On Jan. 27, 2022, Brazil’s Data Protection Agency (ANPD) adopted Resolution ANPD No. 2 (the “Resolution”), limiting Brazil’s Data Protection Law (LGPD) obligations on small entities.
Processing Agents
Similar to the European GDPR, the LGPD categorizes businesses subject to the law as either “controllers” or “processors.” However, the LGPD also groups these two categories together under one definition: “processing agent.”[1] Processing agents are generally required to meet a number of compliance obligations similar to the obligations placed on controllers and processors under the GDPR.
Processing agent obligations include:
- Keep and maintain a record of processing operations (e.g., a data inventory)[2]
- In some circumstances, conduct data protection impact assessments[3]
- Verify processors’ compliance with the controller’s processing instructions[4]
- Appoint a data protection officer[5]
- Adopt security, technical, and administrative measures to protect personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication, or any other type of improper or unlawful processing[6]
- Notify the ANPD and impacted data subjects of security incidents that may create risk or relevant damage to the data subjects[7]
Small Processing Agents
This Resolution limits the LGPD obligations of “small-sized processing agents.” The Resolution defines “small-sized processing agents” as micro-companies, small companies, startups, and “legal entities governed by private law,” including non-profits and depersonalized private entities that process personal data.[8]
Micro-companies and small companies are businesses, simple partnerships, and sole proprietorship limited liability companies, as defined by Brazilian law.[9]
Startups, on the other hand, are “business or corporate organizations nascent or in recent operation, whose performance is characterized by innovation applied to a business model or to products or services offered.”[10]
Obligations of Small-sized Processing Agents
Generally, if an organization falls within the definition of a small-sized processing agent, it has simplified LGPD compliance obligations.[11]
The ANPD’s simplified obligations for small-sized processing agents include:
- Keeping and maintaining a record of personal data processing operations under Art. 37 of the LGPD in a “simplified way.”[12]
- A “flexible” or “simplified procedure” for security incident reporting.[13]
- No obligation to appoint a data protection officer.[14]
- Adoption of a “simplified” information security policy that includes “essential and necessary requirements for processing personal data.”[15]
- Twice the standard time to (i) respond to data subject requests, (ii) notify the ANPD and data subjects of security incidents,[16] and (iii) respond to requests for information and documents from the ANPD.[17]
Why it Matters
The way in which a business is classified impacts how the ANPD expects a company to comply with the LGPD. While the ANPD is expected to provide further guidance on the obligations of small-sized processing agents, businesses should analyze whether they can benefit from the simplified obligations.
FOOTNOTES
[1] LGPD Article 5(IX)
[2] LGPD Article 37
[3] LGPD Article 38
[4] LGPD Article 39
[5] LGPD Article 41
[6] LGPD Article 46
[7] LGPD Article 48
[8] Resolution Article 2(I)
[9] Resolution Article 2(II)
[10] Resolution Article 2(III)
[11] Unless the small-sized processing agent conducts “high risk treatment” as defined in the Resolution. The ANPD has signaled that small-sized processing agents engaged in “high risk treatment” will be subject to separate guidelines, which appear to be forthcoming.
[12] Resolution Article 9
[13] Resolution Article 10
[14] Resolution Article 11
[15] Resolution Article 13
[16] Unless there is a “potential compromise to the physical or moral integrity of the holders or to the national security.”
[17] Resolution Article 14(I-II)
Mike Summers also contributed to this article.