BRAZILIAN DATA AUTHORITY IMPOSES PENALTIES ON TWO PUBLIC AGENCIES FOR VIOLATIONS COMMITTED IN OCTOBER

Published on: Friday, November 10, 2023

Brazil’s National Data Protection Authority (ANPD) has been showing vigilance in investigating administrative procedures initiated for violations of the General Data Protection Law (LGPD).

With the first sanction imposed on a private legal entity in July 2023, the National Authority published sanctions against two public agencies for LGPD violations, three months later. These agencies are the Institute for Assistance to State Public Servants of São Paulo (IAMSPE) and the State Health Department of Santa Catarina (SEC-SC).

The sanction against IAMSPE was published on October 6th for a violation of article 49 of the LGPD. The violation was attributed to the agency’s negligence in maintaining secure systems for the appropriate processing of personal data belonging to thousands of public employees and their families. The breach took the form of social engineering: an existing security flaw on a website under the agency’s control allowed the personal data of thousands of individuals to be exposed.

The Authority also considered that the agency failed to provide proper notification to the data subjects regarding the data leak incident, thereby violating article 48 of the LGPD.

Due to these violations, warning sanctions were imposed on IAMSPE, along with the requirement for corrective measures.

Less than 15 days later, the National Authority published a sanction against SEC-SC for four violations, three of which were considered severe. The severe violations were: negligence regarding the security of the systems used to store and process personal data; failure to provide clear, timely, and adequate communication to data subjects about a security incident; and the absence of a Personal Data Protection Impact Report (RIPD).

Similar to the case with IAMSPE, warning sanctions were applied to SEC-SC, along with the imposition of corrective measures. Among these measures is the requirement to maintain a general security incident notice on their website for 90 days, as well as the obligation to directly inform data subjects identified as victims of the incident.

Although the Law does not allow the imposition of fines on the public sector, the applied penalties nonetheless serve as a significant incentive for both the public and private sectors to understand that compliance with the LGPD and adherence to its guidelines are measures that must be implemented, and should not be considered optional.
