Penalties for Non-compliance
What are the potential penalties / remedies for non-compliance with the key data privacy and cybersecurity laws in the jurisdiction?

Last review date: January 2024

There are:

☒       administrative remedies / civil penalties applied by regulators and law enforcement

According to the LGPD, sanctions include:

  • Warnings, with an indication of a deadline for correction measures to be undertaken
  • Simple fines of up to 2% of the net turnover of the economic group in Brazil, in its last fiscal year, limited to BRL 50 million (approx. USD 10.5 million) per violation
  • Daily fines, subject to the total limit of the previous fine
  • Disclosure of the violation, after having properly verified and confirmed its occurrence
  • Blocking of the personal data that is the subject of the violation, until remedied
  • Deletion of the personal data that is the subject of the violation
  • Suspension of the relevant database for six months, renewable for another six-month period
  • Suspension of the processing activities for six months, renewable for another six-month period
  • Prohibition of processing activities

Recently, the ANPD published the Regulation on the Calculation and Application of Administrative Sanctions, which establishes standards and criteria for the application of administrative sanctions by the Authority, as well as the forms and dosimetry for calculating the base value of fine sanctions.

☒       criminal penalties from regulators and law enforcement

According to the Brazilian Criminal Code, it is a criminal offense to invade third parties' information devices, whether or not such devices are connected to the internet, by means that aim to obtain, alter or destroy data or information without the express or implied authorization from the device owner or to install vulnerabilities to obtain illicit advantages. The crime is punishable by detention of three months to one year, plus a fine. This penalty also applies to anyone who makes, offers, distributes, sells or discloses a computer device or software aimed at enabling the conduct described above. Also, in the event that the invasion results in obtaining content from private electronic communications, industrial or trade secrets, confidential information or the unauthorized remote control of the device, the penalty is increased to imprisonment for six months to two years, plus a penalty. This latter penalty is also increased in the event that the data or information obtained is disclosed, traded or transmitted to third parties.

☒       private remedies

The imposition of administrative remedies does not preclude the right of affected individuals to claim indemnification for damages caused by the processing of personal data. The Brazilian Federal Constitution expressly entitles the data subject to indemnification for both moral and material damages for violations of the individual's rights to data protection, intimacy, privacy and honor.

☐       other

If data subjects have private remedies, what form can these remedies take?

☒        individual personal actions

☒       representative actions (e.g., brought by a consumer / data privacy body or the supervisory authority)

☒       class actions