ANPD’s Regulation on Administrative Sanctions: Overview

The Lei Geral de Proteção de Dados Pessoais, or General Personal Data Protection Law (LGPD), is the primary data protection and data privacy law in effect within the Federative Republic of Brazil. Like all major global data privacy regulations, the law places several obligations upon organizations processing users' personal data. Failure to do so results in regulatory sanctions and reputational and operational losses.

The Autoridade Nacional de Proteção de Dados, or National Data Protection Authority (ANPD), is the national data protection authority that oversees the enforcement of the LGPD across Brazil.

On February 27, 2023, the Board of Directors of the ANPD approved the Regulation of Dosimetry and Application of Administrative Sanctions via Resolution CD/ANPD No. 4, of February 24, 2023.

Primarily, the Regulation establishes the parameters and criteria for the application of pecuniary and non-pecuniary administrative sanctions by ANPD in accordance with Articles 52 and 53 of the LGPD and also provides for the forms and dosimetry for calculating the base value of fine sanctions.

A Brief Background

The newly issued Regulation by ANPD has been long awaited as it was the only obstacle left in the way of the authority to impose sanctions on entities failing to comply with the provisions of the LGPD. This is also evident from the fact that the ANPD did not take long to publish a list of sanctioning proceedings and initiate enforcement action after the publication of the Regulation.

It was back in August 2022, when the draft of the Regulation was opened to public consultation to gain valuable feedback from the data security experts and the general populace. Thousands of contributions were made, while a public hearing was also conducted where further contributions were received.

With the publication of the final Regulation, it will now be easier for the businesses complying with the LGPD as well as for the ANPD to have legal certainty and predictability with respect to the applicable sanctions for LGPD infringements.

Sanctions: The Important Details

Currently, in addition to other administrative sanctions, the LGPD empowers the ANPD to impose fines that can go up to 2% of the offending entity's total revenue in Brazil, excluding taxes, for the preceding financial year. However, such penalties must be limited to BRL 50 million per infringement.

The sanctions will only be enforced once the ANPD conducts a comprehensive administrative inquiry, giving the offending entity the appropriate right to defense and other due processes of the law.

The offenses' severity and exact nature are a particular highlight of the new Resolution. All potential violations and offenses are classified in the following three severity levels:

Classification	Description of Offence
Classification: Minor	Description of Offence: Any offence not identified as average or serious.
Classification: Average	Description of Offence: The offence significantly affects the interests and fundamental rights of the data subject. This includes instances where data processing may significantly limit the exercise of rights and use of a service by the data subject. Additionally, it may also lead to material and moral damages for the data subject, such as discrimination, identity theft, financial fraud, violation of physical integrity, and any other such serious instances not deemed serious.
Classification: Severe	Description of Offence: An Offence shall be considered serious when: It fulfills the criteria for an average infraction while fulfilling any of the following: involves the processing of personal data on a large scale, characterized when it covers a significant number of data subjects, also considering the volume of data involved, as well as the duration, frequency and geographic extension of the treatment carried out; the violator earns or intends to earn economic advantage as a result of the infraction committed; the infraction involves risk to the data subjects’ lives; the offense involves the processing of sensitive data or personal data of children, teenagers, or the elderly; the offender carries out the processing of personal data without support in one of the legal hypotheses provided for in the LGPD; the offender carries out treatment with illicit or abusive discriminatory effects; or verified systematic adoption of irregular practices by the offender; Obstructs inspection activities.

The Regulation also provides elaborated parameters and defines the criteria for each of the administrative sanctions that may be applied by the ANPD under section 152 of the LGPD. The following table provides a reference list for each of the administrative sanctions and their relevant articles under the Regulation:

Sanction Type	Relevant Article in the Regulation
Warning	Article 9
One-time Fine	Articles 10 to 15
Daily Fine	Article 16
Publication of the Offence (Depending on Relevance and Public Interest)	Articles 20 and 21
Blocking of all Personal Data related to the Offence	Article 22
Deletion of all Personal Data related to the Offence	Article 23
Partial suspension of access to database related to the Offence	Article 24
Suspension of all processing activities related to Personal Data related to the Offence	Article 25
Partial or Complete Suspension of all data processing activities	Article 26

With it being clear how the Regulation classifies each offense and the nature of its severity, the next obvious question is how it elaborates on calculating the base value for the fine sanctions. However, before proceeding to the calculation of the fine amount, it is pertinent to note that the Regulation also provides for different aggravating and mitigating circumstances that reflect the compliance level of the offending entity and directly impact the amount of the fine.

Following are the aggravating and mitigating circumstances under the Regulation and the prescribed rules governing their impact on the amount of fine:

Aggravating Circumstances

In the following specific circumstances, the amount of the simple fine will be increased as follows:

• 10%, for each case of specific recurrence, up to a limit of 40%;
• 5%, for each case of generic recurrence, up to a limit of 20%;
• 20%, for each guidance or preventive measure not complied with in the inspection process or the preparatory procedure that preceded the sanctioning administrative process, up to the limit of 80%; and
• 30%, for each corrective measure not complied with, up to a limit of 90%.

Mitigating Circumstances

In the following specific circumstances, the amount of the simple fine will be decreased as follows:

• In case of cessation of the offense:
  • 75%, if before the initiation of a preparatory procedure by the ANPD;
  • 50%, if after the initiation of the preparatory procedure and until the initiation of sanctioning administrative proceedings; or
  • 30%, if after the initiation of a sanctioning administrative process and until the delivery of the first instance decision within the sanctioning administrative process.

• 20%, in case of implementation of good practices and governance policy and demonstrated adoption of internal mechanisms and procedures capable of minimizing damage to holders, aimed at safe and adequate data processing, until the rendering of the decision of the first instance in the scope of the sanctioning administrative process.

• In case the offending entity has shown proof of implementation of measures capable of reversing and mitigating the effects of the offense on the affectees:
  • 20%, before the initiation of a preparatory procedure or sanctioning administrative proceeding by the ANPD; or
  • 10%, if after the initiation of a preparatory procedure and until the initiation of a sanctioning administrative proceeding.

• 5%, in cases where there is appropriate cooperation or good faith on the offender's part.

Calculation of Simple Fine Amount

Various elements need to be considered while calculating the applicable amount of fine for a specific instance of infringement. Fortunately, the Regulation provides all the necessary information required for anyone to determine the fine precisely.

The formula for the simple fine sanctions is as follows:

Vfine = Vbase X (1 + Aggravating - Mitigating)

Where:
Vfine = amount of the fine;
Vbase = base value of the fine;
Aggravating = sum of the percentages, in decimal form, of the aggravating circumstances; and
Mitigating = sum of the percentages, in decimal form, of the mitigating circumstances.

While the formula itself is relatively easy to interpret, here’s how the process behind the use of it would ideally go through.

Step 1: Determination of the Base Rate

The process will start with the ANPD classifying any potential offense per the classification discussed above. Per this classification, the minimum and maximum range of rates to be applied is as follows:

Classification	Percentage of Revenue
	A1	A2
Minor	0.08%	0.15%
Average	0.13%	0.50%
Serious	0.45%	1.50%

Afterward, the degree of damage (GD) has to be determined via the use of the following scale:

Value	Degree of Damage
3	The offense has caused an injury or offense to the collective or individual rights and interests, which given the extraordinary circumstances of the case, have an irreversible or difficult-to-reverse impact on the affected data subjects of a material or moral nature, causing, among other situations, discrimination, violation of physical integrity, the right to image and reputation, financial fraud or misuse of identity.
2	The offense has caused an injury or offense to the collective or individual rights and interests, which given the extraordinary circumstances of the case, generate impacts on the data subjects of a material or moral nature that do not fit the criteria indicated in the description of the degree of damage 1 or 0.
1	The offense has caused an injury or offense to the rights and interests of a small number of data subjects with little material or moral impact that can be reversed or compensated with relative ease.
0	The offense does not cause any damage or only causes a minimal insignificant impact on data subjects. Hence, it does not justify the need for compensation.

With all the information mentioned above available, the following formula can be applied:

Abase = (A2-A1)/3 * GD + A1

Where:

A2 = maximum rate according to the classification of the infraction;
A1 = minimum rate depending upon the classification of the Offence;
GD = degree of damage caused by the infraction; and
Abase = base rate

Step 2: Determination of the Base Value of the Fine

The base value of the fine will be determined using the following formula:

Vbase = Abase * (Billing - Taxes)

Where:

Vbase = base value of the fine;
Abase = base rate;
Invoicing/billing = invoicing of the offender; and
Taxes = taxes levied.

In case the offense is caused by a natural person or a legal entity that does have billing, the base value of the fine can be calculated using the following formula.

Vbase = (V2 - V1)/3 * GD + V1

Where:

Vbase = base value;
V2 = maximum value according to the classification of the Offence;
V1 = minimum value depending on the classification of the Offence; and
GD = degree of damage caused by the infraction.

The information needed to execute the aforementioned formula can be found in the following table:

Classification	Value (in R$)
	V1	V2
Minor	1,500	3,500
Average	3,000	7,000
Serious	6,750	15,750

Step 3: Determination of the Fine Amount

The following formula needs to be applied for the base value of the fine:

Vfine = Vbase * (1 + Aggravating Factors - Mitigating Factors)

Where:

Vfine = amount of fine;
Vbase = base value of the fine;
Aggravating Factors = sum of the percentages, in decimal form, of the aggravating circumstances; and
Mitigating Factors = sum of the percentages, in decimal form, of the mitigating circumstances.

Step 4: Adequacy to the Minimum and Maximum Limits of the Fine

Lastly, it has to be ensured that the value of the resulting fine is at least twice the amount of any advantage received by the offending entity. In case, the fine is lower, it has to be adjusted to ensure the value remains twice that of the advantage received.

Furthermore, if necessary, the fine amount must be adapted to the minimum amounts of the fine to be applied and the maximum limit of 2% of the turnover of the legal entity in Brazil in its last financial year in total, to R$ 50,000,000 for the offense, so that:

Vfine, if Vmin ≤ Vfine ≤ Vmax

Vfinal = Vmin, if Vfine < Vmin

Vmax, if Vfine > Vmax

Where:

Vmin = minimum amount of fine to be considered according to the table below or double the advantage earned, whichever is greater;
Vmax = maximum amount of fine to be considered, respecting the maximum limit of 2% of the gross revenue of the legal entity or R$ 50,000,000, whichever is lower; and
Vfinal = final amount of the fine to be applied.

Hence, the final amount of the fine for the offense will have as its minimum limit, the highest value between:

1. Twice the advantage earned when estimated;
2. The minimum amount provided in the following table.

Classification	Value (in R$)
Minor	1,000 (Offender is a Natural Person or Legal Entity Without Billing) 3,000 (Offenders other than natural person or legal entity without billing)
Average	2,000 (Offender is a Natural Person or Legal Entity Without Billing) 6,000 (Offenders other than natural person or legal entity without billing)
Serious	4,000 (Offender is a Natural Person or Legal Entity Without Billing) 12,000 (Offenders other than natural person or legal entity without billing)

Similarly, the maximum limit will be the lowest value between:

1. R$50,000,000;
2. 2% of the turnover of the legal entity under private law, group, or conglomerate of companies in Brazil in its last financial year, excluding taxes.

Payment of the Fine

Once the offending entity has calculated precisely what fine they are obliged to pay, the Regulation requires that the fine be paid within twenty (20) working days, starting from the official date the decision to enforce the fine was made and communicated to the entity.

The Regulation provides a 25% reduction in the total fine amount for offending entities that expressly waive their right to appeal the decision of the first instance.

In case, the fine is not paid within this time frame, a daily interest of 0.33% on the arrears and the default fine will be applicable.

How Can Securiti Help

Like all major data regulations, LGPD places a tremendous degree of importance on an organization involved in data processing to be fully compliant with all its requirements. These requirements include ensuring all processed data is appropriately collected, stored, managed, and used while also giving the users an appropriate degree of control over their collected personal data.

Failure to comply with these obligations can lead to strict regulatory actions such as heavy fines and the temporary or permanent suspension of all data processing activities.

To avoid such a disastrous scenario, organizations must opt for an effective and efficient solution that can deliver seamless compliance with all major LGPD-related obligations.

Securiti, a leader in providing enterprise data privacy, protection, governance, and compliance solutions, has a plethora of modules and dedicated products that can help you achieve just that.

Its PrivacyCenter.cloud should be of particular interest as it allows websites to consolidate and address their privacy obligations easily from a single centralized dashboard.

Sign up for PrivacyCenter.cloud today and ensure compliance with LGPD and all other major data regulations today.