It has been two months since enforcement of the LGPD has been in effect, and a Brasilian court has already sanctioned an education institution for violating the law. In that case, the plaintiff claimed to have received more than 20 daily calls from the defendant. Plaintiff asserted that after browsing through defendant’s website through a redirect link from Facebook, he started to receive messages via Whatsapp, text messages and emails about postgraduate courses offered by defendant.

Plaintiff requested the deletion of his data by the defendant, but the defendant failed to carry-out the request. In addition, plaintiff filed for injunctive relief, requesting that the defendant cease all communications with the defendant. However, this injunction was denied on June 15, 2021. It is important to note that the plaintiff filed for injunctive relief prior to the enforcement date of the LGPD.

As this case continued to develop, approaching the enforcement deadline of the LGPD, it became clear that the defendant failed to implement a specific channel for data subjects to request the deletion of their personal data. Pursuant to Article 8, the defendant is required to request unequivocal consent of the data subject. Had there been a specific channel for the plaintiff to submit a data subject deletion request, the defendant would have had to respond to the request.

Under the theory of res ipsa, the judge found that “there is no proof of consent by the author (Art. 7, I, of the LGPD).”[1] Furthermore, the judge held that “the defendant’s treatment activity occurred in disagreement with the LGPD, which as a corollary generates the duty to indemnify for pain and suffering. Moral damage is that damage that hurts the core of the individual’s personality, that is, that damage that hurts the personality attributes.”[2] Therefore, the judge granted the plaintiff’s request for pain and suffering in the amount of R$6,000.

While this penalty may not be as significant as the fines that have been imposed under the General Data Protection Regulation (GDPR),3 this enforcement comes exceedingly early. Remember, LGPD enforcement came into effect on August 1, 2021, and this decision was decided August 21, 2021—three weeks after the LGPD became enforceable.  

If you are unsure whether your organization is compliant with the LGPD, MDS can help in a variety of ways to ensure compliance. MDS has helped its customers become compliant with the LGPD by providing privacy impact assessments that are tailored to our customers’ organization. The assessments enable MDS understand our customer’s posture with respect to the regulatory compliance schemes and the legal basis for processing information. Upon completion of our assessment, MDS implements a variety controls and tools that provide regulatory intelligence, automation, and flexible solutions to optimize privacy management. 


[1] Novaes, Manuela, Faculty is Fine R$6000 for Approaching a Client Without Consent, LGPD News (Aug. 28. 2021),sc,elem.

[2] Id.

The material and information provided in Maureen Data Systems (“MDS”) Content are for general information only and should not, in any respect, be relied on as professional advice. The MDS Content shall be construed as author-based content and commentary. Accordingly, no warranties or other guarantees are offered as to the quality of the opinions, commentary or anything else appearing in such MDS Content. MDS expressly reserves the right to delete stories at its and their sole discretion.

Register for Maureen Data System’s 4th Annual Security Conference

Ready to Get Started with mDS?

Fill-out the quick form & a MDS technical expert will contact you soon!

+1 (888) 123-4567