Our Policies
News

Newsletter

11 de October de 2023

Brazilian Data Protection Authority applies the second penalty for non-compliance with LGPD

Three months after imposing the first fine on a company, the Brazilian Data Protection Authority (ANPD) issued last Friday (06/10) a new sanction for non-compliance with the Brazilian General Data Protection Law (LGPD). This time, the punishment was directed at a public body and resulted in the imposition of two warnings, followed by corrective measures.

The sanctions were motivated by IAMSPE’s inappropriate conduct regarding a security incident involving personal of civil servants from the state of São Paulo and their dependents, that were accessed in an unauthorized manner by an external user.

The first warning refers to the violation of art. 48 of the LGPD, which establishes the obligation of the personal data controller to notify the ANPD and the data subjects of the incident.

IAMSPE was penalized because it did not communicate the security incident to the ANPD in time, taking around three months to do so. Similarly, the communication to data subjects was partial, lacking information such as a description of the nature of the data and the reasons for the delay in communication. For this warning, the Institute should update the notice of the incident on its website, keeping it available for at least 90 days.

The second penalty is related to art. 49 of the LGPD, which states that controllers must use systems that meet “security requirements, standards of good practice and governance and the general principles set out in the LGPD.” The infraction was classified as high since the Institute had a high volume of personal data and data of vulnerable data subjects (such as minors and the elderly) and did not implement adequate controls to guarantee the confidentiality of the data. The corrective measures related to this sanction involve the presentation of a schedule and results of the programs developed and implemented.

The ANPD’s active role in all sectors of the economy reinforces the need for all companies to handle the personal data protection matters with utmost care and responsibility.

If you wish to obtain more information on this matter, we are available at digital@kasznarleonardos.com

Back

Last related news

27 de March de 2026

New Structure of the ANPD and Impacts Brought by the Digital Child and Adolescent Statute

Among the most recent publications related to the Brazilian Data Protection Agency (“ANPD”), the release of Decree No. 12.881/2026 stands out. The Decree approves New Structure of the ANPD and Impacts Brought by the Digital Child and Adolescent Statute

  • Kasznar Leonardos
    • Ler notícia

    24 de March de 2026

    Published the Decree Regulating the Digital ECA: Clarifying Technical Parameters and Expanding Platform Responsibilities

    After the enactment of the Digital Statute of the Child and Adolescent (Law No. 15,211/2025 – “ECA Digital”) in September last year, Published the Decree Regulating the Digital ECA: Clarifying Technical Parameters and Expanding Platform Responsibilities

    Ler notícia

    2 de February de 2026

    MP 1.335/2026: New Frameworks for Trademark Protection – FIFA Women’s World Cup 2027

    The recently published Provisional Measure (MP) No. 1,335/2026—currently pending Congressional approval—introduces a distinct legal regime that significantly shifts the level of IP MP 1.335/2026: New Frameworks for Trademark Protection – FIFA Women’s World Cup 2027

    Ler notícia

    Check out our Social Responsability and Sustainability projects

    Meet our complete team