In 2018, Law No. 13,709/18, the General Data Protection Law (LGPD) was published, regulating the protection of personal data in Brazil, following an international trend, and inspired by the General Data Protection Regulation (GDPR), a standard that regulates data protection in the European Union (EU). With the sanction of the LGPD, we have taken an important step to protect a precious asset of society, its personal data.
Since September 2020, after the legal vacancy, an adaptation period for companies, the law has been applicable to legal entities of public and private law, protecting the data considered to be of a personal nature, whether in physical or digital media.
The full application of the law, however, depended on the regulation that would define the dosimetry of the sanctions established in the LGPD. Without the application of penalties, the legal standard becomes a dead letter.
On February 27, 2023, in order to guarantee the application of the law and safeguard the right to the protection of personal data, the National Data Protection Authority (ANDP), the national authority responsible for the supervision and application of penalties related to non-compliance with the law, published the Regulation on Dosimetry and Application of Administrative Penalties (Resolution CD/ANPD no. 4, of February 24, 2023), establishing the criteria and parameters for the application of administrative sanctions to which companies are subject if they fail to comply with the law, in addition to defining procedures for the calculation of the base value of fines, complying with the determination of article 53 of LGPD.
The publication of the regulation is certainly one of the most important milestones since the publication of the LGPD, because the parameters used to impose sanctions by the national authority become clear.
One of the aspects analyzed to apply the penalty in case of non-compliance with LGPD is the damage or harm that the company has caused to the data subjects. The regulation aims to ensure balance between the seriousness of the agent’s conduct and the sanction applied.
- Warning;
- Simple fine, of up to 2% (two percent) of the legal entity’s revenue, limited, in total, to R$ 50,000,000.00 (fifty million reais) per infraction;
- Daily fine, with a total limit of R$ 50,000,000.00 (fifty million reais);
- Publicization of the infraction;
- Blocking of personal data to which the infraction refers;
- Deletion of the personal data to which the infraction refers;
- Partial suspension of the operation of the database to which the infraction refers for a maximum of 6 (six) months, extendable for an equal period, until the situation is regularized;
- Suspension of the activity of processing personal data for a maximum of 6 (six) months, extendable for an equal period;
- Partial or total prohibition to exercise activities related to data processing.
Resolution CD/ANPD No. 4/2023 aims to establish the application method for applying the penalty of a simple fine and/or a daily fine, as established in articles 11 and 16.
In addition to punishments such as fines, the national authority may require the adoption of corrective measures to prevent further infractions of the LGPD.
The minimum amounts of the simple fine to be applied in cases of natural person and legal entity with no revenue have been established as follows:
In addition to the regulation of the dosimetry for the application of penalties, which guarantees the legal certainty of the process, the first trials by the ANPD have also begun. Initially, the first batch will be judged, with 8 lawsuits, most of them involving federal public sector bodies and personal data leakage.
In an interview with Valor Econômico newspaper, the Director of the ANPD, Nairane Leitão, informed that the ANPD already has a second batch of cases, which will be better evaluated, involving private companies and cases of security incidents and sale and sharing of data, among others.
After the judgments in the first instance by the regulatory agency, there will be an appeal to the ANPD’s board of directors and, at the end of the administrative instance, the agents may appeal to the judiciary to try to review or even cancel the penalties applied.
According to the regulator, 40 inspection proceedings have already been opened regarding possible non-compliance with the legislation, and the ANPD has already received 1,110 reports, in addition to 703 petitions from data owners requesting the opening of proceedings and the adoption of measures for non-compliance with the law.
Companies need to be aware of and comply with the legal requirements, which include mapping the personal data collected, processed, and stored, as well as identifying the purpose and legal basis for processing, creating internal policies and procedures, conducting employee training and awareness in relation to personal data protection, to appointing a Data Protection Officer (DPO) who is responsible for ensuring the company’s compliance with the LGPD and for communicating with the ANPD.
If you have not yet appointed or have no DPO, Pryor Global can help you. We offer the DPO service autonomously and independently, complying with all legal requirements.
Count on our services! We have an expert team in LGPD and personal data protection.
Contact us to learn more about our services at
A Pryor Global se preocupa com o uso de seus dados pessoais. Solicitamos apenas os dados necessários para podermos retornar seu contato. Estes dados serão devidamente protegidos. Para mais informações, consulte nossa Privacy Policy".