Since the date of its creation on July 8, 2019, the National Data Protection Authority (“ANPD” or “Authority”) has been developing and creating autonomy in relation to its activities.

In the first years, the ANPD focused on establishing a cooperative relationship with other government entities and educational actions and starting its action plan by regulating what is within its competence. For example, it published regulations to establish guidelines for dosimetry, the severity of sanctions, and how administrative sanctions would be applied when there are violations of the General Data Protection Law (“LGPD”) and/or the regulations issued by the Authority itself.

Thus, gaining strength in its autonomy and independence, on July 6, 2023, it was published in the Official Gazette that the ANPD has applied the first sanction in an administrative sanctioning proceeding against the company Telekall Infoservice (“Telekall” or “Company”).

 

What were the facts that led to the sanction application?

Investigations against the micro-enterprise Telekall began due to a supposed offer WhatsApp list of contacts for the purpose of sending electoral messages to voters in Ubatuba/SP. The investigation document (Notice of Infraction n. 3/2022/CGF/ANPD) indicates that the company Telekall offered a WhatsApp listing on its website for sending messages containing a database of 130 (one hundred and thirty) million people.

During the investigation, Telekall received the following questions from the sector that was conducting the investigation, the General Inspection Coordination[1] (“CGF/ANPD”): (i) indicate the company’s Data Protection Officer (“DPO”) and his/her contacts; (ii) indicate the origin of the data that the company provides to trigger WhatsApp messages; if it is from a specific supplier, identify it and provide the contacts; (iii) indicate how the database that serves as the object for the service offered by Telekall is compiled; (iv) indicate which data are part of the database made available to its customers; and (v) indicate how many records the company currently has in its database.

Telekall presented its defense but did not answer the CGF/ANPD’s questions. Therefore, the Authority sent a new official letter giving the company another opportunity to provide the requested clarifications and indicate any relevant information to clarify the facts investigated in the administrative proceeding. Once again, Telekall did not provide the information requested by the Authority; in this sense, Sanctioning Administrative Proceeding n. 00261.000489/2022-62 was instituted.

When manifesting itself in the Administrative Proceeding, Telekall presented a defense informing who would be the DPO and stating that it collected the data of the WhatsApp listings on the internet, and for this reason, it wasn’t necessary to indicate a legal basis for such treatment since the data available on the internet is under the reach of anyone. In addition, they alleged that, as the data were collected through various internet sites, this fact would not prevent the sale of this data as a service to be provided by the Company.

 

After all, which LGPD articles and ANPD regulations were violated?

Besides Telekall’s manifestation and defense, the Authority understands that there were a series of violations of the LGPD and the ANPD regulations. That is, based on the investigation and in the context of the evidence brought to the file in the Sanctioning Administrative Proceeding, the CGF/ANPD understands that the company violated:

  • Article 7 of the LGPD, as its commercial activity is not regularly supported by any of the treatment hypotheses provided for in art. 7 of the LGPD.
  • Article 41 of the LGPD, since the company had not indicated its DPO prior to the investigation by the Notice of Infraction, only doing so in the presentation of defense in the Sanctioning Administrative Proceeding.
  • Article 5 of the ANPD Inspection Regulation, for not having responded to the Authority’s questions (CGF/ANPD) prior to the opening of the Sanctioning Administrative Process.

 

What were the sanctions and dosimetry applied?

  • As for the violation of Article 7 of the LGPD, it was understood that it is a minor infraction, and applying a simple fine, pursuant to Article 10, III of the Dosimetry Regulation, was more appropriate and proportional.
  1. Aggravating factors: Absence
  2. Mitigating factors: Presence, since the violation ceased at a time prior to the infraction notice
  3. Analysis of the context in which the violation occurred based on the advantage intended by the violator for the provision of services of the product offered (WhatsApp listing for the purpose of sending an electoral message), the violation occurred shortly before the election and that the value of the fine should be 2% of billing.
  4. It was suggested the application of a fine of BRL 7,200.00 (seven thousand and two hundred reals)
  • As for the violation of Article 41 of the LGPD, it was understood that the violation was minor; therefore, under the terms of Article 9 of the Dosimetry Regulation, the application of a Warning was suggested.
  • As for the violation of Article 5 of the ANPD Inspection Regulation, it was understood that the infraction was serious. Under Article 10, II, of the Dosimetry Regulation, a simple fine should be applied.
  1. Aggravating factors: Absence
  2. Mitigating: Absence
  3. Analysis of the context in which the violation occurred since it failed to comply with the duty to provide a copy of documents, data, and information relevant to the evaluation of the personal data processing activities within the deadline, place, format, and other conditions established by the ANPD and that the amount of the fine should be 2% of the billing.
  4. It was suggested the application of a fine of 7,200.00 (seven thousand and two hundred reals).

In total, it was suggested the application of a fine of BRL 14,400.00 (fourteen thousand and four hundred reais) of simple fine and warning to the company Telekall Infoservice in the Administrative Sanctioning Proceeding No. 00261.000489/2022-62.

 

What are the implications of the application of the first sanction by the ANPD?

With the application of the first sanction by the ANPD, from now on, companies that do not believe in the supervisory power of the Authority must be prepared for more intense action by the ANPD. This indicates that companies not yet complying with the LGPD should seek to do so as soon as possible since the Authority has already gained enough strength and autonomy to start investigating and applying sanctions with more intensity.

In addition, it is important to remember that micro-enterprises, despite receiving special treatment in relation to compliance with the LGPD, according to Resolution CD/ANPD n. 2, through waiver or relaxation of obligations set forth in the LGPD, this does not mean that they are unpunished to the application of sanctions by the Authority. See the example of the Telekall Infoservice Case. It is worth mentioning that the LGPD applies to everyone, including micro-enterprises, public bodies, and non-profit entities, etc., even though some companies receive different treatment as flexibility in some obligations.

Therefore, complying with the LGPD is essential to avoid applying unwanted sanctions or judicialization of cases.

The Campos Thomaz & Meirelles team is well prepared with competent professionals and is available to answer any questions regarding sanctions for the application of the LGPD, in addition to providing services for your company to comply with the LGPD, including for small companies, and provide legal advice regarding privacy and data protection.

 

*

share

LinkedInFacebookTwitterWhatsApp

newsletter

Subscribe our newsletter and receive first-hand our informative

    For more information on how we handle your personal data, see our Privacy Policy.
    contato@camposthomaz.com
    *

    R. Funchal, 551, conjunto 51
    Vila Olímpia, São Paulo – SP
    04551-060

    11 3044-4906

    © Campos Thomaz Advogados privacy policy