LGPD application for small processing agents

On January 27, 2022, the Brazilian National Data Protection Authority (“ANPD”), published Resolution CD/ANPD No. 02, approving the regulation of LGPD application for small processing agents, which include micro-companies, startups and people who perform activities involving the processing of personal data, assuming typical obligations of controller or processor.

The Resolution promotes an exclusive treatment for small data processing agents, through simplified documents and flexible deadlines, for example. However, according to the Resolution, those that (i) perform high-risk processing, (ii) have gross revenues exceeding the limit established in art. 3, item II, of Complementary Law No. 123 of 2006 or, in the case of startups, in art. 4, §1, item I, of Complementary Law No. 182 of 2021; or (iii) belong to an economic group whose global revenues exceed the aforementioned limits, may not benefit from such exclusive legal treatment. It should be noted that, when requested by the ANPD, the processing agent must prove its adherence to the provisions of art. 2 and art. 3 of the regulation within 15 days.

Lastly, the ANPD states that it may provide guidelines with the purpose of assisting in the evaluation of high-risk data processing and on the facilitation or simplified procedures for security incident communications.

In order to provide an overview of the Resolution, Demarest has prepared a guide for Small Data Processing Agents.

Demarest’s Privacy, Technology and Cybersecurity team is at your disposal should you need any further clarifications.