In July 2019, the General Data Protection Regulation (GDPR) of the European Union issued the largest fine in the history of the law: 183 million euros. The fined company was British Airways, the English airline. The reason for the fine was a security breach that resulted in the personal data of over 500,000 customers being leaked.

Although the LGPD (Brazil's General Data Protection Law) has been in effect for some time now, the subject still generates many questions among Brazilians. What fines are specified in the LGPD? What is the maximum fine a company can receive? What is the deadline for a website to comply and avoid fines?

In this article, we will answer all your questions regarding fines under the LGPD (Brazil's General Data Protection Law).

##What fines have been imposed under the GDPR?

In the European Union, companies can be fined up to 20 million euros or 4% of their annual revenue, whichever is higher. As we saw, British Airways incurred a loss of 183 million euros due to mishandling of data.

In Germany, a police officer was fined 1,500 dollars for using a citizen's license plate to find his phone number for personal purposes. This shows that it is not only large companies that draw attention with their mistakes and get penalized.

But what about our LGPD? Will the fines be the same under Brazil's General Data Protection Law, which is inspired by the European regulation?

##What cases under the LGPD are subject to fines?

The LGPD must be fully complied with, not in parts. British Airways was fined a record amount for an unintentional slip.

Therefore, it is extremely important that you read everything about the LGPD and make the necessary adjustments as quickly as possible. Every company must have a Data Protection Officer, and it is recommended to use a CMP, which makes the work much easier.

More significant slip-ups will result in higher fines, while minor slip-ups will obviously be penalized differently. The law states that the following factors will be taken into account:

• The severity and nature of the violations and the affected personal rights; • The good faith of the infringer; • The advantage gained or intended by the infringer; • The economic condition of the infringer; • The recurrence; • The degree of harm; • The cooperation of the infringer; • The adoption of good practices and governance policies; • The prompt adoption of corrective measures; and • The proportionality between the gravity of the offense and the intensity of the sanction.

The complete administrative sanctions are specified in 52nd Article of the law, which can be consulted here.

##What are the fines and penalties under the LGPD?

The LGPD provides for six penalties or fines. They are as follows:

1. Warning: This warning comes with a deadline for the company to comply with the law. If the company fails to make the necessary corrections within the specified timeframe, penalties will be imposed.

2. Simple fine based on revenue: This fine can be up to 2% of the legal entity's revenue. The maximum limit is 50 million Brazilian reais per violation.

3. Daily fine: This fine is also limited to 50 million Brazilian reais.

4. Public disclosure of the violation: The violation becomes public, and the damage to the company's reputation can be significant.

5. Blocking of personal data: This administrative sanction prevents companies from using the collected personal data until the situation is regularized.

6. Deletion of personal data: The sixth penalty provided by the LGPD requires the company to completely delete the data collected in its services, causing harm to the company's operations.

The maximum limit for fines under the LGPD is 50 million Brazilian reais. However, some of the penalties can be even more severe, depending on the company. For example, publicly acknowledging the leakage of personal data from thousands of customers can undermine even solid companies, completely eroding the credibility of a brand.

But do these fines also apply to smaller businesses with minimal data processing operations? Or only to large companies like British Airways and Google?

Can anyone be fined?

The law refers to "data controllers." Any website or company that collects data automatically becomes a data controller.

However, there are exceptions. They are as follows:

• Natural persons who use data for personal and non-economic purposes; • Persons who use data for journalistic, artistic, or academic purposes; • Public security or national defense agents who use data to enforce the law.

In these cases, there is no need for formal consent. Therefore, there is no possibility of a fine since these activities do not violate the law.

However, every business, without exception, will be subject to fines once the law comes into effect. But until then, you have a task:

What is the deadline for compliance?

The deadline has already passed! The law came into effect in Brazil on August 16, 2020.

If your company is not yet compliant, we recommend that you start as soon as possible and gather as much information as possible about the law to avoid fines and penalties.

To better understand the regulations, read the article Everything about the LGPD!