The Brazilian Data Protection Authority (ANPD) issues its first Fine for Data Protection Violation

  • Market Insight 22 August 2023
  • North America

  • Data Protection & Privacy

On 6 July 2023, the ANPD issued its first fine against a small processing agent (as defined by the Brazilian Data Protection Law, “LGPD”), who in the agency’s decision violated data subjects’ rights.

The data breach

The company operates in the telemarketing sector and was the subject of a data breach administrative proceeding as a result of offering the data of thousands of citizens of São Paulo to political candidates, to be used in the mass transmission of the candidates' political campaign in 2020.

The fine

Article 52 of the LGPD states that, as a result of a late unjustified notification or of any other non-compliance with the LGPD regarding a data breach incident, the data controller may face a simple fine of up to two percent (2%) of the company’s revenues in Brazil, for the prior financial year, excluding taxes, up to a total maximum of fifty million reais (R$ 50,000,000.00) per infraction.

Given that the legal entity is of small/medium size, the value of the fine was BRL 14,400.00 (circa USD 3,000).
The calculation of the fine was also based on a new resolution from the ANPD (Resolution CD/ANPD nº 4/2023) on the parameters to ascertain the value of the penalties for data breach.

The above resolution classifies offences based on their severity, nature and the extent to which personal rights are infringed. 

The ANPD highlighted the occurrence of the following infractions in its decision:

  • Lack of legal basis for the treatment of personal data (violation of Article 7 of the LGPD). 
  • Failure to indicate a responsible party for the processing of personal data (violation of Article 41 of the LGPD). 
  • Failure to comply with the authority's requests for documents and support during the investigations into the incident (violation of Article 5 of the Inspection Regulation).


This decision established that the ANPD's jurisdiction extends to small companies as much as it does to larger corporations. 

This serves as a reminder for all businesses to approach data protection matters with unwavering care and responsibility. 

By making the sanctioning process public, companies gained a valuable opportunity to observe the evolution of administrative case law, enabling them to comprehensively assess potential risks and devise effective mitigation strategies. 

Furthermore, this transparency offers a vital avenue for challenging the ANPD's decisions if they exceed its authority under the law. 

For more information on the decision and on the Brazilian Data Protection law, please contact the authors below.

