ANPD Board of Directors approves application of LGPD regulation for small data processing agents

On January  27, the Brazilian Data Protection Authority (ANPD) published Resolution CD/ANPD No. 02, approving the application of LGPD regulation for small data processing agents, among which are micro-companies, startups and people who carry out activities involving the processing of personal data, assuming the respective obligations of controller or processor.

The Resolution promotes differentiated treatment for small data processing agents — for example, they are not obliged to indicate the DPO as required in art. 41 of the LGPD, but must provide a communication channel with the data subject in order to comply with art. 41, § 2, item I. They can also provide several documents in a simplified form, such as the information security policy and the registry of personal data processing operations data mapping.

In addition, a double period will be granted to respond to requests from data subjects or to communicate to the ANPD and data subjects a security incident that may pose a significant risk or result in damage, for example.

However, according to the Law, the benefit of differentiated legal treatment is not applicable to those that (i) perform high risk processing, (ii) have gross revenues exceeding the limit established in art. 3, item II, of Complementary Law No. 123 of 2006 or, in the case of startups, in art. 4, § 1, item I, of Complementary Law No. 182 of 2021; or (iii) belong to an economic group whose global revenues exceed the limits aforementioned. It should be noted that, when requested by the ANPD, the processing agent must prove within 15 days that it is in compliance with the provisions of art. 2 and art. 3 of the regulation.

Finally, the ANPD states that it will be able to provide guidelines with the aim of assisting in the evaluation of high-risk data processing and on greater flexibility or simplified procedures for security incident communications.