Although the administrative sanctions established in the Brazilian General Data Protection Law (“LGPD”) entered into force on August 1, 2021, its effectively application only started lately with the publication of the Regulation for Dosimetry and Application of Administrative Sanctions (“Regulation”) by the Brazilian National Data Protection Authority (“ANPD”).

Following the publication of the Regulation and aiming transparency, the ANPD recently released a list containing more than 20 inspection and sanctioning processes being carried out by the authority regarding compliance with the LGPD by data processing agents.

In this regard, the ANPD clarified that the inspection processes are carried out to verify and analyze compliance with the obligations brought by the LGPD. Through it, the ANPD can propose preventive measures to agents to comply with the provisions of the law, conduct audits, request specific and detailed information on the processing of personal data, with a focus on ensuring compliance with the LGPD and the protection of the fundamental right to personal data protection.

In the other hand, administrative sanctioning processes serve to apply sanctions determined by the LGPD, when there is already probative evidence of an infringement.

The penalties provided for by the LGPD are strict and range from a warning, with an indication, by the ANPD of the deadline for the adoption of corrective measures, to a fine of up to 2% of the incomes of the legal entity or its economic group in Brazil in the previous year, limited to BRL 50,000,000.00 per infraction (approximately USD 10,000,000.00), and even the suspension of personal data processing activities and the publication of the infraction, which has the potential to cause reputational damages greater than the amount of the established fine by law.

In addition to the inspection and sanctioning processes being carried out by the ANPD, there are also thousands of lawsuits being filed before courts based on the determinations provided for by the LGPD, with potential to result in liability for breaches of the law.

The need to adapt to and comply with the LGPD is essential and unavoidable. The recent edition of regulations, guiding documents and statements has brought new details and specifications that need to be considered from now on by data agents on the processing of personal data. Compliance programs should not be static processes and must be continuously updated to ensure compliance with the current data protection standards.

We will continue to follow up the matter and soon bring new information regarding ANPD's performance in relation to the inspection activities and administrative sanctions.