Today, the Brazilian National Data Protection Authority – ANPD’s board of directors approved the Resolution CD/ANPD n. 02, providing the Regulation responsible for disciplining the applicability of the Brazilian General Data Protection Law – LGPD to the small processing agents.
The Regulation defines as small processing agents the micro and small business, as well as startups, as defined by Supplementary Law n. 123 of 2006 and Supplementary Law n. 182 of 2021, respectively, with the exception of agents that process data that could pose a high risk to the data subjects.
Moreover, the Regulation defines as high risk the data processing that either can significatively harm the data subjects’ constitutional rights or can be considered as a large-scale activity, when the mentioned activity also fits in at least one of the following categories:
(i) The data processing agent utilizes new or emerging technology;
(ii) The agent’s activity is related to surveillance and control of public areas;
(iii) The data processing decisions are solely based on automated data processing; or
(iv) The data processing refers to sensitive, minor’s or elder’s personal data.
Furthermore, the Regulation provides that the small processing agents’ obligations to keep data processing’s records and to notify a data security incident can be fulfilled in a simplified way, following rules and forms that will be later provided by the ANPD.
Regarding the deadlines, the small processing agent’s timestamp for filing a response to a data subject’s request, a notice of a data security incident to the ANPD and the data subjects and a complete declaration confirming the existence and processing of personal data to a data subject will be doubled. Besides that, the timestamp for filing a simplified declaration confirming the existence and processing of personal data to a data subject will be 15 days.
The Regulation also exempts the small processing agents of appointing a DPO, but this nomination will be considered as an indication of governance and good practices by the small processing agent. The Regulation also allows the small processing agents to organize themselves in representative entities to participate in negotiations and meetings related to data subject’s requests.
Finally, according to the Regulation, the ANPD can request that a company proves its qualification as a small processing agent at any time, as well as request that a small processing agent fulfill any obligations that were previously dismissed by the Regulation, if the ANPD deems necessary.
Our team is at your disposal for further clarifications, as well as to provide assistance with the procedures for fulfilling LGPD and/or ANPD regulatory obligations.
Gustavo Flausino Coelho – gustavo@bastilhocoelho.com.br
Fernando Naegele – fernando@bastilhocoelho.com.br