
*Per Leonardo Melo Lins

The reasons that led to the application of the first fine by the National Data Protection Authority (ANPD), imposed on a micro telemarketing company in Espírito Santo, have already been well debated. In short, the ANPD imposed a warning and two fines: the warning, “due to the failure to indicate a person in charge of processing personal data” (DPO); a “simple fine in the amount of R$ 7,200 for lack of legal hypothesis for the processing of personal data”; and, finally, “a simple fine in the amount of R$ 7,200 for not complying with ANPD requests during the investigation process”[1].

In this article, I will discuss aspects of the warning given to the company and of the second fine applied, taking as a reference the data on companies' compliance with the General Data Protection Law (LGPD) released last year by Cetic.br[2]. With indicators developed together with experts from academia and the public sector, the survey provides a broad overview of the current stage of personal data protection practices in Brazilian companies.

The first point concerns the DPO[3]. Although the ANPD has recently waived the appointment of a person in charge in small organizations, the appointment is still required if the company processes high-risk personal data[4]. The warning issued by the ANPD serves as an alert to other companies, and the available data show that there is still a way to go before the role of the DPO is consolidated among Brazilian companies.

According to the survey, 17% of Brazilian companies appointed a data officer, a practice that is more common among large companies (41%)[5]. With regard to the market in which they operate, the information and communication and professional activities sectors have the highest share of companies that appointed a data officer, closely followed by the transport sector, but in all cases the share is a very small proportion of companies.

[Graph 1 – Companies, by appointment of a data officer. Total companies (%)]

It is important to note that the data above do not imply that every company needs to appoint a data officer, or that the low proportion of DPOs will lead to widespread warnings regardless of company size and sector. However, the data above show that in most companies there is no professional responsible for ensuring and promoting a culture of data protection, a culture that could avert future warnings and fines.

A practical effect of this is precisely the reason for the second fine imposed: the absence of a personal data protection impact report and of processing procedures, which implies that there was no defined flow for the entry and disposal of this data[6].

According to the Cetic.br survey, the presence of procedures for the proper processing of personal data is still incipient, especially in small and medium-sized companies. Only 13% of companies prepared a personal data protection impact report, while 24% prepared an LGPD compliance plan. From the point of view of transparency, the scenario is also incipient, as only 32% of companies have developed a privacy policy that informs how personal data is processed. As the chart below shows, only large companies have more consolidated practices for compliance with the LGPD.

[Graph 2 – Companies, by type of LGPD compliance action. Total companies (%)]

In short, basic aspects of the processing of personal data still need to be disseminated, especially among small and medium-sized companies. Several current practices can lead to the incorrect use of the personal data of customers and employees and can give rise to further fines and warnings.

Even though the law is recent and there are uncertainties about how to comply with it correctly, it is necessary to make personal data protection best practices a constant, since ensuring the proper use of data is increasingly central to an organization's reputation, and since it avoids penalties that could cause irreversible reputational and financial damage[7].

*Leonardo Melo Lins is Researcher at the ABES Think Tank, member of the Postdoctoral Program at IEA/USP and Analyst at Cetic.br | NIC.br


[1] The details of the decision can be consulted here.

[2] More information about the survey at this link.

[3] According to the LGPD, the attributions of the person in charge of personal data are: “I – accept complaints and communications from data subjects, provide clarifications and adopt measures; II – receive communications from the national authority and adopt measures; III – guide the entity's employees and contractors regarding the practices to be adopted in relation to the protection of personal data; and IV – carry out other attributions determined by the controller or established in complementary norms”.

[4] Resolution CD/ANPD n. 2, of January 27, 2022, in its Article 11, exempts small organizations from appointing a personal data protection officer. However, it is important to point out that the ANPD uses the organization's revenue as its size criterion. More details here.

[5] The survey classifies company size by the number of people employed: up to 49, small; between 50 and 249, medium; 250 or more, large.

[6] The personal data protection impact report is defined in Article 5 of the LGPD as: “documentation from the controller that contains the description of the processes for processing personal data that may generate risks to civil liberties and fundamental rights, as well as measures, safeguards and risk mitigation mechanisms”.

[7] It is worth remembering that several guidance documents are available on the ANPD website.

Notice: The opinion presented in this article is the responsibility of its author and not of ABES - Brazilian Association of Software Companies
