Publications

Brazilian Data Protection Authority applies its first sanction based on the LGPD

Brazilian Data Protection Authority applies its first sanction based on the LGPD

In an order made available on the Federal Gazette on July 07, the National Data Protection Authority (ANPD) applied its first sanction targeting a Brazilian company for violation of the General Data Protection Law (LGPD).

This has been also considered the first concrete enforcement decision based on the Regulation on the Measurement and Enforcement of Administrative Sanctions by the ANPD, which establishes the rules and proceedings for the ANPD’s supervisory and sanctioning processes. More information regarding the so-called ANPD dosimetry rule is available on the guidebook prepared by L.O. Baptista’s Privacy and Data Protection teams.

The defendant is Telekall Inforservice Ltda, a small-enterprise carrying out activities within telemarketing industry, the only private entity on the list of the administrative proceedings initiated by the ANPD in the year 2022. Further cases handled by ANPD involve public administration entities and can be also accessed here.

Telekall was under investigation and was subject to sanctions for failing to:

According to the administrative decision issued by ANPD, Telekall was considered in breach of Articles 7 and 41 of the LGPD and Article 5 of the Resolution CD/ANPD No. 1/21, which correspond to the following inconsistent practices:

Based on those practices above, the ANPD imposed the following sanctions on the company:

The company was ordered to pay a fine equivalent to BRL 14,400 (approx. USD 3,005). However, in the event the company expressly waives the right to appeal the decision and makes the payment within the deadline set by the ANPD, the total amount of the fine will enjoy a 25% reduction (Art. 18 of the Regulation), totalizing BRL 10,800 (approx. USD 2,254).

If the company does not comply with the decision issued by ANPD, the administrative process will be forwarded to the ANPD Specialized Unit for purpose of the execution of the fine amounts. There is a penalty of registering a non-compliant company with public records as to an overdue tax liability, as well as to the Information Records on Outstanding Credits of the Federal Public Sector (Cadin).

Global overview

The recent ANPD’s actions in sanctioning data controllers and processors are aligned with a global movement of data protection authorities towards establishing remedial or preventive measures aiming at ensuring an adequate level to compliance with privacy and data protection standards by public and private entities across the globe.

In Europe, high fines are increasingly recurrent, especially within telecommunications sector. In a recent decision, the Spanish Data Protection Authority (AEPD) ordered Telefónica to pay a fine equivalent to € 15,000 (approximately BRL 80,000) for lacking legitimate interest, i.e. absence of legal basis for the processing of personal data, as it occurred in the case handled by the Brazilian ANPD.

It remains to be seen whether the Brazilian ANPD will follow the recent trends in Europe as to heavy fines – mainly in the EU and UK- and be more inclined to raise the correspondent amounts considered for upcoming fines imposed against data controllers and processors. Another indicator to be collected from the ongoing – and upcoming – cases handled by ANPD will be related to still lower (or potentially increasing) number of private entities under supervision and regulatory scrutiny in Brazil.

Access the guide “Global Indicators of National Data Protection Authorities in Sanctioning Processes involving Processing Agents” in case you want to learn more about the performance of national data protection authorities around the world. This guide is in its second edition and was edited by L.O.Baptista’s Privacy and Data Protection teams, led by partners Esther Jerussalmy Cunha and Fabricio Polido.

The decision can be considered a milestone in the concrete enforcement of the sanctions established in the LGPD and the ANPD regulation. The fact that the sanction was applied to a small business reveals that the ANPD has been proactively monitoring not only the large data processing agents in the market, but also the small ones. Therefore, companies operating in Brazil or processing personal data from data subjects in Brazil must be aware of the evolving landscape of data privacy enforcement and make efforts to comply with the LGPD´s main obligations related to data processing activities.

Our Privacy and Data Protection teams remain available to all clients and partners for any clarifications and assistance on the subject.

Coauthors: Ana Carolina Gontijo and Carolina Britski Puga

Related Posts
Tags