On July 6th, the Brazilian National Data Protection Authority (ANPD) issued its first sanction for non-compliance with the Brazilian General Data Protection Law (LGPD). The ANPD’s General Supervision Coordination (CGF/ANPD) determined the penalties at the conclusion of the administrative sanctioning process against a small business entity (microempresa – “Company”) for violating articles 7 and 41 of the LGPD and article 5 of Resolution CD/ANPD No. 1/2021.
In more detail
The administrative proceeding was introduced on February 28, 2021 and began due to a complaint that the Company was offering a list of contacts of voters in Ubatuba/SP, in the context of the 2020 Municipal Election, through a messaging app. The proceeding was initiated by CGF, which requested documents and clarifications from the Company in order to better understand the composition and functioning of its database, as well as who was the Encarregado (similar to a DPO) responsible for its activities.
Despite the opportunities for clarification, CGF understood that the Company did not provide satisfactory responses. As such, Administrative Sanctioning Process No. 00261.000489/2022-62 was instituted. The Company was notified of the infraction notice and presented its defense on August 04, 2022. The sanctioning decision was published in the Federal Official Journal (DOU) on July 06, 2023. Its main points are highlighted below:
- ANPD classified the Company as a data controller, considering it as the legal entity responsible for decisions related to the processing of personal data. This was due to the activities of building a database and offering it to its customers.
- It was recognized that the Company did not appoint the Encarregado in due time, with said appointment occurring solely after the Company presented its defense. As such, ANPD considered that the Company violated article 41 of the LGPD.
- The ANPD understood that the Company was idle in answering the official requests, not providing documents and information at the first opportunity. As a result, ANPD considered that the Company violated article 5 of Resolution CD/ANPD No. 1/2021, which requires processing agents to provide the ANPD with copies of relevant documents and information, as required by the authority to conduct the analysis of the case. The failure to comply with this requirement was considered an obstruction of the authority's inspection activities and was characterized as a severe violation.
- The Authority observed that there was a secondary use of manifestly public data by the Company, with no appropriate legal basis for said processing. In addition, the ANPD considered that there was an intention to obtain economic advantage through these processing activities and, therefore, the Company was considered to have infringed article 7 of the LGPD, which lists all legal bases for processing personal data.
- Regarding the absence of a legal basis, the ANPD highlighted the need for transparency toward data subjects in the processing of publicly available personal data. That transparency was absent in this case, as data subjects were not informed of how their data was being processed. The Authority therefore emphasized the need for special care when adopting legitimate interest as a legal basis and rejected, in this case, the possibility of relying on legitimate interest for purposes other than those for which the personal data was originally made public by the data subject.
- In addition, the ANPD made public the full report that provided grounds for its sanctioning decision.
As such, the ANPD decided to sanction the Company with a warning and two simple fines. Since the Company is classified as a small business entity, the LGPD limits the fine to 2% of revenue and, thus, the Company must pay the amount of BRL 7,200 for each fine, totaling BRL 14,400 (approximately USD 2,986).
This is an extremely important decision: it is the first sanction imposed by the ANPD for non-compliance with the LGPD, and it serves as an indication of how the ANPD will handle similar cases, including those involving companies of different sizes.