On February 27, the National Data Protection Authority (ANPD) finally published the Regulation on Dosimetry and Application of Administrative Sanctions, which establishes the dosimetry guidelines for sentences, especially for calculating the base value of the fines the agency may apply. It is an initiative of the rapporteur and director of the ANPD, Arthur Sabbat, in which he was unanimously followed by the rest of the board. Although the criteria set out below establish clear guidelines, the ANPD may depart from its methodology or review the penalty if it finds a lack of proportionality between the severity of the violation and the intensity of the sanction.
The administrative sanctions to be applied by the ANPD for violating the General Data Protection Act (LGPD) are divided into:
TYPES OF ADMINISTRATIVE SANCTIONS AND APPROPRIATE HYPOTHESES
1. Warning
   1. The violation is minor or medium in severity and does not incur specific recidivism; or
   2. Corrective measures must be imposed.
2. Simple Fine
   1. The offender has not complied with the preventive or corrective measures imposed, within the established deadlines, when applicable;
   2. The violation is classified as severe; or
   3. A different sanction cannot be applied due to the nature of the violation, processing activity or personal data, and the circumstances of the specific case.
3. Daily Fine (cumulative and adding up to BRL 50 million)
   1. After being notified of the irregularities that have been practiced, failure to remedy them within the specified period;
   2. Obstruction to inspection activity, provided that the application of the daily fine is necessary to clear it; or
   3. Permanent violation recurrent until the decision.
4. Publication of the Infringement
   The ANPD may apply the sanction of making the offender public, considering the relevance and public interest of the matter.
5. Temporary Blocking of Personal Data to which the violation refers
   The ANPD may order the offender to block relevant personal data until the situation is resolved.
6. Deletion of Personal Data to which the violation refers
   The ANPD may order the offender to delete personal data to which the violation refers, whereby data or a set of data stored in a database will be deleted.
7. Partial Shut Down of the Database to which the Infraction refers
   The ANPD may order the offender to shut down part of the database to which the violation refers, for a maximum period of six months (taking into consideration the public interest, the impact on the rights of the personal data subjects, the classification of the violation, and the complexity in correcting the processing activity by the offender), in order to suspend the operation that violates the personal data protection legislation.
8. Suspension of the Activity of Processing Personal Data
   The ANPD may order the offender to suspend the activity of processing personal data, applicable for a maximum period of 6 months (taking into consideration the public interest, the impact on the rights of the personal data subjects, and the classification of the violation), being extendable for another six months.
9. Partial or Total Prohibition of Carrying Out Activities related to Data Processing
   1. After recurrence of the violation which resulted in partial shutdown of the database or suspension of the activity of processing personal data;
   2. Processing of personal data was carried out for illegal purposes, or without legal support; or
   3. The offender cannot or can no longer meet the technical and operational conditions to maintain proper processing of personal data.
* Sanctions 7 to 9 will only be applied after at least one of sanctions 2 to 6 has already been enforced.
It is important to point out that all sentences are to be applied gradually, individually or cumulatively, after an administrative procedure and based on a reasoned decision by the ANPD. The right to a fair hearing, defense and due process of law will be ensured; if there is more than one offender, sentences will always be enforced individually.
Non-compliance by the violating party will give the ANPD reason to raise the severity of sanctions, without prejudice to applicable legal measures, since sanctions are applied at the administrative scope.
The following parameters and criteria must be taken into account when defining the sanction:
PARAMETERS AND CRITERIA
1. The severity and nature of the violation and personal rights affected;
2. The good faith of the offender;
3. The advantage gained or intended by the offender;
4. The economic condition of the offender;
5. The specific recurrence;
6. The generic recurrence;
7. The degree of damage;
8. The offender's cooperation;
9. The repeated and demonstrated execution of internal mechanisms and procedures capable of minimizing damage, aimed at safe and adequate data processing, in line with the LGPD;
10. The adoption of good practice and governance policies;
11. The immediate adoption of corrective measures;
12. The proportionality between the severity of the infringement and the intensity of the sanction;
Violations are classified as minor, medium or severe by their nature and severity, according to the concepts below:
CLASSIFICATION OF INFRINGEMENTS AND DEFINITION
Serious Violations
   1. When they present any of the medium violation indicators and, at least, one of the below:
      a) involve the processing of personal data on a large scale, covering a significant number of data subjects, wherein the volume of data involved as well as the duration, frequency and geographic extension of the processing carried out are also considered;
      b) the offender earns or intends to earn economic advantage as a result of the committed offense;
      c) the violation involves risk to the data subjects' lives;
      d) the offense involves the processing of sensitive data or personal data of children, teenagers or elderly people;
      e) the offender performs the processing of personal data without support in one of the legal hypotheses provided for in the LGPD;
      f) the offender processes the data with illicit or abusive discriminatory effects; or
      g) systematic adoption of irregular practices by the offender is verified;
   2. When they constitute an obstruction to supervision.
Medium Violations
   When they can significantly affect the interests and fundamental rights of the personal data subjects, in situations where the processing activity can significantly prevent or limit the exercise of rights or the use of a service, as well as causing material or moral damages to data subjects, such as discrimination, violation of physical integrity, the right to image and reputation, financial fraud or misuse of identity, as long as they are not classified as severe.
Minor Violations
   When they do not have any of the indicators mentioned above.
Attention must be brought to the definition of the base value for a simple fine, in which the following elements may be considered:
ELEMENTS FOR DEFINING THE BASE VALUE OF THE FINE
1. The classification of the violation;
2. The offender's budget in the last available financial year prior to enforcement of the sanction, excluding taxes, related to the business activity in which the violation occurred; and
3. The extent of damages.
The base value of the fine will be increased or reduced according to the aggravating or mitigating circumstances described below, respecting the minimum and maximum limits provided for sanctions according to the LGPD. Starting with the aggravating circumstances:
AGGRAVATING CIRCUMSTANCES AND PERCENTAGE OF INCREASE
Specific Recurrence: 10% up to the limit of 40%
Generic Recurrence: 5% up to the limit of 20%
Per measure or preventive measure not complied with in the inspection process or in the preparatory procedure that preceded the administrative process for the violation: 20% up to the limit of 80%
Each corrective measure not complied with: 30% up to the limit of 90%
* If there is an incidence of more than one aggravating circumstance, the percentages must be applied cumulatively.
And the mitigating circumstances:
MITIGATING CIRCUMSTANCES AND PERCENTAGE OF REDUCTION
Cases of Ceasing the Violation:
   a) 75% if prior to the initiation of a preparatory procedure by the ANPD;
   b) 50% if after the initiation of a preparatory procedure and until the initiation of a sanctioning administrative process; or
   c) 30% if after the initiation of a sanctioning administrative process and until the delivery of the initial decision within the scope of the sanctioning administrative process;
Cases of implementation of good practice and governance policies or repeated and demonstrated adoption of internal mechanisms and procedures capable of minimizing damage to data subjects, aimed at safe and adequate data processing, until the delivery of the initial decision within the scope of the sanctioning administrative process: 20%
Cases in which the offender has proven the implementation of measures capable of reversing or mitigating the effects of the violation on the affected personal data subjects:
   a) 20% if prior to the initiation of a preparatory procedure or sanctioning administrative process by the ANPD; or
   b) 10% if after the initiation of a preparatory procedure and until the initiation of a sanctioning administrative process.
Cases in which cooperation or good faith on the part of the offender is verified: 5%
* In the event of more than one mitigating circumstance, the percentages must be applied cumulatively.
It is, therefore, a commendable initiative by the ANPD to try to reduce subjectivity in the application of the administrative sanctions it might impose when there is a need to penalize any violation of the protection of data subjects' personal data.