ANPD and the regulation of personal data protection rules

National Data Protection Authority (ANPD)

The regulatory activity of the National Data Protection Authority (ANPD) is, from the perspective of the data economy, extremely important for all economic sectors, representing a common requirement of interested parties. This implies the relevance of monitoring and participating in public hearings and consultations, as well as analyzing reports of regulatory impacts, preparatory documents for ordinances, resolutions and other normative acts that will be edited by the ANPD.

It should be noted that the ANPD is a public body that is part of the Presidency of the Republic, endowed with technical and decision-making autonomy, jurisdiction throughout the national territory, responsible for ensuring, implementing and supervising compliance with the LGPD. Its powers are foreseen in that legal norm and in Decree nº 10.474 / 2020, which approved the regulatory structure of the ANPD. On November 6, 2020, its formal institution took place, with 15 appointed civil servants in January 2021, and a regulatory agenda already disclosed.

To date, over 60 LGPD points have been listed that depend on regulation, which are part of the 10 priority themes disclosed in Ordinance No. 11/2021 and will be the object of regulatory activity in the 2021-2022 biennium. An example that stands out due to the recent news of the leakage of 223 million personal data from Brazilians is the obligation of the controller to inform the ANPD and the holder of the occurrence of a security incident with significant risk or damage to the holders. In the resolution, for example, the deadline, the minimum content and the way of sending this communication should be specified.

It is also worth remembering that the validity of the articles of the LGPD that provide for the application of sanctions by the ANPD begins on August 1, 2021. Penalties that include, among others, a simple fine of up to 2% of the legal entity’s revenue, limited , in total, to R $ 50 million; daily fine; disclosure of the infraction; blocking and deleting personal data; partial suspension of the database operation; suspension and prohibition of the exercise of data processing activities.

On this subject, the beginning of the regulation is foreseen for the first semester of 2021. In it, the ANPD will organize its own resolution with regard to administrative sanctions against LGPD violations, which will detail the methodology for calculating the base value of sanctions and fines. , together with the circumstances and conditions for the adoption of these penalties.

Finally, it should be added that subsidies are being taken regarding the application of the LGPD for micro-enterprises, small companies, startups, innovation companies and individuals that process personal data for economic purposes. The deadline for sending contributions ends on March 1, 2021 by sending electronic communications to consultapublica@anpd.gov.br, according to a model publicly disclosed.

Wilson Sales Belchior