Brazil’s Data Protection Authority calls for contributions to regulate simplified ROPAs

On November 4, 2022, the Brazilian Data Protection Authority (ANPD) opened a call for public contributions for the draft of the simplified Record of Processing Activities (RoPA) to be adopted by small data processing agents.

Resolution CD/ANPD No. 2, of January 27, 2022 regulates the Brazilian General Personal Data Protection Law (Law No. 13,709/2018 – LGPD) for small data processing agents. The Resolution defines small agents as micro-enterprises, small companies, startups, and legal entities of private law, including non-profit entities, under the terms of the legislation in force. This also includes natural persons and non-personalized private entities that process personal data.

To be applicable, the definition also considers the gross revenue and the risk of the data processing performed.

RoPA Template

Keeping a Record of Processing Activities is an obligation under Article 37 of the LGPD that applies to controllers and processors. Article 9, sole paragraph of the Resolution, establishes that the ANPD will provide a template of simplified RoPA to be used by small data processing agents.

ANPD has published the first draft of the RoPA model, which is subject to comments and contributions within the scope of the call for public contributions.

Contributions from society can be made, in Portuguese, through the Participa + Brasil Platform until December 4, 2022.

For further information about the ANPD’s activities and other aspects of data protection, please contact Mattos Filho’s Data Protection & Cybersecurity practice area.