The Brazilian Data Protection Authority (ANPD) published, on July 6th, its first conclusive opening order, due to violations of the Brazilian General Data Protection Law (LGPD). ANPD has imposed fines and issued a warning against a small business from the telecommunications sector.
The inspection process started with a complaint from the Prosecutor's Office of the State of São Paulo about the undue commercialization of a WhatsApp contact list (telephone numbers) to third parties for the dissemination of electoral campaign material.
After an investigation conducted by ANPD and insufficient grounds offered by the offender, the following penalties were applied:
-
warning for the violation of the legal obligation of appointing a data protection officer as provided for in art. 41 of LGPD;
-
fine of BRL 7,200.00 for the violation of the statutory basis provisions of art. 7 of LGPD, what was considered to be a severe violation since the small business intended to obtain profits from such conduct; and
-
fine of BRL 7,200.00 for severe violation related to the obstruction of ANPD’s inspection activity, due to the small business’ failure to comply with the obligation of submitting documents and information during inspection processes, as provided for in ANPD’s Inspection Regulation.
Regarding the calculation of the penalty applied, the amount of each fine represented the maximum limit provided under the LGPD, i.e., 2% of the data processing agent's revenue. As the company’s revenue was not disclosed to ANPD, the gross revenue limit of small businesses provided by law was considered (BRL 360,000.00).
The fine must be paid within 20 business days, as of the official notice. The company may file an appeal within 10 business days, but there will be a 25% reduction in the amount of the imposed fine in case the company expressly waives its right to appeal.
Based on ANPD’s report, it seems that the small business' failure to cooperate and the inexistence of basic information and data protection documents increased the penalties. Thus, it is important that processing agents maintain records and clear information about the processing activities they perform. Furthermore, considering that the first penalty was applied to a small business, it is clear that any company, regardless of its size or activity, may be inspected and potentially penalized by ANPD for violations of the LGPD and/or ANPD regulations.
