Data processing agents that commit infractions of the rules provided in this Law are subject to the following administrative sanctions, to be applied by the national authority:
I – warning, with an indication of the time period for adopting corrective measures;
II – simple fine of up to two percent (2%) of the revenues of a private legal entity, group or conglomerate in Brazil, for the prior financial year, excluding taxes, up to a total maximum of fifty million reais (R$ 50,000,000.00) per infraction;
III – daily fine, subject to the total maximum referred to in item II;
IV – disclosure and publicization of the infraction once it has been duly ascertained and its occurrence has been confirmed;
V – blocking of the personal data to which the infraction refers until its regularization;
VI – deletion of the personal data to which the infraction refers;
VII – (vetoed);
VIII – (vetoed);
IX – (vetoed);
X – partial suspension of the operation of the database related to the infraction for a maximum period of 6 (six) months, extendable for the same period, until the normalization of the processing activity by the controller; (Included by Law No. 13,853/2019)
XI – suspension of the personal data processing activity related to the infraction for a maximum period of 6 (six) months, extendable for the same period; (Included by Law No. 13,853/2019)
XII – partial or total prohibition of activities related to data processing. (Included by Law No. 13,853/2019)
§1 The sanctions shall be applied following an administrative procedure that will provide opportunity for a full defense, in a gradual, single or cumulative manner, in accordance with the peculiarities of the particular case and taking into consideration the following parameters and criteria:
I – the severity and the nature of the infractions and of the personal rights affected;
II – the good faith of the offender;
III – the advantage received or intended by the offender;
IV – the economic condition of the offender;
V – recidivism;
VI – the level of damage;
VII – the cooperation of the offender;
VIII – repeated and demonstrated adoption of internal mechanisms and procedures capable of minimizing the damage, for secure and proper data processing, in accordance with the provisions of item II of §2 of Art. 48 of this Law;
IX – adoption of good practices and governance policy;
X – the prompt adoption of corrective measures; and
XI – the proportionality between the severity of the breach and the intensity of the sanction.
§2 The provisions of this article do not substitute the application of administrative, civil or criminal sanctions defined in specific legislation.
§2 The provisions in this article are not a replacement for the application of administrative, civil and criminal sanctions in Law No. 8,079, of September 11th, 1990, or in specific legislation. (New Wording Given by Law No. 13,853/2019)
§3 The provisions of Items I, IV, V, VI, X, XI and XII of the lead sentence of this article may be applied to public entities and bodies, without prejudice to the provisions of Laws Nos. 8,112, of December 11, 1990, 8,429, of June 2, 1992, and 12,527, of November 18, 2011.
§4 When calculating the amount of the fine referred to in item II of the lead sentence of this article, the national authority may consider total revenues of the company or group of companies, when it does not have the amount of revenues from the business activity in which the infraction occurred, defined by the national authority, or when the amount is presented in an incomplete form or is not demonstrated unequivocally and reputably.
§5 The sum of the collection of fines applied by the ANPD, whether or not registered as active debt, shall be allocated to the Diffuse Rights Defense Funds, as referred to in Art. 13 of Law No. 7,347 of July 24, 1985, and Law No. 9,008 of March 21, 1995.
§6 Sanctions provided for in Items X, XI and XII of the lead sentence of this article shall be applied:
I – only after at least one (1) of the sanctions mentioned in items II, III, IV, V and VI of the lead sentence of this article has been imposed, for the same facts; and
II – in the case of controllers subject to other agencies and entities with sanctioning powers, after those entities and agencies are heard. (Included by Law No. 13,853/2019)
§7 The individual data leaks or unauthorized access mentioned in the lead sentence of Art. 46 of this Law may be the subject of direct conciliation between controller and data subject, and, in the absence of an agreement, the controller shall be subject to the penalties referred to in this article. (Included by Law No. 13,853/2019)