ANPD Applies First Sanctions Of 2024

Mayer Brown


Additional author Ana Letícia Allevato

The Brazilian Data Protection Authority (Autoridade Nacional de Proteção de Dados, “ANPD”) applied its first two sanctions of 2024 against two Brazilian governmental institutions. It is worth noting that, as both are public bodies, neither entity is subject to fines.

First Sanction

In the first case, the ANPD found that a 2021 security breach improperly exposed the contents of a public school program made by the governmental institution in question, including the registration information and health data of 3,030 minors and their guardians. According to the ANPD, human error contributed to the improper access of the program's participants' data by unauthorized parties.

The ANPD classified the incident as “serious,” as it involved access to the personal health data of a significant number of subjects, including minors. The ANPD initially demanded that necessary measures be taken to address the breach. Subsequently, the ANPD demanded that the entity submit a record of personal data processing operations ("ROPA"), a data protection impact assessment ("DPIA"), its communications to the affected data subjects, and its information security and privacy incident management plan. Such requests by the ANPD for additional information and evidentiary support of a compliant information security program following security incidents are routine.

According to the ANPD, its demands were not fully met by the impacted governmental institution, which only provided evidence of communication to data subjects during the ANPD's sanctioning process, eight months after the Authority's initial demand to do so.

Ultimately, the ANPD applied four sanctions:

  • Warning for the minor violation of not maintaining a ROPA (Art. 37, LGPD);
  • Warning for the minor violation of not preparing a DPIA after a request from the ANPD (Art. 38, LGPD);
  • Warning for the serious violation of not notifying the data subjects of the security incident within a reasonable time; however, the ANPD understood that the delayed communication was compliant with LGPD regulations (Art. 48, LGPD); and
  • Warning for the serious violation of not presenting an incident management plan within the deadline established by the ANPD, which constituted—according to the Authority—obstruction of the ANPD's inspection activity, and therefore, a serious infraction (Article 5, Dosimetry Regulation).

The governmental institution narrowly avoided a potential fifth sanction. The ANPD alleged that the governmental institution failed to adequately train users to use the impacted platform (a violation of Article 46's duty to adopt administrative measures for information security). However, the ANPD dismissed this sanction after taking into consideration the impact the COVID-19 pandemic had on public and private entities, including the inability to reasonably carry out training. In light of these extenuating circumstances, the ANPD concluded that the pandemic constituted force majeure in this case, thereby rendering potential sanctions connected to the infraction moot.

When reviewing the ANPD's decision, it is important to note that:

(i) DPIAs can be prepared after the ANPD's request has been made, and their prior absence does not appear to constitute an LGPD violation.
(ii) Training users on specific platforms carries significant relevance, and failure to do so may be seen by the ANPD as a violation of the LGPD.

Second Sanction

In the second case, a governmental institution was penalized after failing to inform data subjects of a security incident that occurred in 2022, and which was reported to the ANPD. In this case, a data leak compromised the registration, health, and financial data of an undetermined number of subjects.

ANPD's full report has not yet been published, but additional details about the grounds for ANPD's decision may be disclosed at a later date (including the severity of the violation and sanctions).

The ANPD found that the incident caused a “relevant risk” to the data subjects and determined that the governmental institution should report the incident, as outlined in Article 48 of the LGPD. The governmental institution claimed, however, that it did not have the technical capacity to detail which user base had its data leaked, and therefore made the decision to not notify impacted individuals. The ANPD did not accept the governmental institution's argument, particularly because the LGPD makes clear that when affected data subjects cannot be identified, the entity must issue a form of substitute notice instead, seeking to reach all users of the platform by alternate means.

Accordingly, the ANPD imposed the following penalty:

  • Announcement of the infraction through a notice on the first page of the governmental institution's website, as well as by sending a message to all users of their app. Both the website notice and the in-app notice must be available for sixty days. Notably, the ANPD indicated the exact text to be used by the governmental institution, which begins: "(…), in light of the fact that [the entity] was convicted by the National Data Protection Authority for violation of the duty to notify data subjects of the occurrence of security incidents, communicates [...]".

The potential damage to the reputation of any company is significant, even if it does not carry the threat of a financial penalty.


© Copyright 2024. Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. All rights reserved.

This article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.
