In a decision published on February 1st, 2024, in the Federal Official Gazette (DOU), the Brazilian National Data Protection Authority (ANPD) applied a sanction to the National Social Security institute (INSS) for not communicating a security incident involving personal data to the data subjects, thus violating the obligation set forth in article 48 of the Brazilian General Data Protection Law (LGPD).

According to the decision, the INSS must publicize the infraction through the landing page of its website and send a message to all users of the app “Meu INSS” informing about the sanction and about the security incident. Both communications must be available for 60 days from notice of the decision.

On the previous day, through another decision, ANPD applied 4 warning sanctions to the Office of Education of the Federal District (SEEDF) for various infractions to the LGPD, such as lack of appointment of DPO, failure to send the data protection impact report requested by ANPD and failure to report a security incident occurred in 2022.

The public entities may still appeal the decisions, which are available in Portuguese at:

https://www.in.gov.br/en/web/dou/-/despacho-decisorio-n-1/2024/fis/cgf-540637061 (INSS) and https://www.in.gov.br/en/web/dou/-/despacho-decisorio-n-3/2024/fis/cgf-540566212 (SEEDF).

ANPD has issued five decisions imposing sanctions in less than seven months (the first ANPD sanction was published on July 23, 2023). ANPD’s increasingly active stance in imposing sanctions demonstrates the urgent need to comply with the obligations set forth in LGPD.

This bulletin is for information purposes only and should not be relied upon to obtain legal advice on any of the topics dealt with here. For additional information, please contact the leaders of the Privacy and Data Protection team, Adriano Chaves and Marcia Issler Mandelbaum