
Brazil: ANPD regulation on applicability of LGPD to small processing agents

The Brazilian data protection authority ('ANPD') has been active in the past months, with the publication of various guidance documents pertaining to Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD') and aimed at facilitating compliance. One such action was the ANPD's approval, on 28 January 2022, of Resolution CD/ANPD No. 2 of 27 January 2022 for a Regulation on the application of the LGPD to small processing agents [1] ('the Resolution'), which entered into force on the date of its publication in the Official Gazette, 28 January 2022. This Insight article analyses the key aspects of the Resolution and what small processing agents must consider in ensuring that they comply with the requirements under the LGPD.


Key definitions

In order to facilitate the understanding of the Resolution and what it considers as small processing agents, the Resolution provides for the following definitions:

  • Small-size processing agents: These include micro-companies, small companies, start-ups, legal entities which are governed by private sector laws in Brazil, and further includes non-profits, as currently defined under law, as well as natural persons and depersonalised private entities that process personal data, and which assume the typical controller or operator obligations.
  • Micro-enterprises and small businesses: These include business partnerships, simple partnerships, sole proprietorship limited liability companies, and the entrepreneur including individual micro-entrepreneurs which are registered in the Commercial Companies Registry or the Civil Registry of Legal Entities.
  • Startups: These include business or corporate organisations, nascent or in recent operation, whose performance is characterised by innovation applied to a business model or to products or services offered, and which meet certain additional criteria under Chapter II of Complementary Law No. 182 of 1 June 2021.

High risk processing

One notable aspect that the Resolution addresses with respect to small processing agents is data processing that can be determined to be high risk. To make this determination, the Resolution provides that personal data processing which cumulatively meets at least one listed general criterion and at least one listed specific criterion will be deemed high risk processing.

As such, the Resolution outlines each criterion as follows:

  • General criteria:
    • large-scale processing of personal data, which is understood to involve processing that covers a significant number of data subjects, also taking into account the volume of data involved, the duration and frequency of processing, and the geographic extent over which the processing is carried out; or
    • processing of personal data that may significantly affect data subjects' interests and fundamental rights, which is understood to include, among other situations, processing that may prevent the exercise of rights or the use of a service, or which causes material or moral damages such as discrimination, violation of physical integrity, the right to image and reputation, financial fraud, or identity theft.
  • Specific criteria:
    • use of emerging or innovative technologies;
    • surveillance or control of areas accessible to the public, which are understood to be areas such as squares, shopping centres, public roads, bus, subway and train stations, airports, ports, and public libraries, among others;
    • decisions which are based solely on automated processing, as well as those aimed at defining the personal, professional, health, consumer and credit profile, or aspects of the data subject's personality; or
    • use of sensitive personal data or personal data of children, adolescents, and the elderly.

To further facilitate small processing agents' compliance with these provisions, the Resolution also details that the ANPD may issue guides and guidelines to assist such agents in determining which processing activities may be considered high risk and therefore require certain actions.

LGPD obligations and small processing agents

Notwithstanding the simplifications it introduces, the Resolution expressly provides that small processing agents remain subject to the provisions of the LGPD which would normally apply, such as the provisions on legal bases for processing, compliance with the LGPD principles, regulatory and contractual provisions, and obligations around the rights of data subjects.

Data subject rights

To facilitate this, the Resolution expressly delineates certain obligations of small processing agents in this respect. Firstly, with regard to the rights of data subjects, the Resolution requires, among other things, that small processing agents, in complying with the right to information, provide information on their processing activities through electronic, printed, or other means which facilitate the exercise of data subjects' rights, including the right of access to personal data.

Records of processing activities

Regarding LGPD obligations to have a record of processing activities, the Resolution highlights that small processing agents may comply with this obligation of preparing and maintaining a record in a simplified way. Although the Resolution does not outline what is considered as simplified, it does provide that the ANPD will provide a model to be used for simplified registration of processing activities and records.

Incident and breach reporting

In addition to the above model that the ANPD will provide, the Resolution also provides that the ANPD will outline a flexible or simplified procedure for the reporting of data security incidents.

DPO appointment

Another LGPD obligation concerns the designation of a person in charge of the processing, or a data protection officer ('DPO'). Notably, the Resolution exempts small processing agents from designating a DPO as otherwise required by Article 41 of the LGPD. Nevertheless, the Resolution indicates that appointing a DPO is a matter of best practice, although if not done, small processing agents are still required to establish a channel through which communications can take place with data subjects.

Data security

Finally, and with respect to security and best practices, the Resolution reiterates small processing agents' obligation to implement essential and necessary administrative and technical measures, based on minimum information security requirements for the protection of personal data, while considering the level of risk to the privacy of data subjects.

However, the Resolution provides that such agents may establish a simplified information security policy to do this, although such a policy should still include those requirements which are essential and necessary to ensure that personal data is protected from unauthorised access and from accidental or unlawful destruction, loss, alteration, communication, or any other form of improper or unlawful processing. Furthermore, such a policy should take into account the small processing agent's implementation costs, structure, and the scale and volume of its operations, so that the policy put in place is relevant to its activities.

Timelines for compliance

In addition to the abovementioned provisions that the Resolution introduces for small processing agents, it also allows the normal timeframes for compliance outlined in the LGPD to be doubled. Specifically, the Resolution applies this to the deadlines for:

  • responding to data subject requests about the processing of their personal data;
  • providing a clear and complete declaration of processing following a data subject's request to be informed about, or to access, their personal data;
  • communicating with the ANPD and the data subject(s) following a security incident that may cause significant risk or damage; this does not apply, however, where there is a potential compromise to the physical or moral integrity of the data subject or to national security, in which case the communication must meet the deadlines that apply to other processing agents; and
  • presenting the ANPD with information, documents, reports, and records of processing activities when requested under the LGPD.

To supplement the above, the Resolution notes that any deadlines not provided for in the context of processing by small processing agents will be determined by specific regulation.

Conclusion

With this Resolution, the ANPD took another step forward in ensuring that the LGPD is fully complied with by the different bodies subject to it. The Resolution sets out the obligations that small processing agents must consider, and such agents can now anticipate the additional guidance from the ANPD that the Resolution announces, in order to further understand and take the measures necessary to ensure that their processing activities are in accordance with the law.

Iana Gaytandjieva, Lead Privacy Analyst


[1] Only available in Portuguese: https://www.in.gov.br/en/web/dou/-/resolucao-cd/anpd-n-2-de-27-de-janeiro-de-2022-376562019#wrapper
