Brazil: Sanctions under the Data Protection Law Take Effect

By‎ Adv. Haim Ravia

Partner, Chair of the Cyber, Privacy & Copyright Group at Pearl Cohen Zedek Latzer Baratz

By‎ Adv. Dotan Hammer

Partner at the Cyber, Privacy & Copyright Group, Pearl Cohen Zedek Latzer Baratz

Reading time: 1 Minute
Save to "My Content"

The final component of Brazil’s Lei Geral de Proteção de Dados (LGPD) – the administrative sanctions piece – became effective at the beginning of August, enabling the Brazilian national data protection authority (ANPD) to effectively enforce the LGPD.

According to the newly effective provisions, data controllers who do not comply with the LGPD may be subject to the following sanctions, among others:

  • Daily fines;
  • Public notification of the infringement after it is duly investigated and confirmed;
  • Partial suspension of the operation of the database that is the subject of the infringement for up to six months (extendable to twice this period), until the controller remedies the unlawful processing activity;
  • Partial or total prohibition of the activities related to data processing. 

In imposing sanctions, the ANPD will consider, among other factors, the severity of the infringement, the size and economic power of the infringing data controller, the level of cooperation by the data controller, and the existence of policies and mechanisms to safely process personal data.

The LGPD was enacted in August 2018. It was due to take effect in three increments: upon the establishment of the ANPD (December 2018), upon the commencement of data controllers’ obligations and data subjects’ rights (September 2020), and finally upon the introduction of sanctions.

CLICK HERE to read the LGPD.