02.03.2023

ANPD publishes regulation on administrative sanctions involving data privacy

On February 27th, 2023, the Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados – ANDP) issued CD/ANPD Resolution No. 04/2023, which approves the Regulation on Dosimetry and Application of Administrative Sanctions (“Regulation”).

The Regulation sets out the parameters and criteria for the application of pecuniary and non-pecuniary administrative sanctions by the ANPD, as well as establishing the forms and dosimetry for the application of fines sanctions.

With the edition of the Regulation, data processing agents who do not comply with the obligations set forth in Law No. 13,709/2018 (General Law for the Protection of Personal Data – LGPD) or in the regulations issued by the ANPD will be subject to the administrative penalties established in the Regulation.

The aim of the Regulation is to ensure proportionality between the sanction applied and the gravity of the conduct by the agent, stipulating correspondence between the type of infraction committed and the penalty imposed. In this respect, the infractions are classified as serious, medium or minor, as follows:

(i) Minor infractions are those that are not classified as medium or serious infractions;

(ii) Medium infractions are those in which the improper processing of data prevents or significantly limits the exercise of rights or the use of a service, or causes material or moral damages to the data subjects; and

(iii) Serious infractions are those that create obstruction to the oversight activity or that, in addition to the requirements of a medium infraction, also involve (iii.1) the processing of personal data on large scale , (iii.2) the obtainment or pretension of obtainment of an economic advantage by the offender as a result of the infraction committed; (iii.3) the risk to life of the data subjects; (iii.4) the processing of sensitive data or personal data of children, adolescents or the elderly; (iii.5) the processing of personal data in conflict with the provisions set forth in the LGPD; (iii.6) the processing of data for illicit or abusive discriminatory effects; or (iii.7) the systematic adoption of irregular practices by the offender.

The penalties imposed by the ANPD may consist of: warning, fine, publicizing the infraction, suspension of use or deletion of personal data from a given database; or the partial or total prohibition to engage in activities related to data processing.

These penalties will be applied in accordance with the peculiarities of each case, and after the exercise of full defense by the accused party. During the application of the penalties, the following criteria and parameters will be considered: (i) the gravity and nature of the infraction and of the personal rights affected; (ii) the good faith of the offender; (iii) the advantage obtained or sought by the offender; (iv) the economic condition of the offender; (v) the record of past conduct of the offender, in general or specifically; (vi) the degree of damage caused; (vii) the cooperation of the offender; (viii) the consistent and demonstrated application of internal mechanisms able to minimize the damage and ensure secure and adequate processing of data, in accordance with the LGPD; (ix) the adoption of a policy of good practices and governance involving data processing; (x) the prompt adoption of corrective measures; and (xi) the proportionality between the gravity of the infraction and the intensity of the sanction.

The Regulation took effect on the date of its publication.

More information, as well as the full text of the Regulation, can be found at the website of the ANPD (www.gov.br/anpd/pt-br).

Compartilhe:

Envie uma mensagem

Nós utilizamos cookies para melhorar a sua navegação. Ao navegar pelo site você concorda com a nossa Política de Privacidade.