On January 28, the Brazilian National Data Protection Authority (“ANPD”) published Resolution CD/ANPD No. 2, which approved the Regulation for the application of Federal Law No. 13,709/18, known as the Brazilian General Data Protection Law (“LGPD”), to small-scale processing agents.
The Regulation sets forth that micro-enterprises, small businesses, startups, legal entities governed by private law (including non-profits), natural persons and depersonalized private entities that process personal data are considered small-scale processing agents. However, the processing agents indicated in article 3 that perform high-risk processing for data subjects, that earn gross revenue above the limits established by Complementary Law No. 123/06 or by Complementary Law No. 182/21 (for startups), or that belong to an economic group with global revenue above the limits indicated in the Complementary Laws will not be able to benefit from the terms of the Regulation.
Processing will be considered high-risk when the operation cumulatively meets at least one general criterion, such as: (a) the large-scale processing of personal data or (b) personal data processing that may significantly affect the interests and fundamental rights of the data subjects; and one specific criterion, such as: (a) use of emerging or innovative technologies; (b) surveillance or control of publicly accessible zones; (c) decisions made solely on the basis of automated personal data processing; and (d) use of sensitive personal data or personal data of children, adolescents and the elderly. The ANPD may provide guides and guidelines to support the assessment of high-risk processing; however, it is recommended that small-scale agents proactively assess their activities to evaluate whether the published Regulation can be applied to them.
As for the benefits brought by the Regulation, small-scale processing agents will be able to register their personal data processing operations in a simplified way, through a template that will be provided by the ANPD. In addition, the ANPD will provide for a flexible or simplified procedure for these agents to report security incidents. Security measures can also be simplified, with the adoption of essential and necessary measures according to the level of risk to the privacy of the data subjects and the reality of the processing agent.
Small-scale processing agents will also not need to appoint a person in charge of processing personal data (such as a Data Protection Officer), provided that a communication channel with the data subject is made available. Regarding the deadlines related to requests from data subjects, small-scale processing agents will have double the period to: (i) respond to requests from data subjects, (ii) communicate to the ANPD and the data subject the occurrence of a security incident (unless the fact may compromise the physical or moral integrity of the data subjects or national security), (iii) provide a clear and complete declaration of access requested by the data subject on the personal data processing, and (iv) present information, documents, reports and records requested by the ANPD. The ANPD will still determine the deadlines not indicated in specific regulations.