Resolution regulates processing agents’ Brazilian data protection obligations
Regulation set to provide greater flexibility and exemptions for companies qualifying as small processing agents
On January 27, 2022, the Brazilian Data Protection Authority (ANPD) approved a resolution regulating how the Brazilian General Data Protection Law (LGPD) applies to small processing agents.
Micro-enterprises, small businesses, startups, legal entities governed by private law (including non-profit organizations, natural persons and depersonalized private entities) may all qualify for a special data processing framework provided for in the resolution, on condition that they do not:
- Carry out high-risk data processing in line with criteria established by the resolution;
- Earn more than BRL 4.8 million in gross revenue in a given calendar year (for startups, BRL 16 million in the previous calendar year, or when less than 12 months old, BRL 1.33 million multiplied by the number of months of business activity); or
- Belong to a de facto or de jure economic group whose global revenue exceeds the limits mentioned above.
In contrast to micro-enterprises, small companies and startups, the new resolution does not clearly define non-profit entities. This, therefore, has the potential to create doubt about which non-profit entities could benefit from the special framework. Further contributing to this uncertainty is the fact that most non-profit entities – especially philanthropic entities in the areas of health, education and social assistance – process sensitive personal data or the personal data of children, adolescents and the elderly, precisely one of the criteria the resolution uses to define high-risk data processing.
Nevertheless, the resolution introduces important exemptions and increased flexibility for agents eligible for the special framework. We highlight some of the provisions below:
- Designating a data protection officer to process personal data (as per the LGPD) is no longer required;
- A record of personal data processing operations can be prepared and maintained in a simplified manner, in line with a template the ANPD will make available;
- The ANPD will implement simplified and more flexible security incident reporting procedures;
- Agents may organize themselves into commercial representative entities to negotiate, mediate or reconcile complaints from data subjects.
The resolution determines that small agents will benefit from extended deadlines in certain circumstances, such as when fulfilling data subjects’ rights, or when reporting a security incident to the ANPD and data subject (except when not in the interests of national security or if there is potential to compromise subjects’ physical or moral integrity).
However, the special processing framework’s benefits and added convenience do not exempt small processing agents from complying with the LGPD’s other provisions (including legal bases, principles and rights of data subjects), or other legal, regulatory and contractual provisions concerning personal data protection.
For further information about the new processing framework, please contact Mattos Filho’s Data Protection & Cybersecurity and Civil Society Organizations, Social Business & Human Rights practice areas.