LGPD Fines: what they are, how they are calculated, and what determines their value
The ANPD has already imposed the first financial sanctions in the Brazilian private sector, the penalty-calculation regime is fully in force, and Deliberation CD-10/2025 introduced daily fines for non-compliance with precautionary measures. Understanding how LGPD penalties work, which factors increase or reduce them, and what the most recent administrative case law reveals about the regulator's conduct has moved beyond a preventive precaution to become a concrete operational necessity.
The range of sanctions provided for in the LGPD
The Lei nº 13.709/2018 establishes, in art. 52, a graduated set of administrative sanctions applicable by the ANPD. The penalties are not limited to financial fines: a warning with a deadline for the adoption of corrective measures; public disclosure of the infraction, which turns the sanctioning proceeding into a public reputational risk; blocking of the personal data to which the infraction relates; deletion of personal data; a simple fine of up to 2% of gross revenue in the last fiscal year, capped at R$50 million per infraction; a daily fine, subject to the same cap of R$50 million; partial suspension of the operation of the database for up to six months, extendable for an equal period; suspension of the personal data processing activity; and partial or total prohibition of activities related to data processing.
The most serious sanctions, such as suspension and prohibition, are of subsidiary application: under the Resolution CD/ANPD No. 4/2023, they may only be applied after at least one prior sanction has already been imposed on the same offender in the same case. This does not mean the path to them is long: the progression can be swift for companies that fail to respond to the authority's notifications or do not adopt the corrective measures ordered.
How penalty calculation works in practice
Resolution CD/ANPD No. 4/2023, published on February 27, 2023, established the method for grading and calculating penalties, making the LGPD sanctioning regime operational. Before this resolution, the ANPD already had formal authority to impose sanctions, but lacked objective parameters for calculating financial fines. The resolution filled that gap and defined a structured three-stage system, as detailed in the survey by the LGPDPro.
In the first stage, the ANPD sets the base fine value, calculated as a percentage of the offender's gross revenue in the previous fiscal year, always subject to the R$50 million cap per infraction. This starting percentage varies according to the classification of the infraction, which can be minor, moderate, or serious. In the second stage, the base value is adjusted by aggravating and mitigating factors, with a score assigned to each criterion. In the third stage, a final proportionality assessment is applied, considering the concrete impact of the breach on the affected data subjects. In 2024, Resolution CD/ANPD No. 5 updated the methodology, introducing greater objectivity to the scoring system and making the process more predictable for data controllers and processors.
The eleven criteria set out in art. 52, §1 of the LGPD guide the penalty calculation: seriousness of the infraction and the rights affected; good faith of the offender; benefit obtained; economic capacity; recidivism; degree of harm; cooperation; adoption of security mechanisms; adoption of a good-practices policy; adoption of corrective measures; and proportionality between the gravity of the violation and the intensity of the sanction.
What the first sanctioning case revealed
In July 2023, the ANPD published in the Official Gazette the first sanctioning decision with a fine in the private sector: Telekall Infoservice, a micro-sized telemarketing company, was penalized with a warning and two fines of R$7,200 each, totaling R$14,400. The proceeding had been initiated in March 2022, arising from five simultaneous infractions: absence of a legal basis for the processing of personal data; absence of records of processing operations; failure to submit the Data Protection Impact Report (RIPD); absence of a designated Data Protection Officer (DPO); and non-compliance with ANPD requests during the inspection proceeding, as reported by the Migalhas.
The nominal amount of R$14,400 is modest, but the technically relevant aspect of the case lies in the calculation: the fine corresponded to 2% of the company's gross revenue, that is, the legal cap applicable to its size. For a larger organization with the same set of infractions, the amount could reach R$50 million per infraction. The Telekall case demonstrates that the ANPD did not segment its enforcement by company size: the determining factor was the seriousness of the conduct and the resistance to cooperating with the regulatory authority.
| Infraction identified (Telekall) | Legal basis violated | Impact on penalty calculation |
|---|---|---|
| Absence of a legal basis for processing | Art. 7 and 11, LGPD | Aggravating factor |
| Absence of a record of processing operations | Art. 37, LGPD | Aggravating factor |
| Failure to submit the RIPD | Art. 38, LGPD | Aggravating factor |
| Absence of a designated DPO | Art. 41, LGPD | Aggravating factor |
| Non-compliance with ANPD requests | Art. 55-J, LGPD | Critical aggravating factor |
By August 2024, the ANPD had imposed 18 administrative sanctions, of which only two were fines. The remaining sanctions applied to public bodies, which are legally prohibited from being fined. In 2024, no private company was financially sanctioned. The contrast with the European scenario is revealing: in the period from January 2023 to January 2024 alone, GDPR fines in the European Union totaled EUR 1.78 billion, according to data compiled by the portal TI Inside. The difference does not reflect an absence of risk in Brazil, but rather a regulatory maturation cycle that 2025 indicators suggest is accelerating.
The new enforcement threshold in 2025 and 2026
Deliberation CD-10/2025 represents a significant shift in the ANPD's coercive capacity. By introducing daily fines for non-compliance with precautionary measures, the resolution creates a mechanism of continuous pressure on companies that fail to implement the corrections ordered by the authority within the established deadlines. In practice, a company that receives a precautionary measure and does not comply begins to accumulate a daily liability, potentially up to the R$50 million cap.
The transformation of the ANPD into an independent regulatory agency, formalized by Provisional Measure No. 1,317/2025, eliminated the budgetary and staffing constraints that previously limited the scale of enforcement. With a dedicated auditor career track, financial autonomy, and interdiction powers, the ANPD is no longer structurally constrained in the number of sanctioning proceedings it can pursue simultaneously.
Civil liability running parallel to administrative liability
The STJ's case law amplifies this scenario. In 2025, the 3rd Panel consolidated the understanding that the leakage of sensitive data constitutes presumed moral damages, regardless of proof of actual harm by the data subject, in judgments REsp No. 2,121,904/SP and REsp No. 2,201,694/SP. Companies that have experienced incidents involving sensitive data face strict civil liability running parallel to administrative liability before the ANPD.
What determines the effective fine amount
The difference between a fine at the floor of the calculation and one approaching the R$50 million cap is determined by the combination of factors the ANPD weighs in the penalty-calculation process. The elements that systematically increase the amount are: infraction classified as high severity; impact on sensitive data, such as health, biometric, financial, racial, or religious data; a significant volume of affected data subjects; identifiable economic benefit obtained by the offender; recidivism in LGPD infractions; absence of cooperation with the authority during the proceedings; and complete failure to adopt corrective measures even after becoming aware of the violation.
| Factor | Effect on penalty calculation | Legal basis |
|---|---|---|
| Sensitive data affected | Increases the amount | Art. 52, §1, I, LGPD |
| Recidivism | Increases the amount | Art. 52, §1, V, LGPD |
| Absence of cooperation | Increases the amount | Art. 52, §1, VII, LGPD |
| Economic benefit obtained | Increases the amount | Art. 52, §1, III, LGPD |
| Demonstrated good faith | Reduces the amount | Art. 52, §1, II, LGPD |
| Documented good-practices program | Reduces the amount | Art. 52, §1, VIII, LGPD |
| Corrective measures adopted spontaneously | Reduces the amount | Art. 52, §1, X, LGPD |
The LGPD is not a law of intentions. It is a law of documented, calculated, and progressive consequences. LGPD compliance is not merely a response to the risk of being sanctioned: it is the difference between facing a sanctioning proceeding with legitimate mitigating arguments or facing it with none.
What Apter offers in this area
Apter Apter structures LGPD compliance programs focused on operational sustainability and documentation that withstands real sanctioning proceedings. The work begins with a diagnostic assessment: mapping data processing activities, identifying the applicable legal bases for each operation, evaluating documentary gaps, and analyzing priority risks by sector and volume of data processed. Based on the diagnostic, Apter structures the policies, workflows, and documents required for compliance, implements data governance processes, delivers training for operational teams and the DPO, and can fully assume the role of personal data officer as an outsourced service.
For companies that have already experienced security incidents or received notifications from the ANPD, Apter provides technical and legal support in responding to sanctioning proceedings, including drafting administrative defenses, structuring corrective measures, and, where applicable, negotiating commitment terms with the authority.
Talk to an Apter specialist about LGPD



