The approval of the regulation of the Inspection process and the Sanctioning Administration Process by the National Data Protection Authority (ANPD) was published on October 29, 2021 in the Official Gazette of the Union.
The resolution is divided into four titles. The General Provisions, broken down into 14 articles, cover the preliminary provisions and definitions, which are as follows:
I – Regulated agents: processing agents and other members or interested parties in the processing of personal data;
II – Indicted: regulated agent who, once sufficient evidence of infringing conduct has been identified, has an administrative sanctioning process instituted against him/her, by means of a notice of infraction;
III – Complaint: communication made to the ANPD by any person, natural or legal, of an alleged violation committed against the country's personal data protection legislation, which is not a petition from the holder;
IV – Obstruction of inspection activities: direct or indirect act, whether by commission or omission, of inspection or its premises, which prevents, hinders or obstructs the inspection activities carried out by the ANPD, by offering obstacles to the situation of agents, refusing to provide service, and not sending or sending untimely any data and information pertinent to the obligation of the regulated agent;
V – Petition from the holder: communication made to the ANPD by the holder of personal data of a request submitted to the controller and not resolved within the period established in the regulations, in accordance with item V of art. 55-J of the LGPD; and
VI – Request: set of types of communication, including the petition of the holder and the complaint.
The General Provisions also cover the duties of regulated agents and the procedural provisions.
Next come the duties of regulated agents, who, in addition to monitoring, have the following duties:
I – Provide copies of documents, physical or digital, data and information relevant to the assessment of personal data processing activities, within the timeframe, location, format and other conditions established by the ANPD;
II – Allow access to facilities, equipment, applications, facilities, systems, tools and technological resources, documents, data and information of a technical, operational and other nature relevant to the assessment of personal data processing activities, in their possession or in the possession of third parties;
III – Enable the ANPD to have knowledge of the information systems used to process data and information, as well as their traceability, updating and replacement, making available the data and information originating from these instruments;
IV – Submit to audits carried out or determined by the ANPD;
V – Keep physical or digital documents, data and information for the periods established in legislation and specific regulations, as well as for the entire period of processing of administrative processes in which they are necessary; and
VI – Provide, whenever requested, a representative capable of supporting the ANPD’s activities, with the knowledge and autonomy to provide data, information and other aspects related to its purpose.
The procedural provisions follow; they apply to interactions between ANPD units and regulated agents.
Title 2 covers the inspection process, in articles 15 to 36. It starts with the general provisions on the means of inspection, focused on responsive action, followed by the monitoring activity, which requires a report on the monitoring cycle. This report is an instrument for assessment, accountability and planning of the ANPD's inspection activities, which:
I – will assess the inspection activities carried out in the monitoring cycle, including priority topics, presenting indicators and results;
II – will direct the strategy of guidance, preventive and repressive action and the measures to be adopted, including throughout the following cycle; and
III – will consolidate the information obtained from requests and incident reports, as well as from other sources of input received by the General Coordination of Inspection.
In keeping with the monitoring method, the title reaffirms the presence of a Map of Priority Themes, which will be reformulated every two years and will establish the priorities that will be decided by the ANPD. The criteria used by the Authority will be risk, severity, currentness and relevance, encompassing:
I – the memory of the decision-making process that led to the selection and prioritization of topics, including the prioritization methodologies used;
II – the objectives to be achieved and the parameters or indicators used to measure the achievement of these objectives, where applicable;
III – schedule of its execution; and
IV – the indication of the need for interaction with other entities or bodies of the public administration, as well as with data protection authorities in other countries.
It is worth mentioning that the Receipt of Requests will be verified by:
I – the ANPD’s competence to assess the matter;
II – the identification of the applicant or, if applicable, anonymity in this case;
III – the legitimacy of the applicant;
IV – the identification of the alleged processing agent, where applicable; and
V – the description of the correct fact.
Furthermore, in the same title, it is understood that the guidance activity will help the ANPD to promote measures that aim to guide awareness and education of agents and/or interested parties in the care of personal data, through:
I – preparation and provision of good practice guides and document templates to be used by data processing agents;
II – suggestion to regulated agents to carry out training and courses;
III – development and provision of self-assessment of compliance and risk assessment tools to be used by data processing agents;
IV – recognition and dissemination of good practice and governance rules; and
V – recommendation of:
- a) use of technical standards that facilitate control by holders of their personal data;
- b) implementation of a Privacy Governance Program; and
- c) compliance with codes of conduct and good practices established by certification bodies or other responsible entities.
And finally, Title 2 addresses Preventive Activity, which aims to redirect the agent to treatment that avoids or remedies situations that would generate risks to the holder of personal data.
Title 3, in articles 37 to 69, deals with repressive activity, aimed at the administrative sanctioning process and its aspects. The investigation of violations of data protection legislation can be initiated in the following ways:
I – ex officio by the General Coordination of Inspection;
II – as a result of the monitoring process; or
III – in the face of a request in which the General Coordination of Inspection, after carrying out the admissibility analysis, decides to immediately open a sanctioning process.
It is divided into sections covering the preparatory procedure, the initiation and instruction phases, the decision phase by the General Coordination of Inspection, the appeal phase, compliance with the decision and registration in the active debt, and review.
Furthermore, the final and transitional provisions make it very clear that the monitoring cycle will only begin in January of next year.
Source: https://www.in.gov.br/en/web/dou/-/resolucao-cd/anpd-n-1-de-28-de-outubro-de-2021-355817513