News
Brazilian DPA can start to apply fines now
After two years of the law in force, and a countless actions to ensure compliance with the data protection regulation in Brazil, the parameters and criteria for applying fines of LGPD (Brazilian General Law of Personal Data Protection) were finally defined.

Last February 24th, due to the Resolution nº 4, the National Data Protection Authority (ANPD) established the rules for the calculation of severity levels related to data breach and other personal data violations, to start the execution of administrative sanctions, which was missing point to apply the fines.
The main purpose to establish a dosimetry approach aims to point out proportionality criteria between the infraction and the measure adopted by ANPD, which includes three tiers of penalty for an infringement, according to the severity. It also sets out aggravating and mitigating circumstances that will be taken into account in arriving at a fine, as well as a mathematical formula for assessing the amount of fines imposed.
Although, they intended to be effective, proportionate and dissuasive, and will be decided on a case by case basis. The practical implications are to enable the initiation of penalties by the ANPD.
Since the law came into force, in September 2020, there are many cases being conducted by Authority's administrative procedures - there have already been more than seven thousand reports of complaints related to personal data-violation until March 2023 last report of ANPD. Because it is an extremely detailed law, the institutions have been preparing themselves in so different ways for this moment. Traditionally in Brazil, the law effectiveness only happens with the possibility to impose a fine.
This is a major advance in achieving a culture of privacy and data protection in Brazil. Those who had already implemented security programs should review the standards and procedures, paying attention to possible updates. For those who have not yet started, it is high time to invest in LGPD compliance actions.
Details of Resolution #4
It is important to note that the Resolution nº 4 is applicable both for infractions before its publication date and for future infractions, which means that administrative proceedings already underway before the ANPD will be based on the published rules. From now on it is expected that the first decisions regarding sanctions will be issued, including the publication of infractions - as provided in article 52 of LGPD.
Another point of attention is that some concepts were not well defined, which may generate a trend to judicialization of its decisions - as in the case of serious infringements. There was an expectation of greater objectivity, but the ANPD ended up not providing a more detailed definition of what is considered large-scale processing, leaving a subjective definition, such as a significant number of users and volume of data, without more assertive parameters. The standard talks about a 'significant number of affected data subjects'. But it does not stipulate a percentage of the total data subject base.
A positive aspect was the provision for the hearing of other sector regulators at the time of instruction, which reduced the risk of divergent understandings and increases the alignment between Authorities. Otherwise, there is a great concern related to the possible application of fines calculated considering the total revenue of the Economic Group of Enterprises.
Regulatory agencies, such as CADE (Administrative Council for Economic Defense), Anatel (National Telecommunications Agency), Aneel (Brazilian Electricity Regulatory Agency), will be heard in the processes of companies whose sectors are regulated, since the same case may have different interpretations. But the ANPD continues to have the priority of conducting and deciding, and will hear to the entity about the impacts of a sanction on the market.
It is also worth mentioning that the best practices policy generates mitigating factors. For example, it is possible to have a fine discount of up to 20% if the application of best governance practices is demonstrated. Many companies have started to implement their Privacy and Data Protection programs since 2018, but as time goes by there ends up being a certain cooling or even interruption or lack of continuity of actions. Therefore, it is extremely important to update the LGPD Program and keep the Privacy Committee active, a role that is usually played by the Data Protection Officer (DPO).
Therefore, one of the expected results with the valorization of governance measures as mitigation is to contribute to DPOs gaining space, relevance, priority in the executive agenda, budget, so that they give continuity to the compliance program. In addition to having to comply with the LGPD, it becomes a good shield when faced with an inspection. For this purpose, it is necessary to maintain educational campaigns, data protection committee, regular meetings, and generate minutes. It is an ongoing program, not a project.
Article provided by INPLP members: Patricia Peck and Lorena Botelho (Peck Advogados, Brazil)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)
News Archiv
- Alle zeigen
- Jänner 2025
- Dezember 2024
- November 2024
- Oktober 2024
- September 2024
- August 2024
- Juli 2024
- Juni 2024
- Mai 2024
- April 2024
- März 2024
- Februar 2024
- Jänner 2024
- Dezember 2023
- November 2023
- Oktober 2023
- September 2023
- August 2023
- Juli 2023
- Juni 2023
- Mai 2023
- April 2023
- März 2023
- Februar 2023
- Jänner 2023
- Dezember 2022
- November 2022
- Oktober 2022
- September 2022
- August 2022
- Juli 2022
- Mai 2022
- April 2022
- März 2022
- Februar 2022
- November 2021
- September 2021
- Juli 2021
- Mai 2021
- April 2021
- Dezember 2020
- November 2020
- Oktober 2020
- Juni 2020
- März 2020
- Dezember 2019
- Oktober 2019
- September 2019
- August 2019
- Juli 2019
- Juni 2019
- Mai 2019
- April 2019
- März 2019
- Februar 2019
- Jänner 2019
- Dezember 2018
- November 2018
- Oktober 2018
- September 2018
- August 2018
- Juli 2018
- Juni 2018
- Mai 2018
- April 2018
- März 2018
- Februar 2018
- Dezember 2017
- November 2017
- Oktober 2017
- September 2017
- August 2017
- Juli 2017
- Juni 2017
- Mai 2017
- April 2017
- März 2017
- Februar 2017
- November 2016
- Oktober 2016
- September 2016
- Juli 2016
- Juni 2016
- Mai 2016
- April 2016
- März 2016
- Februar 2016
- Jänner 2016
- Dezember 2015
- November 2015
- Oktober 2015
- September 2015
- August 2015
- Juli 2015
- Juni 2015
- Mai 2015
- April 2015
- März 2015
- Februar 2015
- Jänner 2015
- Dezember 2014
- November 2014
- Oktober 2014
- September 2014
- August 2014
- Juli 2014
- Juni 2014
- Mai 2014
- April 2014
- März 2014
- Februar 2014
- Jänner 2014
- Dezember 2013
- November 2013
- Oktober 2013
- September 2013
- August 2013
- Juli 2013
- Juni 2013
- Mai 2013
- April 2013
- März 2013
- Februar 2013
- Jänner 2013
- Dezember 2012
- November 2012
- Oktober 2012
- September 2012
- August 2012
- Juli 2012
- Juni 2012
- Mai 2012
- April 2012
- März 2012
- Februar 2012
- Jänner 2012
- Dezember 2011
- November 2011
- Oktober 2011
- September 2011
- Juli 2011
- Juni 2011
- Mai 2011
- April 2011
- März 2011
- Februar 2011
- Jänner 2011
- November 2010
- Oktober 2010
- September 2010
- Juli 2010