On February 2^nd, 2023, the ANPD published the Regulation on Dosimetry and Enforcement of Penalties, to set up criteria for classifying and enforce penalties to infractions committed while processing personal data.

As a result, penalties will be classified according to their nature, severity and impacted data, according to the following requirements:

i. Medium: When it significantly affects the interests and fundamental rights of the affected data owners, significantly limiting the exercise of their right to treatment and/or give rise to material/non-pecuniary damages.

ii. Serious: Incident involving, in addition to the above elements, the processing of personal data on a large scale, upon economic advantage, processing of sensitive data, processing data without legal basis or consent, illicit processing and obstruction of inspection activity.

iii. Mild: Event that does not contain any of the criteria provided for classification as medium and serious.

In order to define the penalty to be imposed, the following requisites will be observed:

• the seriousness and nature of the infringements and the rights affected;
• the good faith of the controller/operator;
• the advantage gained or intended by the controller/operator;
• the economic condition of the controller/operator;
• specific recidivism;
• generic recidivism;
• the level of damage, under the terms of the Appendix I of the Regulation;
• the controller’s cooperation after the episode;
• the repeated and evidenced adoption of internal mechanisms and procedures capable to mitigate the damages, aimed at safe and adequate data processing, in line with LGPD;
• the adoption of good practices and governance policies;
• the prompt adoption of corrective measures and
• the proportionality between the seriousness of the offense and the level of the penalty.

The limitation provided for by LGPD regarding the percentage of 2% of revenue, limited to 50 million BRL, was also maintained. If the company responsible for the incident does not present documents that prove its revenue, ANPD may arbitrate the limitation of the penalty to be imposed.

In addition to the pecuniary penalty, there are other punishments that may be applied by ANPD, such as: publicizing the infraction, blocking personal data, deleting personal data, partial suspending the operation of the database, suspending the processing activity of personal data and even the partial or total prohibition of data processing by the company responsible for the episode.

Thus, as dosimetry was the missing component for the imposition of penalties by ANPD, companies must be fully adequate to LGPD, in order to avoid the imposition of penalties and prohibitions that affect their personal data processing activities.

Our Data Protection Team is available for any clarification you may need.