Artigos

Brazilian data protection agency (anpd) opens public consultation on the obligation to appoint a dpo in micro-enterprises, Small Businesses and startups, signaling for release

Since the Data Protection Law (“Lei Geral de Proteção de Dados” – “LGPD”) entered into force, a lot has been said on the regulatory uncertainties that orbit the universe of regulation of the subject in micro-enterprises, small businesses, and startups. Among the several uncertainties, one in special has taken the sleep of most entrepreneurs: the obligation to appoint a DPO (Data Protection Officer, as provided by the European Union General Data Protection Regulation).

First of all, it is important to clarify that, according to the Law, the DPO is the person, within a company, responsible for accepting complaints and communications from the data subjects, providing explanations and taking actions, receiving communications from the national authority, guiding employees of the company on actions to be taken in connection with personal data protection, as well as performing other tasks determined by the controller or established in complementary rules.

The expectation on the requirement of his/her appointment is fully justifiable, not only because of the differentiated treatment given to these companies in Brazil, or due to the real possibility of sanction application by the National Data Protection Agency (“Agência Nacional de Proteção de Dados” - “ANPD”), but mainly because the LGPD itself sets forth that it is up to the national authority to establish hypotheses of exempting the need for such an appointment, taking into account “the nature and size of the entity or amount of data processing operations”.

However, worries arising from such uncertainties fortunately have their days numbered, insofar as ANPD opened on last Monday, August 08, 2021, a public consultation on specific rules for micro and small companies, startups, and non-profit legal entities (associations, foundations, religious organizations, political parties, etc.), besides individuals who also perform data processing.

From the agency’s perspective, the draft resolution presented aims to allow such companies, identified as "Small Processing Agents" (“Agentes de Tratamento de Pequeno Porte” – “ATPP”), to carry out simplified and differentiated procedures when handling personal data, facilitating the process of adaptation to the Law, and encouraging a culture of personal data protection, always based on the perspective that such measures do not contradict the rights assured to their owners.

In practical terms, the main topic of the resolution deals with the exemption of such ATPP from the duty to appoint a DPO, establishing that those who opt to use this license must provide a communication channel with the data subject, with the possibility of being represented by entities representing the business activity, by legal entities or individuals for purposes of negotiation, mediation and conciliation of claims presented by data subjects.

It is essential to highlight that the purpose of exemption from of hiring a DPO covers even the ATPP that performs data processing considered highly risky and on a large scale.

In addition, this measure also softens other obligations to these agents, such as:

  • Possibility of opting to meet the requests of the owners by electronic or printed means;
  • Exemption from the obligation to grant data portability to other products or services providers;
  • Authorization for providing a simplified statement confirming the existence of personal data processing, being exempted from delivering a statement of complete processing;
  • Permission to submit an impacting personal data protection report in a simplified manner and only upon requirement;
  • The granting of a doubled deadline to comply with the subjects’ requests, communication to ANPD and to the owner of the security incident.            

Another relevant matter for these agents is the exemption from the obligation to keep records of the processing of personal data transactions that have been carried out, providing the possibility of presenting a report of impacting personal data protection in a simplified manner, when required.

As to information security and good practices matters, the ANPD resolution provides that the ANPD will make available an orientation guide containing recommendations related to administrative and technical actions that must essentially and necessarily be taken, always considering the level of risk to privacy that is involved and the reality of the processing agent, allowing them to establish simplified information security policies, which contemplate essential requirements for the treatment.

This simplified information security policy shall consider the implementation costs, as well as the structure, scale, and number of operations to be carried out by the small processing agent, and also the sensitivity and criticality of data processed prior to the rights and freedoms of the subjects.

Despite the exemptions and flexibilizations, the provisions of the resolution do not apply to an ATPP who performs treatments considered highly risky for owners and of large scale. The operations are considered highly risky and of large scale when they involve:

  • Sensitive data or data belonging to vulnerable groups, including children, adolescents and elderlies;
  • Surveillance or control of publicly accessible zones;
  • Use of emerging technologies, which may cause material or moral damage to the holders, such as discrimination, violation of image and reputation rights, financial fraud and identity theft; or
  • Automated processing of personal data that affect the interests of the holders, including decisions aimed at defining their personal, professional, consumer and credit profile or aspects of their personality.

Finally, an inspection loophole is opened, insofar as, depending on the nature and number of operations, on the risks to owners, on the sensibility and criticality of the processed data, ANPD may extraordinarily determine these agents complying with the obligations exempted or softened by the resolution.

The public consultation is available on the Participa mais-Brasil platform, which is the only channel available to send contributions, which may take place until September 29, 2021. This platform also makes available the Regulatory Impact Analysis Report, the votes of the directors and a presentation explaining the participation in the platform.

A public hearing on the matter is also scheduled for September 14 and 15, 2021, which will be opened to the public with simultaneous transmission on the agency’s YouTube channel. On this occasion, previously registered interested persons will be allowed to comment on the provisions of the draft resolution.

The registrations to present oral arguments shall be made until 6 pm of September 9, 2021, through a form made available on the ANPD website.

Source:

Brazilian data protection agency (anpd) opens public consultation on the obligation to appoint a dpo in micro-enterprises, Small Businesses and startups, signaling for release Read article here (Brazilian data protection agency...)   |   PDF Download

IDIOMA / LANGUAGE