On February 2nd, 2023, the ANPD published the Regulation on Dosimetry and Enforcement of Penalties, to set up criteria for classifying and enforce penalties to infractions committed while processing personal data.
As a result, penalties will be classified according to their nature, severity and impacted data, according to the following requirements:
i. Medium: When it significantly affects the interests and fundamental rights of the affected data owners, significantly limiting the exercise of their right to treatment and/or give rise to material/non-pecuniary damages.
ii. Serious: Incident involving, in addition to the above elements, the processing of personal data on a large scale, upon economic advantage, processing of sensitive data, processing data without legal basis or consent, illicit processing and obstruction of inspection activity.
iii. Mild: Event that does not contain any of the criteria provided for classification as medium and serious.
In order to define the penalty to be imposed, the following requisites will be observed:
The limitation provided for by LGPD regarding the percentage of 2% of revenue, limited to 50 million BRL, was also maintained. If the company responsible for the incident does not present documents that prove its revenue, ANPD may arbitrate the limitation of the penalty to be imposed.
In addition to the pecuniary penalty, there are other punishments that may be applied by ANPD, such as: publicizing the infraction, blocking personal data, deleting personal data, partial suspending the operation of the database, suspending the processing activity of personal data and even the partial or total prohibition of data processing by the company responsible for the episode.
Thus, as dosimetry was the missing component for the imposition of penalties by ANPD, companies must be fully adequate to LGPD, in order to avoid the imposition of penalties and prohibitions that affect their personal data processing activities.
Our Data Protection Team is available for any clarification you may need.