Brazilian Data Protection Authority’s (ANPD) first penalty for non-compliance with the Brazilian General Data Protection Law (LGPD)

Last July 6th, the ANPD ruled the first case of LGPD violation. The wrongdoer, which is a microenterprise, was fined in the amount of BRL 14,400 for offering to political candidates a database with voters’ personal data (including name, telephone number and address). According to the decision, the Brazilian company was processing personal data with no legal basis, in breach of Article 7 of the LGPD. It also failed to provide copies of documents and information requested by the ANPD. Lastly, the authority warned the company for not appointing a Data Protection Officer (DPO) as required by Article 41 of the LGPD.

Alongside other jurisdictions with GDPR-alike laws, the Brazilian authority is not only targeting big tech companies, but any enterprise, including micro, small and medium-sized ones whose activity is likely to result in a high risk, such as the commercial exploitation of subject’s personal data.

The penalty is still very low but the authority announced that for now the fines must be educational.