Background:

The Lei Geral de Proteção de Dados (LGPD) is the Brazilian legal framework that regulates data processing carried out in Brazil and in other countries where the processing operations (i) aim to offer or supply goods and services to people located in Brazil; (ii) process the personal data of people located in Brazil; or (iii) process personal data that has been collected in the Brazilian territory. 

LGPD came into force in August 2020, and its parameters were mainly influenced by the European Union’s General Data Protection Regulation (GDPR). It is enforced by the Autoridade Nacional de Proteção de Dados (ANPD), or National Data Protection Authority, which is responsible for supervising compliance and applying penalties in cases of non-compliance with the LGPD’s provisions.

These penalties can range from warnings to fines of up to 2% of the organisation’s annual revenue in Brazil, up to a maximum of 50 million Brazilian Reais per violation (approximately €8-9 million), in addition to the complete prohibition of personal data processing operations.

Although the LGPD has been in force since 2020 and its penalties are severe, legal experts state that 80% of Brazilian companies have not yet adapted to this regulatory landscape, which is why more oversight was needed to ensure compliance and, consequently, the data subjects’ rights.

On 27 February 2023, ANPD published Resolution CD/ANPD n. 4/2023, approving the Regulation on Dosimetry and Application of Administrative Sanctions (RDAAS). The RDAAS addresses the requirement of Article 53 of the LGPD, which establishes that the national authority shall define, through an independent regulation, clear sanction measures and the methodologies applicable to non-compliance cases. Thus, the RDAAS sets out the methods for determining the most appropriate penalty for each specific case and seeks proportionality between the sanction and the seriousness of the infraction.

Overview of the RDAAS:

In short, the RDAAS classifies non-compliance infractions as minor, medium, or serious, and it establishes criteria for the applicability of:

  • Warnings 
  • Pecuniary fines and the method of their calculation
  • Corrective measures  
  • Blocking and deletion of personal data 
  • Suspension of personal data processing for a maximum of six months, extendable for the same period 
  • A partial or total prohibition from carrying out data processing operations 
  • Fines for recidivism  
  • Deadline for execution and demonstration of compliance, and payment deadline of fines. 

The definition of the penalty and the amount of the fine in cases of pecuniary sanction will consider elements such as the level of infringement (minor, medium or serious), the recidivism of the offense, the nature of the infringement, the processing activity and the personal data, aggravating and mitigating circumstances, and other factors of the specific case. 

Recidivism:

For companies or natural persons that infringe LGPD more than once, there will be fines for recidivism. Recidivism can be:  

(1) general: when the offender commits another infraction within the period of 5 years; or

(2) specific: when the offender commits the same infraction within the period of 5 years.

In both cases, the period is counted from the final and unappealable decision of the administrative proceeding to the date of the new infraction.

In general recidivism, the fine can be increased by up to 20%. In cases of specific recidivism, this percentage can reach a 40% increase in the value of the penalty. 

How can HewardMills help you? 

With the publication of the RDAAS, non-compliance practices will result in more severe repressive measures. Data subjects will be able to enjoy more legal certainty, while data controllers and data processors will need to be more cautious concerning their data processing operations.

However, compliance with LGPD can be achieved with the assistance of legal experts, who will help you to understand, on a regular basis, the effects of this regulation and new enforcement rules on your business, as well as the recommended measures that can be adopted to implement a privacy-friendly framework for your company. This will certainly minimise the risks of repressive measures, penalties, heavy fines and recidivism.

As a global B Corp Data Protection Officer (DPO), we help organisations maintain compliance with global data protection and privacy regulations. Therefore, if you are interested in how this Brazilian regulation affects your business, or would like guidance on how to ensure that you have processes in place to meet the requirements of the regulation, HewardMills will be at your disposal to help you prepare for the regulatory landscape.

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at dpo@hewardmills.com.