ANPD applies sanction to a public agency of São Paulo

Wednesday, October 25th 2023

On October 6th, the National Data Protection Authority (ANPD) imposed a sanction against the São Paulo State Public Servant Institute of Medical Assistance (Instituto de Assistência Médica do Servidor Público Estadual de São Paulo, IAMSPE), after a decision in an administrative proceeding that accepted Instruction Report No. 2/2023/CGF/ANPD.

The report states that an initial proceeding was filed against IAMSPE after the ANPD received a complaint about a security failure on a website, through which it would be possible to access personal data of several data subjects, such as CPF (Individual Taxpayer's ID), name, RG (Individual National Registration ID), address, telephone, and salary, as well as images of documents such as CNH (driver's license), RG and proof of residence.

The ANPD concluded that IAMSPE violated Sections 48 and 49 of the Brazilian General Data Protection Law (LGPD) in the security incident, as the agency did not notify the affected data subjects individually within the deadline granted and failed to implement controls to ensure data confidentiality. Because of the infraction, the ANPD imposed the following warning sanctions on IAMSPE:

  • To adjust, within ten working days, the security incident communication already available on the IAMSPE website, according to the ANPD's wording, and to prove compliance with the decision in the administrative proceeding.
  • To keep the adjusted communication available for 90 calendar days, counted from the date of compliance with the adjustment to the communication, and also to prove compliance with the decision in the administrative proceeding.
  • To develop a schedule that incorporates actions aimed at reinforcing the security of its personal data processing systems, making them less susceptible to security incidents, and to prove the results in the administrative proceeding.

The decision may still be modified if IAMSPE appeals to the ANPD's board of directors.

NNB Advogados has a team specialized in privacy and data protection, qualified to assist companies in advisory and litigation matters. To learn more about how we can assist you, please contact us.