On July 6th, the National Data Protection Authority (ANPD) marks two years since its first administrative sanction was imposed. Since the implementation of the regulation for sanction quantification and enforcement in February 2023, the ANPD has initiated a fundamental process of oversight and sanctioning, culminating in the inaugural imposition of a monetary penalty on a small business.
Initially, there were speculations regarding the amount of the penalty, which was set at R$ 14,400.00, considered low in relation to the impacts of the decision and the ANPD's actions within the national legal framework. Despite the modest amount, this sanction marked the beginning of the Authority's enforcement activity, which primarily focuses on the application of sanctions such as warnings and corrective measures. Thus far, this has been the only monetary sanction imposed.
The ANPD, positioning itself as a guiding body, has intensified its oversight activities over the past two years, having adjudicated 76 oversight processes, 17 of which are currently active. However, when comparing the number of companies subject to oversight with the total number of personal data holders in Brazil, the volume of processes is still considered low, highlighting the Authority's measured approach.
In this context, the sanctions imposed by the ANPD so far, reflecting its repressive activity, include warnings and corrective measures, such as the obligation to notify data subjects of security incidents and to present a Data Protection Impact Assessment (DPIA), in addition to the publication of infractions.
Although the Authority has used oversight processes to implement preventive measures more frequently, this activity aims to ensure compliance among data processing agents, being more intense in the public sector than in the private.
The ANPD's oversight actions are essential for ensuring compliance with the Brazilian General Data Protection Law (LGPD), promoting a safer environment for personal data holders.
Therefore, the Authority maintains its triangular strategy, encompassing regulation, oversight, and education. In this regard, 12 public hearings, 14 calls for contributions, and 9 guiding manuals have already been conducted, along with partnerships with other authorities, such as the Superior Electoral Court (TSE) and the National Consumer Secretariat (SENACON), to guide the application of the LGPD in the electoral context and assist holders in protecting their personal data.
These initiatives emphasize the relevance of the ANPD and the need for continuous monitoring of data protection standards. Aligning with ANPD guidelines is not merely a legal compliance issue but an ethical responsibility regarding the rights of data subjects. Companies, therefore, must prepare for this new reality by keeping pace with this movement and ensuring transparent and adequate practices in compliance with applicable legislation regarding personal data processing.
Check in detail the educational, supervisory, and enforcement actions implemented by the ANPD by clicking here.