Data Protection in Brazil

Enforcement in Brazil

The LGPD provides for penalties in case of violations its provisions. Data processing agents that commit infractions can be subject to administrative sanctions, in a gradual, single or cumulative manner, including a fine, simple or daily, of up to 2% of the revenues of a private legal entity, group or conglomerate in Brazil, up to a total maximum of R$50 million per infraction.

Other sanctions can include:

  • Warning
  • Publicizing of the violation
  • Blocking the personal data to which the infraction refers to until its regularization
  • Deletion of the personal data to which the infraction refers
  • Partial suspension of the database operation to which the infringement refers for a maximum period of six (6) months, extendable for the same period, until the processing activity is corrected by the controller;
  • Suspension of the personal data processing activity to which the infringement refers for a maximum period of six (6) months, extendable for the same period;
  • Partial or total prohibition of activities related to data processing.

Although the LGPD became effective September 18, 2020, the penalties provided by the law were only enforceable from August 1, 2021. On October 29, 2021, the ANPD published the Regulation of the Inspection Process and the Sanctioning Administrative Process, which establishes the procedures applicable to ANPD’s inspection process and the rules to be observed during the administrative sanctioning process. On February 24, 2023, the ANPD published the Regulation of Dosimetry and Application of Administrative Sanctions, which provides for the parameters of calculation of the above penalties. Until the present moment, the ANPD has  only imposed one administrative sanction regarding violations to the LGPD by a private entity. Therefore, the level of enforcement activity is still uncertain.

Public authorities (such as consumer protection bodies and public prosecutors) are also entitled to monitoring data protection matters and to applying penalties based on the LGPD obligations and other applicable laws. Additionally, data subjects may file lawsuits if any of the rights provided by the LGPD are violated. Under the law, a controller or processor that causes material, moral, individual, or collective damage to others is liable to individuals for such damages, including through a class action.

Exceptions to the obligation to remedy a violation exist only if:

  • The agent (ie, controller or the processor) did not carry out the data processing
  • There was no violation of the data protection legislation in the processing, or
  • The damage arises due to exclusive fault of the data subject or a third party

Continue reading

  • no results

Previous topic
Back to top