On 06 July, the first sanctioning decision of the Brazilian Data Protection Authority (ANPD) was published, issued in Administrative Proceeding No. 00261.000489/2022-62. In summary, the authority imposed the following sanctions on a small company that operates in multimedia communication services:
- A warning, without imposition of corrective measures, for violation of Article 41 of the LGPD (regarding the obligation to indicate a person in charge of the processing of personal data);
- A simple fine, in the amount of R$ 7,200.00, for violation of Article 7 of the LGPD (legal bases for the processing of personal data);
- A simple fine, in the amount of R$ 7,200.00, for violation of Article 5 of the Regulation on Sanctions (duties of regulated agents).
Although the decision does not provide further details about the infractions, the list of administrative sanctioning proceedings initiated by the institution’s oversight body (the Coordenação-Geral de Fiscalização), which was released by the ANPD on March 23, shows that the proceeding had been initiated to investigate the following conduct: (i) lack of proof of legal basis; (ii) absence of registration of operations; (iii) failure to submit a Data Protection Impact Report; (iv) absence of Data Protection Officer; and (v) failure to comply with the ANPD’s request.
In this context, it is worth mentioning that small companies, as defined in Article 2 of Resolution CD/ANPD No. 2, are exempt from appointing a Data Protection Officer. However, in this case, they must provide a communication channel to the data subject to address complaints and communications, provide clarifications and adopt relevant measures (Art. 11 of the Resolution). It is also worth mentioning that the Resolution allows small companies to carry out the registration of personal data processing operations in a simplified manner.
It should be noted that the provisions of Resolution CD/ANPD No. 2, pursuant to its Article 3, do not apply to small companies that: (i) perform high-risk data processing (defined in Article 4), except for the hypothesis provided for in Article 8; (ii) generate gross revenue higher than the limit established in Article 3, II, of Complementary Law No. 123, of 2006 or, in the case of startups, in Article 4, paragraph 1, I, of Complementary Law No. 182, of 2021; or (iii) belong to an economic group, in fact or in law, whose overall revenue exceeds the limits referred to in item II, as appropriate.
The decision can be accessed at this LINK.