News

Regulation approved for small-scale processing agents under the LGPD

March 2, 2022

By: Leonardo Neri

The approval of the regulation on small-scale processing agents under the General Data Protection Law (LGPD) was published on January 28, 2022, in the Official Gazette of the Union. It was decided by the Board of Directors of the National Data Protection Authority (ANPD) on the basis of Article 55-J, XVIII, of Law No. 13,709; Article 2, XVIII, Annex I of Decree No. 10,474; and Article 5, I, of the ANPD Internal Regulations, giving rise to the following order.

The regulation opens with the General Provisions, followed by Chapter 1 and the Preliminary Provisions, which state that the regulation does not apply to the processing of personal data carried out by natural persons for private and non-economic purposes, or to any situation that falls under Article 4 of the LGPD.

The following chapter defines those directly affected by the regulation. They are: microenterprises and small businesses; startups; and natural persons and depersonalized private entities that process personal data, among others. Agents cannot benefit from the differentiated legal treatment provided for in this regulation if, for example, they carry out high-risk processing for data subjects; earn gross revenue above the limit established in art. 3, II of Complementary Law No. 123, of 2006 (R$360,000.00); or belong to an economic group whose global revenue exceeds the limit of R$360,000.00.

Next, under the heading of High-Risk Processing, the following will be considered: the processing of personal data on a large scale (a significant number of data subjects); emerging and/or innovative technologies; surveillance or control of areas accessible to the public; decisions taken based on automated processing of personal data (including those intended to define the personal, professional, health, consumption, credit or personality aspects of the data subject); or the use of sensitive personal data of children, adolescents and the elderly.

The small-scale processing agent must make personal data information available, whether electronically, in print or by any other means guaranteed by the LGPD.

Along the same lines, records of processing activities must follow the standards set out in article 37 of the LGPD. Furthermore, regarding the communication of security incidents, it is worth noting that the ANPD will be more flexible for small-scale agents. 

It is also important to note that there is no obligation for the aforementioned companies to appoint a Data Protection Officer; however, they will need to provide a communication channel to assist data subjects. If they do choose to appoint a Data Protection Officer, this will be considered good practice.

On another topic, it is important to mention that in this new regulatory environment the deadlines will be simplified, in 15 days.

Finally, the final provisions state that the ANPD may determine that the small-scale processing agent must comply with the obligations waived or made more flexible in the regulation, taking into account circumstances of immense relevance, such as the nature or operational volume of the data processing assessed.

Source: https://in.gov.br/en/web/dou/-/resolucao-cd/anpd-n-2-de-27-de-janeiro-de-2022-376562019 
