By: Leonardo Neri
The ANPD, the LGPD regulatory agency, recently published the administrative measures that will be applied as penalties to those who fail to comply with the General Data Protection Law, as provided for in articles 52 and 53 of that Law.
Recently, another significant step towards the credibility of the LGPD was taken. The Regulation on Dosing and Application of Administrative Sanctions was presented, and it will finally come into effect after years of relaxing the rule in order to raise awareness among companies about adjusting their data protection policies.
What was already provided for in articles 52 and 53 of the aforementioned Law will now be applied directly. Furthermore, the resolution provides guidance on sentencing, such as calculating the base value. It is important to note that this model was one of the missing pieces needed for the Law's proper application.
Initially, the regulation addresses the ratification of penalties already provided for by law, from the form of a warning to the complete prohibition of actions aimed at personal data.
According to the document, following a decision by the ANPD, sanctions will be applied when: (i) the mandatory preventive or corrective guidance is not followed; (ii) serious infractions occur; (iii) there is no possibility of applying another sanction.
The base value of a simple fine, in turn, will be determined according to the following criteria: (i) classification of the infraction; (ii) revenue of the Private Law Legal Entity; and (iii) degree of damage caused.
Having listed what will be taken into consideration when setting the base value of the sanction, it is worth noting that the fines, according to article 52 of the Law under discussion, may reach up to 2% of the turnover of the Private Law Legal Entity; R$50 million for violations by groups or conglomerates.
However, the resolution provides for minimum values for minor infractions, starting at R$1 thousand for Individuals or Private Legal Entities without revenue; R$3 thousand for other Legal Entities.
Medium and serious infractions will be subject to a fine of between R$1,400,000 and R$1,400,000 for individuals and legal entities without revenue, and R$1,400,000 and R$1,400,000 and R$1,400,000 and R$1,200,000 for other legal entities. In the meantime, it is important to note that the legislated period of 30 (thirty) days from official notification for payment of the fine is hereby approved.
As already mentioned, the prohibition on carrying out activities related to data processing will apply in the following circumstances: (i) recidivism; (ii) use of data for illegal purposes or without legal support; or (iii) the offender losing or failing to adequately meet basic and technical operating conditions.
Finally, the process was approved by resolution CD/ANPD nº1, aiming to carry out ANPD's inspection strategies.
With collaboration from: Barbara Gomes and Pedro Sobolewski