



On 6 July 2023, Brazil's National Data Protection Authority (ANPD) issued its first penalty under the Brazilian General Data Protection Law (LGPD), against a small processing entity. The decision underlines both the need for robust safeguards against data breaches and the importance of having a valid legal basis for every data processing activity.


The Data Breach


The company operates in the telemarketing sector and was the subject of an administrative proceeding over a large-scale data breach. The breach was the company's own doing: it shared the personal data of a large number of São Paulo residents with political candidates, who used it for mass campaign messaging during the 2020 elections.


The Imposed Penalty


Article 52 of the LGPD sets out the administrative sanctions available to the ANPD, including substantial fines, for failure to comply with the law. In this case the data controller, despite being a small or medium-sized enterprise, was fined BRL 14,400 (approximately USD 3,000). The amount was calculated under the parameters set out in ANPD Resolution CD/ANPD nº 4/2023, which weighs factors such as the seriousness and nature of the infringement and the extent of the harm to individuals' rights. There are clear lessons for organisations in Brazil's first ANPD fine.


Key Breach Allegations


The ANPD's decision identified several infringements by the company:

  1. No legal basis: the controller could not demonstrate a valid legal basis for processing the personal data, in breach of Article 7 of the LGPD.
  2. No designated officer: Article 41 of the LGPD requires organisations to appoint a person responsible for the processing of personal data. The company had not done so.
  3. Non-cooperation with the authority: the company failed to comply with the ANPD's requests to provide documents and assist with the investigation, in breach of Article 5 of the Inspection Regulation.


Implications for Enterprises


This precedent-setting ruling is a reminder that the ANPD's reach extends to organisations of every size. All organisations, large or small, need to treat data protection with care and take responsibility for it.


Transparency and Mitigation


The transparency of the sanctioning process gives organisations a valuable window into how the ANPD's administrative practice is developing. By following cases of this kind, organisations can assess their own exposure and design effective mitigation strategies. It is an opportunity to learn from others' mistakes and make sure their own data processing complies with the law.


Challenging Regulatory Decisions


Publishing sanctions also gives organisations a basis for challenging ANPD decisions where they believe the authority has exceeded the powers granted to it by the LGPD. This safeguard lets organisations defend their rights and strike a balance between regulatory compliance and the running of their business.

In summary, the ANPD's first penalty against a small processing entity in Brazil is a lasting reminder of the seriousness of protecting against data breaches and of the need for a sound legal basis for data processing. It is a call for organisations to prioritise regulatory compliance, act transparently, and proactively protect individuals' privacy rights in a landscape defined by the ubiquity of data.