By: Leonardo Neri
The approval of the processing regulation for small-sized agents in relation to the General Data Protection Law (LGPD) was published on January 28, 2022, in the Federal Official Gazette. Based on the rules provided for in articles 55-J, XVIII, of Law No. 13,709; article 2, XVIII, Annex I of Decree No. 10,474; article 5, I, of the Internal Regulations of the ANPD, decided by the Board of Directors of the National Data Protection Authority, giving rise to the following order. This regulation presents the General Provisions, followed by Chapter 1, as well as the Preliminary Provisions: Affirming that this regulation does not apply to the processing of personal data carried out by natural persons for private and non-economic purposes, as well as for any situation that complies with article 4 of the LGPD. The following chapter seeks to define who is directly affected by the definition of the regulation. They are: Micro and Small Enterprises; Startups; Natural Persons and depersonalized private entities that process personal data, among others. Not being able to benefit from differentiated legal treatments provided for in this regulation, such as (carrying out high-risk processing for holders; who earn gross revenue above the limit established in art. 3, II of Complementary Law No. 123, of 2006 (R$360,000.00 and; who belong to an economic group whose global revenue exceeds the limits of R$360,000.00). Next, captioned as High-Risk Processing, will be considered the processing of personal data on a large scale (significant number of holders); emerging and/or innovative technologies; surveillance or control of areas accessible to the public; decisions made based on automated processing of personal data (including those intended for defining the personal, professional, health, consumption, credit or personality aspects of the holder), or even regarding the use of sensitive personal data of children, adolescents and the elderly. It is necessary for the small-scale processing agent to make information on personal data available, whether electronically, printed or by any other means. ensured by the LGPD. Following the same line, records of processing activities must follow the standards set forth in article 37 of the LGPD. Furthermore, regarding the communication of security incidents, it is worth noting that the ANPD will make it more flexible for small-scale agents. Furthermore, it is important to note that there is no obligation for the aforementioned companies to appoint a Data Protection Officer; however, they will need to provide a communication channel to serve the data subjects. However, if they choose to appoint a Data Protection Officer, it will be considered good practice. On another topic, it is worth mentioning that in this new regulatory environment, the deadlines will be simplified, in 15 days. Finally, the final provisions state that the ANPD may determine that the small-scale processing agent must comply with the obligations waived or made more flexible in said regulation, taking into account circumstances of immense relevance, such as the nature or operational volume of the data processing assessed.