LGPD enforcement regulation for small data processing agents is in force

By Fabio Vieira, Eduarda Mourad, and Jhonata Candido

 

Resolution CD/ANPD No. 2, which approves the Regulations for the application of the Brazilian General Data Protection Law (“LGPD”) to small-sized data processing agents (“Regulation”), has been in force since January 28, 2022, the date on which it was published in the Union Official Gazette.

The Regulation applies to micro-enterprises, small businesses, startups, private legal entities, including non-profit legal entities as set forth by the applicable laws, natural persons, and impersonalized private entities that perform personal data processing, assuming typical controller or operator obligations.

To be classified as a micro-enterprise, a legal entity must have annual revenue equal to or less than R$ 244,000.00; to be classified as a small business, it must have annual revenue greater than R$ 244,000.00 and equal to or less than R$ 1,200,000.00, in accordance with Article 2 of Law No. 9.841/1. It is up to the processing agents to prove that they fit one of the above categories if the Brazilian National Data Protection Authority (“ANPD”) requests them to do so.

However, even if they fit one of these profiles, small-sized processing agents will not be able to benefit from the differentiated legal treatment provided by the Regulation if they (i) perform processing that is high-risk for data subjects, as defined in Article 4 of the Regulation; (ii) earn gross revenue exceeding the limit established by law; or (iii) belong to an economic group, in fact or in law, with global revenue exceeding that provided by law.

Because all processing agents need to adapt to the LGPD, and the high cost of doing so is unfeasible for small-sized agents, the Regulation also establishes the relaxation and waiver of some obligations, which include:

I. The registration of personal data processing operations may be done in a simplified manner, using a template to be provided by ANPD;

II. A simplified procedure for reporting security incidents – the ANPD will publish specific regulations on the subject;

III. Non-mandatory appointment of a Data Protection Officer (“DPO”) – should the small-sized processing agent choose not to appoint one, it must make a communication channel available to data subjects in order to assist them;

IV. The simplification of the Information Security Policy, which may contain only those items that are essential and necessary for the protection of personal data;

V. The granting of a double deadline for fulfilling data subjects’ requests and for communicating the occurrence of a security incident to ANPD and the data subject (except when the subject’s physical or moral integrity or national security is compromised).

Despite this flexibility, ANPD also points out that the Regulation does not exempt small-sized data processing agents from complying with the other provisions of the LGPD, including the legal bases and principles, the regulatory and contractual provisions relating to the protection of personal data, and the rights of the data subject.

The Regulation represents a major milestone for small-sized processing agents, and it is expected that compliance and enforcement under the LGPD, currently below the desired levels, will continue to grow as a result.

The Regulation can be fully accessed here.

This article is intended exclusively to provide information and does not contain any opinion, recommendation or legal advice from KV Advogados in relation to the matters herein addressed. Copyrights are reserved to Kestener & Vieira Advogados.