The General Personal Data Protection Law - Law no. 13.709/18 (LGPD) was published in 2018 and came into force in 2020. This deadline was given to public and private legal entities (processing agents) that collect, store or process personal data of individuals, in Brazil or abroad, to comply with the new regulations.

Initially, sanctions and administrative fines were imposed by consumer protection agencies (PROCON), the Public Prosecutor's Office, as well as labor and civil lawsuits, until the National Data Protection Authority (ANPD) began its inspection activities in 2021.

At first, the ANPD worked to raise awareness and educate data processors about the importance of applying good practices in the processing of personal data, in the pursuit of the fundamental right to informational self-determination (EC No. 115/22).

The personal data protection system was put into effect when the first administrative sanctions were applied by the regulatory agency.

The first company fined is a provider of telephony services, such as telemarketing and self-service via the messaging service WhatsApp. Because it is a micro-enterprise, the amount for each infraction was limited to 2% of its gross revenue, totaling R$7,200.00 per infraction.

The company was fined for failing to appoint the person responsible for processing personal data, as required by art. 41 of the LGPD, and for processing personal data without a legal basis: the company processed voters' personal data for the purposes of an election campaign, without the express consent of the data subjects, as required by art. 7, II, of the LGPD.

The Santa Catarina State Health Department (SES-SC) was the second public company to receive sanctions from the ANPD. Four warning sanctions were imposed for leaking personal data.

SES-SC infringed art. 49 of the General Personal Data Protection Act (LGPD) by neglecting the security of systems for storing and processing personal data, and by the lack of clarity, inadequacy and timeliness of the notice to data subjects, which was considered an infringement of art. 48 of the LGPD. In addition, the agency failed to submit the Personal Data Protection Impact Report (RIPD) requested by the Authority.

It should be noted that the sanctions imposed on companies are attributed to the lack of proper documents and procedures.

Thus, contractual compliance and the creation of standardized documents, without the implementation of effective practices, are not enough to guarantee compliance with the law and avoid sanctions.

The application of sanctions by the ANPD is an important instrument for the protection of personal data in Brazil. Companies must be vigilant in complying with the legislation to avoid the risk of administrative sanctions.

By: Juliana Bloise

Civil Law | CPDMA Team