Alerts
Publication of the First Sanction Imposed by the Brazilian National Data Protection Authority
Today (July 6, 2023), the first administrative sanction imposed by the National Data Protection Authority (“ANPD”) was published in the Official Gazette of the Union (DOU). The sanction was imposed by the Inspection Coordination of the ANPD on a microenterprise of the private sector of the telemarketing industry for non-compliance with the rules set forth in Law 13,709/14 (Brazilian General Data Protection Law – “LGPD”).
What triggered the ANPD investigation?
According to a previously issued report by the ANPD on companies undergoing sanctioning processes, the investigation was initiated to assess the following: lack of evidence of legal basis; absence of records of operations; failure to submit a Data Protection Impact Assessment (DPIA or RIPD); absence of a Data Protection Officer (DPO or “Encarregado”); and non-compliance with ANPD’s requests.
However, access to the proceedings has not been granted yet, preventing us from fully understanding the rationale and criteria adopted by the ANPD.
What sanctions were imposed and their reasons?
| Penalty | Triggering Event |
| Warning | Non-appointment of a Data Protection Officer (Article 41 of the LGPD) |
| A Simple fine of R$ 7,200.00 BRL | Non-indication of a legal basis for data processing (Article 7 of the LGPD) |
| A Simple fine of R$ 7,200.00 BRL | Violation of ANPD’s inspection rules (Article 5 of the ANPD Inspection Regulation) |
Total fines: 14,400.00 BRL
What can be concluded after the first fine imposed by the ANPD?
It is still too early to draw a definitive conclusion regarding this matter. However, by strictly examining the content of the sanctions imposed and the monetary value, it can be seen that the ANPD has complied with expectations, which include considering the size of the company when determining the fine amount. What is certain is that the authority has initiated its sanctioning role, paving the way for future penalties.
