Article 52
Administrative Sanctions by the National Authority - ANPD
Data processing agents, due to violations of the rules provided for in this Law, are subject to the following administrative sanctions applicable by the national authority:
- I - warning, indicating the deadline for the adoption of corrective measures;
- II - simple fine of up to 2% (two percent) of the revenues of the legal entity of private law, group or conglomerate in Brazil in its last year, excluding taxes, limited to a total of R $ 50,000,000.00 (fifty million reais) for infringement;
- III - daily fine, observing the total limit referred to in item II;
- IV - publicizing the infraction after duly ascertained and confirmed its occurrence;
- V - block the personal data to which the infringement refers until its regularization;
- VI - deletion of the personal data to which the infringement refers;
- VII - (Vetoed);
- VIII - (Vetoed);
- IX - (Vetoed).
- X - partial suspension of the operation of the database to which the infringement relates for a maximum period of 6 (six) months, extendable for an equal period, until the controller regularizes the processing activity;
- XI - suspension of the processing of personal data to which the offence relates for a maximum period of six (6) months, extendable for an equal period;
- XII - partial or total prohibition of activities related to data processing.
- 1. The sanctions shall be applied after an administrative procedure that allows the opportunity for broad defense, in a gradual, isolated or cumulative manner, according to the peculiarities of the specific case and considering the following parameters and criteria:
- I - the seriousness and nature of the infringements and personal rights affected;
- II - the offender's good faith;
- III - the advantage obtained or intended by the violator;
- IV - the economic condition of the violator;
- V - the recurrence;
- VI - the degree of damage;
- VII - the cooperation of the violator;
- VIII - the repeated and demonstrated adoption of internal mechanisms and procedures capable of minimizing the damage, aimed at the safe and adequate treatment of data, in accordance with the provisions of item II of § 2 of art. 48 of this Law;
- IX - the adoption of a policy of good practices and governance;
- X - prompt adoption of corrective measures; and
- XI - the proportionality between the gravity of the fault and the intensity of the penalty.
- 2. The provisions of this article do not replace the application of administrative, civil or criminal sanctions defined in Law No. 8.078, of September 11, 1990, and in specific legislation.
- 3. The provisions of items I, IV, V, VI, VII, VIII and IX of the caput of this article may be applied to entities and public bodies, without prejudice to the provisions of Law No. 8,112, of December 11, 1990 (Statute Federal Public Servant) , Law No. 8,429, of June 2, 1992 (Administrative Misconduct Law ) , and Law No. 12,527, of November 18, 2011 (Access to Information Law).
- 4. In the calculation of the amount of the fine referred to in item II of the caption to this article, the national authority may consider the total revenue of the company or group of companies, when it does not have the amount of revenue in the branch of business in which it occurred. infringement, as defined by the national authority, or when the value is presented incompletely or is not demonstrated unequivocally and properly.
- 5. The proceeds from the collection of fines imposed by the ANPD, whether or not inscribed in active debt, shall be destined to the Diffuse Rights Defense Fund referred to in art. 13 of Law No. 7,347 of July 24, 1985, and Law No. 9,008 of March 21, 1995.
- 6. The penalties provided in items X, XI and XII of the main section of this article shall be applied:
- I - only after at least one (1) of the penalties referred to in items II, III, IV, V and VI of the main section of this article have already been applied in the same specific case; and
- II - in the case of controllers subject to other bodies and entities with sanctioning powers, after hearing those bodies.
- 7. The individual leaks or unauthorized access referred to in the caput of art. 46 of this Law may be the subject of direct conciliation between controller and holder and, if there is no agreement, the controller shall be subject to the application of the penalties referred to in this article.