Twenty companies adjusted their operations to comply with Brazil's General Personal Data Protection Law (LGPD) following an enforcement action by the National Data Protection Authority (ANPD), which began in November of last year. The process concluded on April 24, with all audited companies meeting the Authority's requirements.
The enforcement action focused on legal entities that were frequently mentioned in data subject requests due to their failure to designate a Data Protection Officer (DPO) or to provide a contact channel for that role. Companies that had not responded to previous ANPD demands were also included. The ANPD prioritized larger organizations, taking into account the volume of data processed and the scope of their activities, with the aim of maximizing the impact of the enforcement action.
The absence of a DPO or a clear communication channel prevents data subjects from exercising their rights and undermines transparency in data processing. This situation makes things harder both for data subjects and for the ANPD itself, which relies on this point of contact to verify compliance with the LGPD. The initiative is part of the ANPD's regular monitoring activities aimed at promoting legal compliance and best practices.
As next steps, the Monitoring Division of the ANPD's General Coordination of Enforcement will follow up with the companies for a period of six months to verify that they maintain compliance with their obligations. Any new requests related to the absence of a DPO or difficulties in making contact will also be monitored. If violations or a high number of new complaints are identified, the ANPD may reopen the case and consider launching a formal administrative sanctioning process.
This post was summarized from its original version using ChatGPT version 4o, with human review.
Source: ANPD