By: Leonardo Neri
A draft resolution was promulgated by the National Data Protection Authority (ANPD), which defined the flexibility of the mandatory appointment of the data protection officer for: small micro-enterprises; startups; non-profit legal entities; small-scale treatment agents (excluding agents of the same theme that have maximum revenue in accordance with art.4, §1, I, of Complementary Law 128/21); and areas accessible to the public. It is worth noting that, in art. 3, the exemption and flexibility are not adopted for small agents who carry out actions of high risk (sensitive data; surveillance of accessible public areas; emerging technology; automated processing) and in large scale (significant number of holders; volume of data; duration; frequency and geographical extent) on the holder, with the exception of that provided for in § sole paragraph of art.13 (small-scale agent who does not indicate a manager will provide a communication channel with the data owner. Furthermore, in §3 of the same ordinance, it was illustrated that it will not be considered large scale employee data for exclusive or management purposes.
However, Article 4 mentions that it will be the responsibility of the small-scale agent to prove that he/she complies with the provisions of the previous articles.
It is noted that due to the registration activity, the small-scale treatment agents will be exempt from obligations constants node art. 37 of the LGPD. Furthermore, the ANPD will provide means of voluntary and simplified registration, as well as simplified provision, if required, of the data protection impact report and communications of security incidents, with the possibility of exemption or flexibility of the last mentioned.
Furthermore, due to the administrative practices, it is necessary that the party in question, adopt essential and necessary technical measures, based on the minimum information security requirements (such as simplified policies, considered by the ANPD, in part of articles 6, X and in art.52, §1º, VIII and IX of the LGPD, taking into consideration of costs; structure; scale and operational volume), for data protection.
Finally, the ANPD will provide guidance guides for adaptation. There is still no date for the draft to come into effect.
To clarify doubts and make the draft official, the Agency made consultations available from September 14th and 15th, 2021, with a period of 30 days, and everyone could collaborate with suggestions for decision-making, through the means available on the platform.
To access the public hearing, interested parties must express their interest by pre-registration on 09/09/2021, and the session will be open, but those previously registered will be able to express their opinion on the draft, which will be broadcast on YouTube on the ANPD channel.