Companies and public agencies that fail to comply with the law can now face the consequences
Since it came into force in September 2020, the Brazilian General Data Protection Regulation (GDPR) has raised a wide range of concerns. Here on the blog, we have already discussed the reasons to adapt to the new regulation and the importance of the DPO (Data Protection Officer) for compliance with the GDPR. Today, we will clarify another very important issue: the fines and penalties for companies that break the law.
The Brazilian GDPR, which was sanctioned in August 2018, took two years to come into force. Administrative sanctions became applicable as of August 1, 2021. This time was necessary for companies and public agencies to understand the new regulation and adapt to the changes in the treatment of personal data. The law grants rights to data subjects and imposes duties on data controllers and operators. Supervising compliance with the law and applying the respective fines and penalties are the responsibility of the ANPD.
The National Data Protection Authority (ANPD) is the public administration body responsible for ensuring compliance with the GDPR in Brazil, guaranteeing the protection of individuals’ rights to freedom and privacy. It also works in partnership with other entities, such as the National Consumer Secretariat (Senacon-MJSP), to coordinate actions like addressing consumer complaints.
On the ANPD website, individuals can, for example, file a petition against the controller of their personal data, report non-compliance with the LGPD, and report security incidents.
In case of breach of the rules provided by the law, data processing agents are subject to the following administrative sanctions, applicable by the ANPD:
- Warning, indicating the deadline for the adoption of corrective measures;
- Simple fine of up to 2% (two percent) of the legal entity’s revenue, limited, in total, to R$ 50,000,000.00 (fifty million reais) per infraction;
- Daily fine, subject to the total limit referred to in the previous item;
- Publication of the violation after its occurrence has been verified and confirmed;
- Blocking of personal data to which the violation relates until its regularization;
- Destruction of personal data to which the violation refers;
- Partial suspension of the operation of the database referred to in the infraction for a maximum period of 6 (six) months, extendable for the same period until the regularization of the processing activity by the controller;
- Suspension of the activity of processing personal data referred to in the infraction for a maximum period of 6 (six) months, extendable for an equal period;
- Partial or total prohibition of the exercise of activities related to data processing.
The fines and penalties are severe. Therefore, it is important that companies and public agencies act preventively, in order to avoid possible non-compliance with the law, and respond quickly to security incidents through efficient mechanisms. For data subjects, these punishments reinforce compliance with the GDPR and ensure greater security.
At Pryor Global, we offer DPO services. The DPO is the person in charge of personal data processing who, among other things, mediates communications between the company and the ANPD. Contact us to learn more!