Brazil: ANPD Applies First Penalty For Violation Of The General Data Protection Law

In a recent decision published on July 6, 2023, the Brazilian Data Protection Authority ("ANPD") applied its first administrative sanction to a micro-enterprise for non-compliance with the provisions of Law No. 13,709/18, Brazilian General Data Protection Law ("LGPD").

After the disclosure of the administrative sanctioning process and the conclusion of its instruction phase, the ANPD applied the administrative penalty due to non-compliance with the obligations set forth in the LGPD. In its decision dispatch, the ANPD presented the following justifications:

• (a) The microenterprise was cautioned for not appointing a Data Protection Officer, as required by Article 41 of the LGPD. According to the ANPD's interpretation, due to the high-risk processing of personal data, the microenterprise could not benefit from the differentiated legal treatment, as stated in Article 4 of CD/ANPD Resolution No. 2, and should have appointed a Data Protection Officer.
• (b) Due to the non-compliance with Article 7 of the LGPD, regarding the absence of a legal basis to justify the conducted processing of personal data, a fine of seven thousand and two hundred Brazilian reais R$ 7,200.00 was imposed.
• (c) Furthermore, due to the non-compliance and failure to meet the ANPD's requests, as provided for in Article 5 of CD/ANPD Resolution No. 01/2021, which regulates the inspection process and administrative sanctioning process ("Regulation"), a fine of seven thousand and two hundred (R$ 7,200.00) was applied.

Thus, the total value of the penalties applied by the ANPD was fourteen thousand and four hundred reais (R$ 14,400.00). In the case that the microenterprise does not appeal the decision, a reduction of twenty-five percent (25%) in the total amount of the fine will be applied, according to the terms of articles 17 and 18 of the aforementioned Regulation.

The advancements in the activities of the ANPD demonstrate its commitment and diligence in safeguarding the rights and guarantees provided by the LGPD. Once again, it is emphasized the importance of processing agents adopting a proactive stance to ensure compliance with the law and mitigate potential penalties resulting from non-compliance with the obligations stated in the LGPD.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.