In this privacyespresso, our expert Luiza Sato from the Brazilian law firm TozziniFreire Advogados provides an overview of the first fine issued by the Brazilian Data Protection Authority (ANPD) based on violations of the Brazilian Data Protection Law (LGPD), marking a crucial milestone in the country’s data protection journey.
In this case, the ANPD imposed sanctions on Telekall Infoservice for multiple infractions. The sanctions consisted of a warning and two fines amounting to R$ 7,200 (approximately EUR 1,300) for each violation.The violations included processing personal data without a lawful basis, failure to appoint a Data Protection Officer (DPO), and non-compliance with the authority’s document requests.
Even if the fines appear relatively low considering the importance of the infractions, it’s important to note that in this instance, R$ 7,200 was the highest possible fine as it corresponds to 2% of Telekall’s annual revenue. So if we look at the size of the company, the fine can be considered high!
The ANPD’s decision carries valuable takeaways for data processing agents subject to the LGPD:
- The case highlights the involvement of other authorities (such as the Public Prosecutor) in LGPD compliance assessment, indicating a broader enforcement landscape in Brazil.
- The ANPD has started its sanctioning activities rather than focusing solely on educational measures. This demonstrates the authority’s commitment to enforcing data protection laws.
- The sanctions were imposed due to violations that could have been easily avoided by undertaking fundamental data protection compliance measures. Appointing a DPO, maintaining records of processing activities (RoPA), conducting a Data Protection Impact Assessment (DPIA), and relying on a lawful basis for data processing are essential tasks.
- The ANPD has made the full reasoning behind its decision public. The disclosure of this information has sparked significant attention, not only in Brazil but worldwide. The impact on a company’s reputation can be just as severe as the financial penalties.
This case serves as a reminder for all organizations handling personal data. Compliance with the LGPD is crucial, and failure to do so can lead to substantial consequences. Stay tuned for more updates on data protection matters!