On August 1, 2021 the provisions related to oversight and application of administrative sanctions for infraction of Law 13,709/2018 (General Data Protection Law – LGPD), which establishes rules for the protection of personal data of individuals, including by digital means, will take effect.
As reported in the Moreira Menezes, Martins Newsletter no. 69 (June 2020), the date when the administrative sanctions for infraction of the LGPD take effect was postponed until August 1, 2021 by Law 14,010/2020, which established the Emergency and Temporary Legal Regime of Private Law (RJET), in reaction to the COVID-19 pandemic.
The penalties defined in the LGPD for its violation apply to the controllers and/or operators that treat individuals’ personal data. The controllers are defined as all individuals or legal entities that make decisions regarding the treatment of personal data, while operators are defined as the individuals or legal entities that treat personal data on behalf of the controller.
In this scenario, Art. 52 lists the following administrative sanctions that can be applied for violation of the LGPD:
(i) warning, with indication of the deadline to adopt corrective measures;
(ii) one-time fine, of up to 2% of the gross revenue of the legal entity, business group or conglomerate in the previous financial year, excluding taxes, capped at R$ 50 million per infraction;
(iii) daily fine, with observance of the limit on the total amount defined in item (ii) above;
(iv) publication of the infraction after its occurrence has been investigated and confirmed;
(v) blocking of personal data involved in the infraction until regularization of the situation;
(vi) deletion of the personal data involved in the infraction;
(vii) partial suspension of functioning of the database involving the infraction for a maximum period of 6 months, extendable for equal periods until regularization of the treatment activity by the controller;
(viii) suspension of the activities of treating the personal data involved in the infraction for a maximum period of 6 months, extendable for equal periods; and
(ix) partial or total prohibition of the activities related to treatment of data.
According to Art. 52, § 1, the referred sanctions will only be applied after a guilty verdict in an administrative proceeding conducted by the National Data Protection Authority (ANPD). That proceeding must allow the controller and/or operator to exercise ample defense.
The provision in question also defines the parameters and criteria that must be observed by the ANPD when applying the administrative penalties, such as the gravity and nature of the violation and the personal rights affected, the recidivism of the offender, the level of damage, the good faith of the offender, and its adoption of compliance procedures aimed to assure adequate treatment of personal data in the future.
More information, along with the full text of the LGPD (in Portuguese) can be found at the website of the Presidency of the Republic (www.planalto.gov.br).