Brazil: Your Company May Be at Risk of Fines and Sanctions by LGPD

published on 1 February 2023 | reading time approx. 2 minutes

The LGPD (General Data Protection Law) completed 4 years of its publication and the government agency responsible for its inspection (ANPD – National Data Protection Authority) is in a constant process of inspection and investigation of infringements.

To be safe, companies need to follow the rules and guidelines provided by law for the security of its processes, systems, and IT infrastructure in the activities of processing personal data.

The sanctions and fines provided in Chapter VIII of the law are:

Warning, indicating a deadline for the adoption of corrective measures;
Simple fine, of up to 2 per cent of the revenue of the legal entity governed by private law, group, or conglomerate in Brazil in its last fiscal year, excluding taxes, limited, in total, to R$50,000,000.00 (fifty million reais) for infringement;
Daily fine, observing the total limit referred to in item II;
Disclosure of the infraction after its occurrence has been duly verified and confirmed;
Blocking of the personal data to which the infraction refers until its regularization;
Deletion of the personal data to which the infraction refers;
Partial suspension of the operation of the database to which the infraction refers for a maximum period of 6 (six) months, extendable for an equal period, until the treatment activity is regularized by the controller;
Suspension of the exercise of the activity of processing the personal data to which the infraction refers for a maximum period of 6 (six) months, extendable for an equal period;
Partial or total prohibition of activities related to data processing.