The Lei Geral de Proteção de Dados Pessoais, or General Personal Data Protection Law (LGPD), is the primary data protection and data privacy law in effect within the Federative Republic of Brazil. Like all major global data privacy regulations, the law places several obligations upon organizations processing users' personal data. Failure to do so results in regulatory sanctions and reputational and operational losses.
The Autoridade Nacional de Proteção de Dados, or National Data Protection Authority (ANPD), is the national data protection authority that oversees the enforcement of the LGPD across Brazil.
On February 27, 2023, the Board of Directors of the ANPD approved the Regulation of Dosimetry and Application of Administrative Sanctions via Resolution CD/ANPD No. 4, of February 24, 2023.
Primarily, the Regulation establishes the parameters and criteria for the application of pecuniary and non-pecuniary administrative sanctions by ANPD in accordance with Articles 52 and 53 of the LGPD and also provides for the forms and dosimetry for calculating the base value of fine sanctions.
The newly issued Regulation by ANPD has been long awaited as it was the only obstacle left in the way of the authority to impose sanctions on entities failing to comply with the provisions of the LGPD. This is also evident from the fact that the ANPD did not take long to publish a list of sanctioning proceedings and initiate enforcement action after the publication of the Regulation.
In August 2022, the draft Regulation was opened to public consultation to gather feedback from data protection experts and the general public. Thousands of contributions were submitted, and a public hearing was also held where further contributions were received.
With the publication of the final Regulation, both businesses subject to the LGPD and the ANPD now have greater legal certainty and predictability regarding the sanctions applicable to LGPD infringements.
Currently, in addition to other administrative sanctions, the LGPD empowers the ANPD to impose fines that can go up to 2% of the offending entity's total revenue in Brazil, excluding taxes, for the preceding financial year. However, such penalties must be limited to BRL 50 million per infringement.
The sanctions will only be enforced once the ANPD conducts a comprehensive administrative inquiry, giving the offending entity the appropriate right to defense and other due processes of the law.
The offenses' severity and exact nature are a particular highlight of the new Resolution. All potential violations and offenses are classified into the following three severity levels:

| Classification | Description of Offence |
| --- | --- |
| Minor | Any offence not identified as average or serious. |
| Average | The offence significantly affects the interests and fundamental rights of the data subject. This includes instances where data processing may significantly limit the exercise of rights or the use of a service by the data subject. It may also lead to material and moral damages for the data subject, such as discrimination, identity theft, financial fraud, violation of physical integrity, and other comparable harms that are not classified as serious. |
| Serious | An offence shall be considered serious when: |
The Regulation also provides elaborated parameters and defines the criteria for each of the administrative sanctions that may be applied by the ANPD under section 152 of the LGPD. The following table provides a reference list for each of the administrative sanctions and their relevant articles under the Regulation:

| Sanction Type | Relevant Article in the Regulation |
| --- | --- |
| Warning | Article 9 |
| One-time Fine | Articles 10 to 15 |
| Daily Fine | Article 16 |
| Publication of the Offence (depending on relevance and public interest) | Articles 20 and 21 |
| Blocking of all Personal Data related to the Offence | Article 22 |
| Deletion of all Personal Data related to the Offence | Article 23 |
| Partial suspension of access to the database related to the Offence | Article 24 |
| Suspension of all processing activities related to Personal Data related to the Offence | Article 25 |
| Partial or complete suspension of all data processing activities | Article 26 |
With it being clear how the Regulation classifies each offense and the nature of its severity, the next obvious question is how it elaborates on calculating the base value for the fine sanctions. However, before proceeding to the calculation of the fine amount, it is pertinent to note that the Regulation also provides for different aggravating and mitigating circumstances that reflect the compliance level of the offending entity and directly impact the amount of the fine.
Following are the aggravating and mitigating circumstances under the Regulation and the prescribed rules governing their impact on the amount of fine:
In the following specific circumstances, the amount of the simple fine will be increased as follows:
In the following specific circumstances, the amount of the simple fine will be decreased as follows:
Various elements need to be considered while calculating the applicable amount of fine for a specific instance of infringement. Fortunately, the Regulation provides all the necessary information required for anyone to determine the fine precisely.
The formula for the simple fine sanctions is as follows:
Vfine = Vbase × (1 + Aggravating − Mitigating)
Where:
Vfine = amount of the fine;
Vbase = base value of the fine;
Aggravating = sum of the percentages, in decimal form, of the aggravating circumstances; and
Mitigating = sum of the percentages, in decimal form, of the mitigating circumstances.
While the formula itself is easy to interpret, the process of applying it runs as follows.
The process starts with the ANPD classifying the potential offense per the classification discussed above. Based on this classification, the minimum (A1) and maximum (A2) rates to be applied are as follows:

| Classification | A1 (minimum % of revenue) | A2 (maximum % of revenue) |
| --- | --- | --- |
| Minor | 0.08% | 0.15% |
| Average | 0.13% | 0.50% |
| Serious | 0.45% | 1.50% |
Afterward, the degree of damage (GD) has to be determined using the following scale:

| Value | Degree of Damage |
| --- | --- |
| 3 | The offense has caused an injury or offense to the collective or individual rights and interests which, given the extraordinary circumstances of the case, has an irreversible or difficult-to-reverse impact on the affected data subjects of a material or moral nature, causing, among other situations, discrimination, violation of physical integrity, of the right to image and reputation, financial fraud or misuse of identity. |
| 2 | The offense has caused an injury or offense to the collective or individual rights and interests which, given the extraordinary circumstances of the case, generates impacts on the data subjects of a material or moral nature that do not fit the criteria indicated in the description of degree of damage 1 or 0. |
| 1 | The offense has caused an injury or offense to the rights and interests of a small number of data subjects with little material or moral impact that can be reversed or compensated with relative ease. |
| 0 | The offense does not cause any damage or causes only a minimal, insignificant impact on data subjects and hence does not justify the need for compensation. |
With all the information mentioned above available, the following formula can be applied:
Abase = (A2 − A1) / 3 × GD + A1
Where:
A2 = maximum rate according to the classification of the infraction;
A1 = minimum rate depending upon the classification of the Offence;
GD = degree of damage caused by the infraction; and
Abase = base rate
The base value of the fine will be determined using the following formula:
Vbase = Abase × (Billing − Taxes)
Where:
Vbase = base value of the fine;
Abase = base rate;
Billing = invoicing (revenue) of the offender; and
Taxes = taxes levied.
If the offense is committed by a natural person or a legal entity that does not have billing, the base value of the fine is calculated using the following formula instead:
Vbase = (V2 − V1) / 3 × GD + V1
Where:
Vbase = base value;
V2 = maximum value according to the classification of the Offence;
V1 = minimum value depending on the classification of the Offence; and
GD = degree of damage caused by the infraction.
The minimum (V1) and maximum (V2) values needed for this formula are given in the following table:

| Classification | V1 (minimum, in R$) | V2 (maximum, in R$) |
| --- | --- | --- |
| Minor | 1,500 | 3,500 |
| Average | 3,000 | 7,000 |
| Serious | 6,750 | 15,750 |
The amount of the fine is then obtained by applying the aggravating and mitigating factors to the base value:
Vfine = Vbase × (1 + Aggravating Factors − Mitigating Factors)
Where:
Vfine = amount of fine;
Vbase = base value of the fine;
Aggravating Factors = sum of the percentages, in decimal form, of the aggravating circumstances; and
Mitigating Factors = sum of the percentages, in decimal form, of the mitigating circumstances.
Lastly, it has to be ensured that the resulting fine is at least twice the amount of any advantage received by the offending entity. If the fine is lower, it must be adjusted so that its value is at least twice the advantage received.
Furthermore, if necessary, the fine amount must be adjusted to the applicable minimum amounts and to the maximum limit of 2% of the legal entity's turnover in Brazil in its last financial year, capped at R$ 50,000,000 per offense, so that:
Vfinal = Vfine, if Vmin ≤ Vfine ≤ Vmax
Vfinal = Vmin, if Vfine < Vmin
Vfinal = Vmax, if Vfine > Vmax
Where:
Vmin = minimum amount of fine to be considered according to the table below or double the advantage earned, whichever is greater;
Vmax = maximum amount of fine to be considered, respecting the maximum limit of 2% of the gross revenue of the legal entity or R$ 50,000,000, whichever is lower; and
Vfinal = final amount of the fine to be applied.
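As an added illustration (not code from the page, Securiti or the ANPD), the following Python applies the dosimetry steps above end to end: rate band by classification, degree of damage, base value (revenue-based or the fixed-value fallback), the aggravating/mitigating adjustment, and the Vmin/Vmax clamp. It assumes the per-classification minimum amount as a parameter (table_min), since that table is not reproduced here, and computes the 2% cap on revenue net of taxes as stated earlier on this page.

```python
# Added example: LGPD fine dosimetry as described on this page (not ANPD's or Securiti's code).
# Amounts are in R$; rates are fractions of the offender's revenue in Brazil net of taxes.

# (A1, A2) bands by classification, from the percentage-of-revenue table above.
RATE_BANDS = {
    "minor": (0.0008, 0.0015),
    "average": (0.0013, 0.0050),
    "serious": (0.0045, 0.0150),
}
# (V1, V2) fixed bands for offenders without billing, from the R$ table above.
VALUE_BANDS = {
    "minor": (1_500, 3_500),
    "average": (3_000, 7_000),
    "serious": (6_750, 15_750),
}
FINE_CAP = 50_000_000     # R$ 50 million per infringement
REVENUE_CAP_RATE = 0.02   # 2% of revenue in Brazil (net of taxes, an assumption from the text)


def base_rate(classification, gd):
    """Abase = (A2 - A1) / 3 * GD + A1, with GD the degree of damage (0..3)."""
    if gd not in (0, 1, 2, 3):
        raise ValueError("degree of damage must be 0, 1, 2 or 3")
    a1, a2 = RATE_BANDS[classification]
    return (a2 - a1) / 3 * gd + a1


def base_value(classification, gd, billing=None, taxes=0.0):
    """Vbase: revenue-based when billing is known, otherwise the fixed V1/V2 band."""
    if billing is None:
        v1, v2 = VALUE_BANDS[classification]
        return (v2 - v1) / 3 * gd + v1
    return base_rate(classification, gd) * (billing - taxes)


def final_fine(classification, gd, aggravating=0.0, mitigating=0.0,
               advantage=0.0, billing=None, taxes=0.0, table_min=0.0):
    """Vfinal after the aggravating/mitigating adjustment and the Vmin/Vmax clamp.

    table_min stands in for the per-classification minimum (assumption: that table
    is not on this page). Vmin = max(table_min, 2 * advantage); Vmax = min(2% of
    net revenue, R$ 50M), or R$ 50M alone when the offender has no billing.
    """
    v_fine = base_value(classification, gd, billing, taxes) * (1 + aggravating - mitigating)
    v_min = max(table_min, 2 * advantage)
    v_max = FINE_CAP if billing is None else min(REVENUE_CAP_RATE * (billing - taxes), FINE_CAP)
    return min(max(v_fine, v_min), v_max)
```

For a constructed serious offence with GD 2, R$ 100M billing, R$ 10M taxes, +20% aggravating and -10% mitigating, the base rate is 0.0115, the base value R$ 1,035,000 and the fine R$ 1,138,500, below the R$ 1.8M cap.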
Hence, the minimum limit of the final fine amount for the offense is the higher of the values below:

| Classification | Value (in R$) |
| --- | --- |
| Minor | |
| Average | |
| Serious | |

Similarly, the maximum limit will be the lowest value between:
Once the offending entity has calculated precisely what fine they are obliged to pay, the Regulation requires that the fine be paid within twenty (20) working days, starting from the official date the decision to enforce the fine was made and communicated to the entity.
The Regulation provides a 25% reduction in the total fine amount for offending entities that expressly waive their right to appeal the decision of the first instance.
If the fine is not paid within this time frame, daily interest of 0.33% on the arrears plus the default fine will apply.
Like all major data regulations, LGPD places a tremendous degree of importance on an organization involved in data processing to be fully compliant with all its requirements. These requirements include ensuring all processed data is appropriately collected, stored, managed, and used while also giving the users an appropriate degree of control over their collected personal data.
Failure to comply with these obligations can lead to strict regulatory actions such as heavy fines and the temporary or permanent suspension of all data processing activities.
To avoid such a disastrous scenario, organizations must opt for an effective and efficient solution that can deliver seamless compliance with all major LGPD-related obligations.
Securiti, a leader in providing enterprise data privacy, protection, governance, and compliance solutions, has a plethora of modules and dedicated products that can help you achieve just that.
Its PrivacyCenter.cloud should be of particular interest as it allows websites to consolidate and address their privacy obligations easily from a single centralized dashboard.
Sign up for PrivacyCenter.cloud today and ensure compliance with LGPD and all other major data regulations today.