The Brazilian Data Protection Authority (ANPD), the body responsible for the promotion and control of the General Data Protection Law (LGPD) in Brazil, started 2022 by publishing CD/ANPD Resolution #2 on January 27, 2022, which approves the regulation implementing the LGPD – Statute #13.709/2018 for small processing agents.
Regarding the above standard, the following definitions already considered by the ANPD are noteworthy:
Even so, the above resolution prohibits small businesses from having their obligations under the LGPD simplified under this resolution if they:
- carry out high-risk processing of personal data, except if they organize themselves in entities representing the business activity, legal entities, or natural persons for negotiation, mediation, and conciliation of complaints presented by data subjects.
- earn gross revenue exceeding BRL 4.8 million and, in the case of startups, gross revenue in the previous year exceeding BRL 16 million.
- belong to a de facto or de jure corporate group whose global revenue exceeds BRL 4.8 million and, in the case of startups, if the gross revenue in the previous year exceeds BRL 16 million.
The term “high-risk processing” could raise some doubts, but ANPD wasted no time and defined which high-risk processing would apply if the processing of personal data cumulatively meets at least one general criterion and one specific criterion:
1. Large-scale processing of personal data, this being the case when it covers a significant number of data subjects, also considering the volume of data involved, as well as the duration, frequency, and geographic extent of the processing performed; or
2. Processing of personal data that may significantly affect the interests and fundamental rights of data subjects, this being the case, among other situations, when the processing activity may prevent the exercise of rights or the use of a service, as well as cause material or moral damages to data subjects, such as discrimination, violation of physical integrity or of the right of publicity, financial fraud, or identity theft.
1. Use of emerging or innovative technologies;
2. Surveillance or control of areas accessible to the public;
3. Decisions made solely on the basis of automated processing of personal data, including those intended to define the personal, professional, health, consumer, and credit profile or aspects of the data subject’s personality; or
4. Use of sensitive personal data or personal data of children, adolescents, and the elderly.
The ANPD may also at any time request small data processing agents to prove this condition within a 15-day term.
Small processing agents are obliged to provide information on the processing of personal data or respond to requests from data subjects by electronic, printed or any other means that facilitates access to information by data subjects.
However, with regard to compliance with the obligation to prepare and maintain a record of personal data processing operations, the ANPD will provide a template for simplified registration.
Another simplification concerns the communication of security incidents, since the ANPD states it will provide for flexibility or a simplified communication procedure. It remains to be seen what kind of flexibility or procedure this will be.
The good news for small businesses is that they will not need to appoint a person in charge, as defined in the LGPD, as the individual who intermediates the company's communication with the ANPD and data subjects.
On the other hand, small processing agents must adopt the necessary administrative and technical measures based on minimum information security requirements for personal data protection, requiring compliance with the recommendations and best practices for prevention and security, including through guidelines. It is also possible to establish a simplified information security policy, which takes into account the implementation costs, as well as the structure, scale, and volume of operations, and which includes protection from unauthorized access and accidental or unlawful destruction, loss, modification, communication or any form of inappropriate or illicit processing.
Another good news for small processing agents is that they will always have a double deadline, (i) in responding to requests from data subjects regarding their personal data, (ii) in communicating the ANPD and the data subject about the occurred security incident that may cause significant risk or damage to the data subjects, pursuant to specific regulations, except when there is a potential compromise to the physical or moral integrity of the data subjects or to national security, in which cases the communication must meet the deadlines given to the other processing agents, in accordance with the terms of the above regulation, (iii) in providing a clear and complete statement indicating the source of the data, the lack of registration, the criteria used, and the purpose of the processing, with due regard to commercial and industrial secrets and (iv) with regard to the deadlines set forth in the regulations for the submission of information, documents, reports, and records requested by the ANPD to other processing agents. Indeed, even the simplified communication to the data subject can be provided within 15 days, while the LGPD sets forth an immediate deadline for other data processing agents.