First application of a fine by ANPD: what can we learn?

messi74

The first week of July 2023 was one of the busiest in terms of personal data protection in Brazil, since, although the Law has been in force for almost 3 years, the first fine was applied by the National Data Protection Authority (ANPD).

And one of the most important and surprising aspects was that, contrary to what most experts expected, the company that suffered the sanction was not a company of great relevance in the national market, nor did it belong to the Big Tech group, but a small-scale agent.

The objective of this article is to analyze each infraction gambling data saudi arabia committed by the company and recommend actions so that other companies do not make the same mistakes, in addition to providing evidence of ANPD's position for future convictions.

The Telekall case
The first case of a fine by the ANPD in Brazil occurred due to some infractions committed by the company Telekall Inforservice, a micro-enterprise that operates in the private sector as a telephone service provider, which allegedly offered candidates in the municipal elections a list of WhatsApp contacts of voters in Ubatuba/SP for the purpose of disseminating electoral campaign material.

The ANPD was initiated by means of an official letter from the Public Prosecutor's Office of São Paulo, through the Public Prosecutor's Office of Ubatuba, which demonstrates the widespread concern with the protection of personal data in the supervisory bodies of different federative entities.

Sanctions applied
The Authority found that some provisions of the LGPD were violated, namely:

Art. 7 and Art. 11 – lack of proof of a legal hypothesis for the processing of personal data;
Art. 37 – lack of proof of registration of personal data processing operations;
Art. 38 – failure to send a report on the impact on the protection of personal data relating to its processing operations;
Art. 41 – lack of proof of the appointment of the person in charge.
In addition to the violated provisions of the Legislation, there was also a lack of compliance with the Regulation of the Inspection Process and the Administrative Sanctioning Process, an ANPD Resolution that regulates inspection, published in 2021.

As the inspected company did not comply with the Authority's requests, a penalty was applied.

Thus, in total, there were five violations of the rules on the protection of personal data and privacy, which we will analyze individually.