) decision-making phase: the procedure now includes specifying the obligation to do or not to do regarding (i) the deadline for execution and demonstration of compliance with the measure; (ii) the amount of the fine and the payment deadline.

Rehearing judgment: the process now requires the ANPD Oversight Body to carry out an admission analysis of the general assumptions before accepting the appeal and submitting it to the Board of Directors.

The punitive nature of the sanctions provided for in the LGPD further reinforces the importance of ensuring compliance with the Law. This continuous process is necessary to keep up with all updates and changes to the internal organizational processes of Data Processing Agents involving Data Subjects.
