On Monday (02/27), the National Data Protection Authority (ANPD) published the Regulation on the Calculation and Application of Administrative Sanctions (Resolution CD/ANPD No. 4 of February 24, 2023), which aims to determine the methodology to be followed for the enforcement of the penalties provided for by Article 52 of the General Data Protection Law (Law No. 13,709/2018) (LGPD).
The LGPD determines that ANPD may, among other penalties, impose a simple or daily fine of up to 2% of the revenue of the private legal entity, group or conglomerate in Brazil in its last fiscal year, excluding taxes, limited to BRL 50 million per infringement.
Upon the publication of the Regulation, it is expected that the ANPD will intensify its enforcement activities. According to the ANPD, several investigations and complaints related to potential breaches have been held in abeyance due to the lack of regulation providing the criteria for calculating and enforcing the penalties.
The sanctions will only be enforced after an administrative procedure is conducted and a decision by the ANPD is rendered, ensuring the right to full defense and due process of law.
The Regulation aims to establish criteria for sanctions to be applied in a fair and proportionate manner.
Our data protection team is closely monitoring further updates on the subject and remains available to answer any questions regarding the Regulation and the penalties provided for by the LGPD.
Classification of the breaches
Under the Regulation, the sanctions will take into account the severity and nature of the infringements, as well as the nature of the affected rights, and shall be classified as light, medium and severe, as per the summary chart below:
Types of sanctions