ANPD Regulation for Small Data Processing Agents
09 Feb, 2022


On Data Protection Day, January 28th, the Brazilian National Data Protection Authority (ANPD) published Resolution CD/ANPD No. 2/2022, which regulates the application of the Brazilian General Law on Personal Data Protection (LGPD) to small data processing agents.

This is great news, as complying with the LGPD can put a serious strain on smaller businesses. From now on, businesses that fall under the definition of “micro and small enterprises”, such as a small e-commerce business that sells sports clothing nationally or the bakery around the corner with 20 employees, enjoy certain exemptions, like not having to appoint a full-time Data Protection Officer (DPO).

Not having to appoint a DPO is one of the many exemptions the resolution presents. The regulation is meant to make it affordable and feasible for micro and small-sized companies to comply with the data protection law and protect their clients and businesses.

We summarised the main points you need to know on the topic and which aspects of the regulations were simplified.


1. To whom do the Regulation's benefits apply?

Businesses with annual revenue of less than R$ 4,800,000.00 (or approx. US$ 1,000,000) that are legally registered as micro and small enterprises can benefit from the Regulation.

This includes startups. To be considered a startup in Brazil, the company must meet the criteria set out in the Brazilian Complementary Law No. 182/2021, such as: (A) the business is in the early stage of its operations (less than ten years since it was legally registered) and (B) the business is characterised by innovation applied to the business model or the products or services offered.

There are, however, a few exceptions. Companies cannot benefit from the Regulation when they process personal data on a large scale or in a way that may significantly affect the interests and fundamental rights of data subjects. This includes:

A. Processing personal data of children and elderly people.

B. Processing data of surveillance cameras or control of areas accessible to the public, such as shopping centers, public roads, bus and train stations.

C. Processing data to create a profile of the data subject, such as professional, health, consumer and credit profiling, and make decisions solely based on that automated processing.

2. The Benefits of the Regulation

The Regulation does not exempt small data processing agents from complying with the LGPD. Compliance with the LGPD remains necessary. What the Regulation does is adapt some of the obligations set out in the LGPD to make them suitable and affordable for micro and small companies. The adapted obligations are the following:


2.1 Right of Access

The LGPD states that, when requested by the data subject, companies must make available information about the processing of personal data, such as the purpose, form and duration of the processing.

According to the LGPD, this can be done (A) by electronic means, secure and suitable for this purpose, or (B) in printed form.

But to simplify this process and to make the response more important than the format, the Regulation provides a third option for micro and small companies to respond to a data subject’s access request, namely:

(C) Any other means that ensures the rights provided in the LGPD and the facilitated access to the information by the controller.




2.2 Registration of Processing Activities

The LGPD requires companies to register all of their data processing in detail, indicating, among other things: a) the controller’s name and contact information; b) the purpose of the processing; c) the categories of recipients to whom the personal data has been or will be disclosed; and d) information about international transfers of the data and the safeguards taken.

For the small data processing agents, the Regulation states that this data processing register can be done in a simplified manner and that the ANPD will provide a model for it.

Even though the model is not yet available, it is still good news for micro and small companies to know that registering the operations will not be that complex and demanding, making it easier for them to be compliant with data protection legislation.


2.3 Information Security

Sometimes micro and small companies are businesses that don’t require much technology to function, or, in other cases, their businesses do not have relevant information security risks.

For this reason, the Regulation states that small data processing agents can take the essential and ultimately necessary administrative and technical measures, based on minimum information security requirements for the protection of personal data.

The ANPD has issued an Information Security guide for small data processing agents, suggesting that they should have at least an information security policy covering controls related to the processing of personal data, such as: a) security copies; b) use of passwords; c) access to information; d) sharing of data; e) updating of software; f) use of e-mail; and g) use of antivirus software.


2.4 Data Protection Officer

As mentioned at the beginning, the LGPD demands that the controller of personal data designate a Data Protection Officer to act as a communication channel between the controller, the data subjects and the ANPD.

The Regulation loosens this rule, stating that small data processing agents are not obliged to designate a DPO and that it is enough for them to open a communication channel for the data subject in order to: a) receive complaints and b) provide answers and clarifications.


2.5 Deadlines

Small data processing agents will be allowed double the time granted in the LGPD to provide responses in the following situations:

A. In meeting the requests of data subjects regarding the processing of their personal data.

B. When communicating to the ANPD and the data subject the occurrence of a security incident that may cause risk or relevant damage to the data subjects.

C. On deadlines established in regulations, documents, reports and records requested by the ANPD from other processing agents.

For example, the ANPD recommends that data privacy incidents, such as a data breach, be communicated to the data subject within two workdays. In the case of small data processing agents, this period is four days.

Also, small data processing agents may provide the confirmation of existence of, or give access to, personal data to the data subject up to fifteen days from the date of the request, whereas under the LGPD the deadline is to provide this answer immediately after the request.


3. Compliance

Finally, if requested by the ANPD, small data processing agents will be obliged to show proof, within fifteen days, that they comply with the legal provisions of the Regulation.


4. How we can help

The new Regulation made the requirements set out in the LGPD more suitable for micro and small businesses to comply with. But even with the simplification of the procedures by the Regulation, running an LGPD compliance program in your company is still very much needed.

Being compliant with the ever-changing data privacy laws and regulations around the world can be a challenge, but with Palqee’s specialised counselling and support that will not be a concern and you will be ahead of your competitors.

Palqee is an online platform to manage data processing and fully implement a compliance program for data protection laws. We have the answer for what your business needs to easily and affordably comply with any requests from the data protection authorities and data subjects.

Our platform will provide you and your employees with an uncomplicated experience while going through the data privacy program we offer. Palqee’s platform is user-friendly and accessible to everyone; you don’t have to worry about being an IT expert to operate it and manage the tasks.

At Palqee we keep it simple: with a guided and jargon-free compliance program we help you increase your efficiency while improving your security and protecting your business. Get in touch with us or book a demo here.



