ANPD publishes regulation on the calculation and application of administrative sanctions

February 27th, 2023

On February 27, 2023, the Brazilian National Data Protection Authority (“ANPD”) published, through Resolution CD/ANPD nº 4, the regulation on the calculation and application of administrative sanctions (“Resolution”).

The Resolution establishes the criteria and parameters for the application of both financial and non-financial sanctions as well as the forms and calculation method for the base value of financial sanctions. In addition, the Resolution amends and introduces new provisions for the sanctioning administrative proceeding provided for in the Regulation of the Inspection and Sanctioning Administrative Proceedings (CD/ANPD Resolution No. 1).

The possible sanctions are:

i. a warning;

ii. a simple fine, of up to two percent (2%) of the company’s revenues, limited, in total, to fifty million reais (BRL 50,000,000.00), per infraction;

iii. a daily fine, with a total limit of fifty million reais (BRL 50,000,000.00);

iv. publicizing the infraction;

v. blocking of personal data;

vi. deletion of personal data;

vii. partial suspension of database operation for a maximum of six (6) months, extendable for an equal period, until the situation is rectified;

viii. suspension from the activity of processing personal data for a maximum of six (6) months, extendable for an equal period; and

ix. partial or total prohibition from carrying out activities related to data processing.

According to the Resolution, infractions can be classified as low, medium or serious.

The infractions will be considered serious when they encompass the requirements of a medium infraction, combined with one of the following requirements:

i. processing of personal data on a large scale;

ii. the offender earns or intends to gain economic advantage as a result of the committed infraction;

iii. the infraction implies risk to the life of the data subjects;

iv. the infraction involves the processing of sensitive personal data or personal data of children, adolescents or elderly people;

v. the offender processes personal data without the support of one of the legal bases provided in the LGPD;

vi. the offender performs the processing of personal data with illicit or abusive discriminatory effects; or

vii. proven systematic adoption of irregular practices by the offender.

The infraction will also be considered serious when there is obstruction to the inspection activity of the ANPD.

Infractions that significantly affect the interests and fundamental rights of the data subjects will be considered medium, characterized by situations in which the processing activity can significantly prevent or limit the exercise of rights or the use of a service, as well as cause material or moral damages to the data subjects, such as discrimination, violation of physical integrity, violation of the right to image and reputation, financial fraud, or misuse of identity, as long as it is not classified as serious.

As a result, the Resolution considers infractions that are not classified as medium or serious to be low.

 

Application of financial sanctions

Simple Fine

ANPD will apply the sanction of a simple fine:

i. when the offender has not complied with the preventive or corrective measures imposed on him, within the established deadlines;

ii. when the infraction is classified as serious; or

iii. when, due to the nature of the infraction, the processing activity or personal data, and the circumstances of the specific case, it is not appropriate to apply another infraction.

In order to calculate the base value of the simple fine, some elements will be considered, such as:

i. the classification of the infraction;

ii. the offender’s revenue in the last fiscal year; and

iii. the degree of damage.

Aggravating and mitigating circumstances, provided in articles 12 or 13, which can increase or decrease the amount of the fine, will also be considered. For example, the ANPD may reduce the amount of the fine by 20% in cases where the offender has implemented good practices and governance policies or repeatedly adopted internal mechanisms and procedures capable of minimizing damage to the data subjects, aimed at the safe and appropriate processing of personal data, until a trial court decision of the sanctioning administrative proceeding is rendered.


Daily Fine

A daily fine will be applied when:

i. it is necessary to ensure compliance, within a certain period, with a non-financial sanction or determination established by the ANPD,

ii. even after being notified of irregularities that have been carried out, the offender fails to regularize them within the established period,

iii. the offender obstructs inspection activities, provided that the application of a daily fine is necessary to clear it, or

iv. the offender is involved in a permanent infraction that does not cease until a decision is rendered.

The application of the daily fine will also comply with the total limit of fifty million reais (BRL 50,000,000.00) per infraction, the classification of the infraction and the degree of damage.


Payment of Financial Sanction

The sanction must be paid within a period of up to twenty (20) business days, counted from the official acknowledgment of the decision to apply the sanction. Small processing agents are given a double payment term.

The offender who waives the right to appeal the trial court decision will be entitled to a 25% reduction on the amount of the fine imposed, provided that the payment is carried out within the period of 20 business days.

The collection of fines imposed by the ANPD will be allocated to the Fund for the Defense of Diffuse Rights, which aims to repair damage caused to the environment, the consumer, goods and rights of artistic, aesthetic, historical, touristic, landscape value, by violation of the economic order and other diffuse and collective interests.


What can we expect from the ANPD?

The Resolution entered into force on February 27, 2023, and the ANPD can now apply administrative sanctions to data processing agents who commit infractions. The sanctions will only be applied after the conclusion of an administrative proceeding based on a decision provided by the ANPD, ensuring the right to full defense, adversarial proceedings and due process of law.

Demarest’s Privacy, Technology and Cybersecurity team is available to provide any further clarifications that may be necessary.

 

