[co-authors: Lizandra Baptista, Julio Alves]
On July 6, 2023, the Brazilian National Data Protection Authority (ANPD) published an order imposing the first fine for breaches of the Brazilian General Data Protection Law (LGPD). The fine, totaling BRL 14,400 (around USD 3,000), was issued to a small-sized telemarketing company (Telekall Infoservice) and remains subject to appeal.
The company was investigated for personal data commercialization and for the lack of a data protection officer. According to the legal procedure prior to the sanction, the company offered a list of personal telephone numbers of voters for use in promoting electoral campaign materials in 2020. LGPD prohibits the commercialization and improper use of individuals' personal information. On top of that, the company did not have a designated professional responsible for any activities related to the use, processing, and storage of personal information. According to the LGPD, companies are required to have a Data Protection Officer responsible for ensuring the adequate protection of individuals' data and compliance with the law. ANPD stated that Telekall failed to demonstrate that it did not engage in high-risk data processing, which would be a condition for exemption from the requirement to appoint a Data Protection Officer.
The company was penalized for the following violations of LGPD: (i) the failure to appoint a Data Protection Officer, (ii) the lack of a legal basis for data processing, and (iii) non-compliance with ANPD's requests during its administrative process with respect to the company. In March 2023, ANPD released a list of the initial seven entities under investigation, consisting of six public agencies in addition to the company that has now been convicted. The first fine issued by ANPD comes nearly three years after the law was approved in September 2020.