The Brazilian Data Protection Authority (“ANPD”) published its much anticipated first sanction on Thursday. The sanctions were applied against a call center and telemarketing company, considered a small processing agent as defined by the ANPD.1
According to the published decision,2 the company violated the provisions of the LGPD by failing to submit (i) the appointment of a Data Protection Officer and (ii) the Records of Processing Activities (ROPA),3 with no indication in the latter case of any lawful basis for the processing activities performed. In addition, the company did not cooperate with the ANPD during the investigation process.
Thus, a warning and two simple fines were imposed, each in the amount of BRL 7,200, for a total of BRL 14,400. Notably, the total amount of the fines in this specific case is a clear reflection of the parameters already established by the ANPD in Resolution CD/ANPD No. 4 of 2023 (Regulation on Dosimetry and Application of Administrative Penalties),4 which stipulates that the sanctions and the fines’ values be proportional to the size and revenue of the infringing company.
With the ANPD’s administrative sanctioning process coming online, it will be possible to monitor the developing administrative case law so that regulated entities can more accurately assess the risks they are subject to and the measures they can adopt to mitigate them. Additionally, when applicable, they can challenge the decisions by the ANPD that exceed its authority under the law.