09 Feb ANPD PUBLISHES REGULATORY CALENDAR 2021-2022
On January 27, 2021, the Brazilian National Data Protection Authority (“ANPD”) published the regulatory calendar for the years of 2021 and 2022, through Ordinance No. 11/2021.
The regulatory calendar was approved by ANPD Head-Council during Deliberative Meeting No. 1, encompassing ten (10) Regulatory Projects (“Projects”), separated by priority levels.
The regulatory process for Projects in Phase 1 shall begin in up to a year from the calendar’s publication date. Projects in Phase 2 have a deadline of a year and six (6) months. The last group of Projects, in Phase 3, shall have its regulatory processes initiated within two (2) years.
Phase 1 encompasses six (6) Projects:
(i) issuance of ANPD Internal Regulation, through ordinance;
(ii) issuance of 2021-2023 Strategic Planning, with aims to be reached by ANPD and its respective deadlines, as well as strategic actions for so, through ordinance;
(iii) creation of a different regulation for micro companies and small-sized companies, including issuance of guidelines over the matter, as established by Brazilian General Data Protection Law (“LGPD”), article 55-J, through resolution;
(iv) definition, on a separated set of rules, of administrative sanctions due to LGPD breaches, guidelines to calculate the grounds for monetary fees, circumstances and conditions to apply monetary punishment, through resolution;
(v) regulation of communications to ANPD and personal data subjects regarding security incidents that may result into relevant risk or damage to data subjects, through resolution; and
(vi) and issuance of rules and procedures regarding personal data protection and privacy, as well as personal data protection impact reports for situations on which data processing presents high risk to personal data protection general principles, through resolution.
In Phase 2, there are two (2) Projects,
(i) establishment of complementary rules regarding the definition and duties of the data protection officer, including when its appointment can be waived, depending on the entity’s nature and size or the amount of data processing operations, through resolution; and
(ii) regulation of personal data international transfer, set forth on articles 33, 34, 35, LGPD, thorough resolution.
Finally, there are two (2) additional Projects in Phase 3:
(i) regulation of personal data subjects’ rights, including, but not limited to articles 9th, 18, 20 and 23, LGPD, through resolution; and
(ii) issuance of a document to guide the public over LGPD applicability grounds and legal circumstances regarding several topics, including, but not limited to legal circumstances described on article 7th, LGPD, through Best Practices Guideline.
The Projects set forth on the regulatory calendar shall be considered for the draft of ANPD National Personal Data Protection and Privacy Policy guidelines, which may also use other sources.
It is relevant to highlight, however, that ANPD Head-Officer, a position currently occupied by Mr. Waldemar Gonçalves Ortonho Junior, may alter the targets established on the regulatory calendar, after the Head-Council deliberates, if it is convenient and appropriate for ANPD.
This article is intended exclusively to provide information and does not contain any opinion, recommendation or legal advice from Kestener & Vieira Advogados concerning the matters herein addressed. Copyrights are reserved to Kestener & Vieira Advogados.
No Comments