LGPD Enforcement Body Administering Sanctions Is Now Active
First enacted in August 2018, Brazil’s data privacy law Lei Geral de Proteção de Dados (“LGPD”) and its provisions were originally scheduled to take effect in three separate phases:
- The Brazilian National Data Protection Agency (“ANPD”) was created in December 2018 to enforce LGPD (however, the ANPD did not actually become operational until November 2020);
- Individuals’ rights and obligations of data controllers, processors, and privacy officers became enforceable in September 2020; and
- The ANPD’s ability to impose penalties and sanctions is scheduled to take effect on August 1, 2021.
The ANPD is expected to begin enforcement against companies that process large amounts of personal data, and gradually roll out enforcement against companies regardless of size and scope. Under the LGPD, controllers and processors of data are subject to the following administrative sanctions:
- fine of up to 2% of the company’s revenue in its last fiscal year, excluding taxes, capped at R$ 50,000,000 (fifty million reais) (approximately $10,000,000 USD) per infraction;
- publicizing the infringement after it is duly investigated and confirmed;
- partial suspension of the database operation that is the subject of the infringement for up to six months, extendable for an equal period, until the controller corrects the unlawful processing activity;
- warning with a deadline for taking corrective measures;
- blocking the personal data to which the infringement refers until its correction;
- deleting the personal data subject to the infringement;
- suspension of the personal data processing activity to which the infringement refers for up to six months, extendable for an equal period; and
- partial or total prohibition of the activities related to data processing.
The ANPD will consider certain mitigating factors when assessing sanctions, such as the seriousness of the infraction, the size and economic means of the violator, the damages caused, the cooperation of the violator, and the existence of policies and mechanisms to safeguard and safely process personal data, among others.
How Can Clym Help?
Clym believes in striking a balance between legal compliance and business needs, which is why we provide a cost-effective, scalable and flexible platform to comply with LGPD, GDPR, CCPA and other laws, including those in the UK, as they come online. Our platform provides consumers with an effective and easy-to-navigate way to opt out of data collection while not infringing upon the website UI that businesses rely on to drive revenues. Contact us today about how your company can implement Clym to help manage your data privacy regulation compliance from a global perspective.