[co-authors: Julio Cesar, Oliveira Alves and Felipe Lacerda]
On January 27, 2022, the National Data Protection Authority (ANPD) published Resolution nr. 2, regulating the application of certain provisions of the General Personal Data Protection Act (LGPD) to small processing agents, including, among others, the waiver of the obligation to appoint a DPO and simplified procedures for complying with obligations under LGPD regarding the preparation of ROPAs and the report of security incidents.
Beneficiaries of the Resolution
This Resolution applies to micro-enterprises, small businesses, startups, legal entities governed by private law, as well as individuals and depersonalized private entities that process personal data. Small processing agents that carry out high-risk processing for data subjects (processing of personal data on a large scale or that may significantly affect the interests and fundamental rights of data subjects) are not eligible for the differentiated legal treatment provided for in the Resolution (except for the provisions on Negotiation, Mediation and Conciliation detailed below).
Benefits
The Resolution modifies the requirements for small processing agents such that:
- They can fulfil the obligation to prepare and maintain a record of personal data processing operations (ROPAs) in a simplified way.
- They can follow a simplified security incident reporting procedure.
- They are not obliged to indicate the person in charge of processing personal data (DPO).
- They can establish a simplified information security policy.
- They may provide a simplified declaration confirming the existence or access to the data subject's personal data within a period of up to (15) fifteen days, counting from the date of the data subject's request.
- Their deadline will be doubled to:
- Respond to requests from data subjects;
- Communicate to the ANPD and data subjects the occurrence of a security incident that may cause significant risk or damage to data subjects, except when there is a potential compromise to the physical or moral integrity of data subjects or national security;
- Provide a clear and complete statement on the processing of personal data;
- Present information, documents, reports, and records requested by the ANPD to other processing agents.
- They may be organized through entities representing the business activity, by legal entities, or by individuals for the purpose of negotiation, mediation, and conciliation of complaints presented by data subjects (Negotiation, Mediation, and Conciliation).
The adoption of measures to adapt to the LGPD, as well as the implementation of security and privacy policies, even if simplified, will be positively considered among the parameters and criteria for the application of administrative sanctions by the ANPD.
The waiver or flexibility of the obligations set forth in the Resolution will not exempt small-scale processing agents from complying with other LGPD provisions, including the legal basis and principles, and other legal, regulatory, and contractual provisions relating to the protection of personal data, as well as rights of data subjects.
Next Steps
Our Privacy and Cybersecurity team is available to assist our clients with the design and implementation of compliance measures through best practices for information security.
[View source.]
