Giovanna Spatti Rossagnesi
Enacted in August 2018, Brazil’s General Data Protection Law (LGPD) aims to safeguard citizens’ fundamental rights to freedom and privacy. The law came into force in September 2020, and the National Data Protection Authority (ANPD) is the body responsible for its enforcement and oversight.
The ANPD’s role in ensuring compliance with the LGPD includes supervisory, advisory, preventive, and sanctioning activities related to data processing agents.
Data processing agents—whether controllers or processors, individuals or legal entities, public or private—are subject to ANPD oversight regardless of the medium used, the country in which the organization is based, or the location of the data, as long as:
The data processing occurs within Brazilian territory;
The processing activity is related to the offering of goods or services to, or involves data of, individuals located in Brazil; or
The personal data was collected in Brazil.
In this context, the ANPD’s growing activity in conducting evaluations highlights the evolution of the LGPD regulatory landscape in Brazil. Since its first published sanction in July 2023, seven penalty decisions have already been issued, with four additional cases currently underway. This trend reinforces the ANPD’s commitment to ensuring that companies comply with existing legislation and demonstrates that enforcement and penalties are not merely theoretical but a concrete reality impacting the business sector.
As an example, in Administrative Proceeding No. 00261.000489/2022-62, a private-sector company was fined R$14,400.00 for the following violations: failure to demonstrate a legal basis for processing personal data (Articles 7 and 11 of the LGPD); failure to provide evidence of maintaining records of data processing activities (Article 37); failure to submit a data protection impact report related to its processing operations (Article 38); and failure to demonstrate the appointment of a Data Protection Officer (Article 41).
Given this scenario, it is essential for companies to adopt proactive measures to ensure LGPD compliance and avoid fines, warnings, and other administrative penalties such as the one above. Some of the key actions organizations should implement include:
Mapping and reviewing data processing activities
Establishing internal data protection policies and procedures
Appointing a Data Protection Officer (DPO)
Monitoring and responding to security incidents
Addressing the requests and rights of data subjects (consumers)
Thus, the ANPD’s increasingly active enforcement of the LGPD underscores how important it is for companies to prioritize compliance. Adopting sound data governance practices not only mitigates regulatory and financial risks but also strengthens trust among consumers and business partners, ultimately becoming a competitive advantage in the market.
LGPD compliance should be treated as an ongoing process in which companies remain up to date on new guidelines and regulations issued by the ANPD, fostering an organizational culture centered on data protection and privacy.
Given this landscape, it is essential that companies seek legal counsel specialized in LGPD implementation to ensure that every stage of the compliance process is conducted safely, effectively, and in alignment with regulatory requirements.