The National Data Protection Authority (ANPD), created by Law no. 13.709/2018 (General Data Protection Law – known as the LGPD in Portuguese), has its attributions regulated in the 24 items of art. 55-J of the said Law.

One of its functions is to issue regulations, such as the Regulation of the Inspection Process and the Administrative Sanctioning Process, established by Resolution CD/ANPD no. 1/2021, and the Regulation for the Application of Administrative Sanctions, published in February of this year, to define the criteria and parameters for the sanctions established in arts. 52 and 53 of the LGPD, as well as the forms and dosimetry for calculating the base value of the penalties.

With regard to the first Regulation, art. 15 provides that the ANPD shall adopt monitoring, guidance and prevention activities in the inspection process, and may initiate repressive action in the administrative sanctioning process.

With regard to the means of action, the inspection can take place spontaneously, as a result of periodic inspection programmes, in coordination with public bodies and entities, or in cooperation with personal data protection authorities in other countries. As for instituting administrative sanction proceedings, this can be done on the initiative of the General Inspection Coordination (CGF), as a result of the monitoring process, or in the event of a request from the CGF, after considering the admissibility thereof.

As for the second Regulation, instituted by Resolution CD/ANPD no. 4/2023, which deals with the dosimetry of sanctions, art. 3 stipulates the administrative sanctions to which the offender will be subject, in accordance with the seriousness and nature of the infraction and the personal rights affected (art. 8). Furthermore, the dosimetry is calculated based on the turnover of the company or group, the range of tax rates, the degree of damage and any mitigating or aggravating circumstances.

An example of this is the first sanction applied by the ANPD’s General Inspection Coordination to the company Telekall Infoservice, in July 2023, for violating articles 7 and 41 of the LGPD, as well as article 5 of the ANPD’s Inspection Regulations.

The inspection was initiated following a complaint that the company Telekall Infoservice was offering a list of voters’ WhatsApp contacts for the purpose of disseminating election campaign material. The facts denounced were related to the 2020 municipal election in Ubatuba/SP.

The ANPD found that the reported processing of personal data was taking place without legal backing. It also found that the company had failed to prove the appointment of a person in charge of processing personal data. Although it is a micro-company, Telekall failed to prove that it did not carry out high-risk processing, which is a necessary condition to exempt it from the requirement to appoint a person in charge.

In view of the evidence of infringement of the LGPD and the company’s failure to comply with the inspection team’s determinations, the CGF/ANPD issued a Notice of Infringement, initiating the Administrative Sanctioning Process. On conclusion of the preliminary investigation, the Authority found that the company offered lists of WhatsApp contacts for the purpose of triggering messages, having built a database from data available on the internet.

Accordingly, the CGF concluded that violations had occurred of art. 7 and art. 41 of the LGPD, as well as art. 5 of Resolution CD/ANPD no. 1/2021. For the violation of art. 7 of the LGPD (due to the lack of proof of the legal processing of personal data) and for the violation of art. 5 of the Supervisory Regulation (due to the obstruction of supervisory activity), simple penalties (art. 52, II) of R$7.200,00 were imposed for each infraction, totalling R$14.400,00. Failure to comply with article 41 of the Law, due to failure to appoint a person in charge of processing personal data, resulted in a warning sanction (article 52, I). The decision can still be appealed to the Authority’s Board of Directors.

In addition to the case mentioned above, there are currently 13 other inspections and another 9 administrative sanction cases in progress, according to information released by the CGF. The number is still low, but what is noticeable is a gradual increase in the ANPD’s inspection activities, as well as a growing number of communications regarding incidents, requests, complaints and petitions from data subjects, which is bound to lead to increasingly intense action by the ANPD.

 

Our data protection team remains at your disposal for any further explanation you may require on this matter.

 

Mariana de Magalhães e Souza

Lawyer in the Civil Area – São Paulo

mariana.souza@stussinevessp.com.br
