Search for:

In brief

On 6 July 2023, the Brazilian National Data Protection Authority (ANPD) issued its first sanction for non-compliance with the Brazilian General Data Protection Law (LGPD). The ANPD’s General Supervision Coordination (CGF/ANPD) determined the penalties in conclusion to the administrative sanctioning process against a small business entity (microempresa – “Company”), due to violation of articles 7 and 41 of the LGPD, and article 5 of Resolution CD/ANPD No. 1/2021.


In depth

The administrative proceeding was introduced on 28 February 2021 and began due to a complaint that the Company was offering a list of contacts of voters in Ubatuba/SP, in the context of the 2020 Municipal Election, through a messaging app. The proceeding initiated by CGF, which requested documents and clarifications to the Company, in order to better understand the composition and functioning of its database, as well as who was the Encarregado (similar to DPO) responsible for its activities.

Despite the opportunities for clarification, CGF understood that the Company did not provide satisfactory responses. As such, the Administrative Sanctioning Process No. 00261.000489/2022-62 was instated. The Company was notified of the infraction notice and presented its defense on 04 August 2022. The sanctioning decision was published in the Federal Official Journal (DOU) on 06 July 2023, of which the following main points below are highlighted:

  1. ANPD classified the Company as a data controller, considering it as the legal entity responsible for decisions related to the processing of personal data. This was due to the activities of building a database and offering it to its customers.
  2. It was recognized that the Company did not appoint the Encarregado in due time, with said appointment occurring solely after the Company presented its defense. As such, ANPD considered that the Company violated article 41 of the LGPD.
  3. The ANPD understood that the Company was idle in answering the official requests, not providing documents and information in the first opportunity. As a result, ANPD considered that the Company violated article 5 of Resolution CD/ANPD No. 1/2021, which determines the processing agents to provide to the ANPD copies of relevant documents and information, as required by the authority to conduct the analysis of the case. The lack of compliance of this requirement was considered an obstruction to the authority inspection activities and it was characterized as a severe violation.
  4. The Authority observed that there was a secondary use of manifestly public data by the Company, with no appropriate legal basis for said processing. In addition, the ANPD considered that there was an intention to obtain economic advantage through these processing activities and, therefore, the Company was considered to have infringed article 7 of the LGPD, which lists all legal bases for processing personal data.
  5. Regarding the absence of a legal basis, the ANPD highlighted the need for transparency (to the data subjects) in the processing activities of publicly available personal data, which did not occur in this case, as there was no transparency to data subjects regarding how their data was being processed. With this, the Authority emphasized the need to take special care for the adoption of the legitimate interest as legal basis and, hence, rejected, in this case, the possibility of appointing the legitimate interest as legal basis for purposes other than the original purposes for which the personal data was originally made public by the data subject.
  6. In addition, the ANPD made public the full report that provided grounds for its sanctioning decision. 

As such, the ANPD decided to sanction the Company with a warning and two simple fines. Since the Company is classified as a small business entity, the LGPD limits the fine to 2% of revenue and, thus, the Company must pay the amount of BRL 7,200 for each fine, totaling BRL 14,400 (approximately USD 2,986).

This is an extremely important decision as it is the first case of a sanction imposed by the ANPD for non-compliance with the LGPD, since this decision serves as an indication of how ANPD will handle similar cases, including for companies of different sizes.

Our data protection team is following the updates on the subject and is available to answer any questions related to the ANPD’s decision and regulation of the LGPD.

* * * * *

LOGO_TrenchRossiWatanabe_Brazil

Trench Rossi Watanabe and Baker McKenzie have executed a strategic cooperation agreement for consulting on foreign law.

Author

Flavia Rebello joined the Firm in 1999. She is a partner in the Intellectual Property, Technology and Data Protection Team. Her practice includes data protection, licensing, sourcing and transactions, franchising and e-commerce and Internet. She has a wide breadth of experience in drafting, negotiating and reviewing agreements involving intellectual property, including supply of technology, trademark license, patent license, franchise, copyright license, software license and distribution, SaaS outsourcing. She also has expertise in data protection and privacy issues, including implementation projects, review of policies, and data breaches. Legal advice in various aspects of e-commerce, Internet and social media.
*Trench Rossi Watanabe and Baker McKenzie have executed a strategic cooperation agreement for consulting on foreign law.

Author

Flavia Amaral is a Partner at Trench, Rossi e Watanabe Advogados, Sao Paulo office.
*Trench Rossi Watanabe and Baker McKenzie have executed a strategic cooperation agreement for consulting on foreign law.

Write A Comment