In view of the difficulties that small businesses reported in complying with Law No. 13.709/2018 (the Brazilian General Data Protection Law, or LGPD), and after studies conducted by the Brazilian National Data Protection Authority (ANPD), including a public consultation and a public hearing on the subject, Resolution CD/ANPD No. 2, of January 27, 2022, was published in the official Brazilian press on January 28, International Data Protection Day. The Resolution approves the Regulation that makes the application of the LGPD more flexible for small businesses.
The Regulation applies to micro-enterprises, small businesses, startups, legal entities of private law (including non-profit ones) within the meaning of the law, as well as natural persons and unincorporated private entities that assume the typical obligations of a data controller or data processor. It does not apply to those that: (i) perform high-risk processing of personal data, meaning processing that (a) is carried out on a large scale or could significantly affect the interests and fundamental rights of data subjects and, at the same time, (b) uses emerging or innovative technologies, carries out surveillance or control of publicly accessible areas, takes decisions solely on the basis of automated processing of personal data, or uses sensitive personal data or data of children, adolescents or the elderly; (ii) generate gross revenue above the limit established in art. 3, II, of Complementary Law No. 123/2006 or, in the case of startups, in art. 4, § 1º, I, of Complementary Law No. 182/2021; or (iii) belong to a de facto or de jure economic group whose global revenue exceeds those limits.
Among the benefits provided for in the Regulation, two stand out: the records of personal data processing operations may be kept in a simplified form, following a simplified-registration template that the ANPD has yet to make available, and the security incident reporting procedure is also simplified, again according to specific regulations.
In addition, companies subject to the Regulation are exempt from appointing a data protection officer, provided that they make a communication channel available to the public through which data subjects can lodge complaints and communications, request clarifications and take other measures. Such companies also benefit from deadlines twice as long as those established for: (i) fulfilling data subjects' requests; (ii) communicating a security incident that may result in risk or damage, except where the incident may compromise the physical or moral integrity of the data subject or national security; (iii) providing, in response to the rights of access and of confirmation of the existence of processing, the clear and complete statement indicating the origin of the data, the absence of a record, the criteria used and the purpose of the processing; and (iv) presenting other information, documents, reports and records requested by the ANPD.
As for the simplified declaration provided in response to the rights of access and of confirmation of the existence of processing, which other processing agents must provide immediately, small business agents have a deadline of fifteen days.
It is also worth noting that certain measures, when adopted by small business processing agents, may count in their favor when any penalty for a possible violation of the law is graded. In this sense, appointing a data protection officer, even though the Regulation exempts them from doing so, will be considered a good practice and governance measure on the part of the small business agent.
Likewise, implementing a simplified information security policy will also be deemed a good practice and governance measure and will serve to demonstrate the internal mechanisms and procedures adopted to minimize harm and promote the safe and proper processing of data.
Finally, along the same lines, adopting the essential administrative and technical measures required by the minimum information security requirements for the protection of personal data, in light of the existing level of risk, as well as complying with the prevention and security recommendations and good practices disseminated by the ANPD, including through guidance documents, will also be taken into account in grading a possible penalty.