Brazilian Data Protection Authority (Autoridade Nacional de Proteção de Dados – “ANPD”) published Resolution CD/ANPD No. 2 of January 27, 2022, regulating the application of Law No. 13,709/ 2018 – the General Personal Data Protection Law (LGPD) for small agents (“APP”) that carry out activities related to the control of personal data, last Friday (01/28).
The regulation softens some LGPD obligations for the following agents:
- Microenterprises and small businesses: in accordance with the definitions of the Brazilian Civil Code and the National Statute of Microenterprises and Small Businesses;
- Startups: business or corporate organizations, beginning or recently in operation, whose performance is characterized by innovation applied to the business model or the products or services offered and that meet the requirements set out in the Legal Framework for Startups;[1]
- Private legal entities, including non-profits with a maximum revenue of BRL 4.8 million, as provided for in the National Statute of Microenterprises and Small Businesses.
For these agents, the registration of processing operations, as well as the communication of data breach, will be done in a simplified form, based on the model/procedure that will be made available by the ANPD itself. In addition, several communication deadlines before data subject and ANPD will be counted in an extended way or doubled.
Furthermore, APPs will not be required to appoint a DPO. However, a communication channel must be maintained with the data subject, and if a company choose to appoint a DPO, it will be considered as a policy of good practices and governance, being taken into account when applying any sanctions for non-compliance with the LGPD.
There are also definitions, concerning security criteria and good practices for APPs, which must adopt minimum measures to protect data from unauthorized access and accidental or illicit situations of destruction, loss, alteration, communication, or any form of inappropriate or illegal processing. These policies may consider implementation costs, as well as structure, scale, and volume of the agent’s operations, as simplification and limiting factors.
Important: the flexibilizations considered do not apply to agents that carry out processing defined as “high risk,” even if they fit the definitions of the regulation, which are: (i) large-scale processing or (ii) ones that may significantly affect the interests and fundamental rights of the holders. In both of these cases, these processing must be characterized by the following criteria: a) the use of emerging or innovative technology; b) the use of surveillance technology or the control of spaces open to the public; c) those who make decisions on the sole basis of automated processing of personal data; or d) the use of sensitive personal data or personal data related to children, adolescents, and the elderly.
It is important to highlight that there is no quantitative definition of what a large-scale processing would be. The regulation only defines a processing as that which covers a significant number of data subjects, considering the volume of data involved, the duration, the frequency, and the geographic extent of the processing. The processing of personal data that could significantly affect interests and fundamental rights will be characterized as those in which the processing activity may prevent rights being exercised or the use of a service, as well as causing material or moral damages to the data subject, such as discrimination, violation of physical integrity, the right to image and reputation, financial fraud, or identity theft, among others.
[1] According to Startups Legal Framework (Complementary Law No. 182/2021), individual entrepreneurs, individual limited liability companies, business companies, and cooperative and simple companies that meet the following criteria are eligible for inclusion in this modality: (i) gross revenue up to BRL 16 million in the previous calendar year or BRL 1.34 million multiplied by the number of months in the previous calendar year when the company has been active for less than 12 months; (ii) registration with a CNPJ for up to 10 years; and that (iii) meet one of the following requirements: a) declaration in its constitutive act or one amending the use of innovative business models for the generation of products or services or b) classification in the special Inova Simples regime.