ILN Data Privacy Paper

Brazil

Importantly, Article 43 of the LGPD outlines scenarios in which processing agents may be exempt from liability. These exemptions apply if the processing agents can demonstrate (i) that they did not perform the personal data processing activity assigned to them; (ii) that they did perform the assigned processing activity, but there was no violation of data protection legislation; or (iii) that the damage is solely due to the fault of the data subject or a third party.

9.2. Consequences and penalties for other violations and non-compliance

Article 52 of the LGPD outlines a comprehensive range of administrative sanctions for data processing agents found in violation of its regulations, emphasizing the law's commitment to enforcing data protection principles. The potential sanctions include: (i) warning, with a deadline for adopting corrective measures; (ii) fines up to two percent (2%) of the turnover of the private legal entity, group, or conglomerate in Brazil for the last financial year, excluding taxes, with a cap of fifty million reais (R$50,000,000.00) per infraction; (iii) daily fines, subject to the total limit of fifty million reais (R$50,000,000.00); (iv) publicization of the infringement after its occurrence has been duly ascertained and confirmed; (v) blocking of the personal data to which the infringement relates until the activity is regularized; (vi)

However, it does not have the authority to regulate data protection matters. Instead, its responsibility is to enforce and apply the regulations and guidelines already established by the LGPD and the ANPD.

Consequences of non-compliance

9.1. Consequences and penalties for data breach

Article 48 of the LGPD mandates that any controller or processor who, due to their personal data processing activities, causes property, moral, individual, or collective damage to others in violation of the LGPD, is required to provide compensation for such damage. This ensures that data subjects receive effective compensation for any harm they suffer due to non-compliance with data protection laws. The LGPD stipulates that processors share joint and several liability with controllers for any damages caused by processing activities. This applies if they fail to comply with data protection laws or disregard lawful instructions from the controller. In such cases, processors are held equally responsible alongside controllers for any resulting damages. Additionally, in cases where there are joint controllers directly involved in the processing activity that leads to damage, they are deemed jointly and severally liable. This means that each controller can be held responsible for the full amount of the damage, providing a stronger protection mechanism for data subjects.

https://klalaw.com.br/en/home/
