ANPD publishes Resolution regulating the application of LGPD provisions to small businesses

Beneficiaries of the Resolution

This Resolution applies to micro-enterprises, small businesses, startups, legal entities governed by private law, as well as individuals and depersonalized private entities that process personal data. Small processing agents that carry out high-risk processing for data subjects (processing of personal data on a large scale or that may significantly affect the interests and fundamental rights of data subjects) are not eligible for the differentiated legal treatment provided for in the Resolution (except for the provisions on Negotiation, Mediation and Conciliation detailed below).

Benefits

The Resolution modifies the requirements for small processing agents such that:

• They can fulfil the obligation to prepare and maintain a record of personal data processing operations (ROPAs) in a simplified way.
• They can follow a simplified security incident reporting procedure.
• They are not obliged to indicate the person in charge of processing personal data (DPO).
• They can establish a simplified information security policy.
• They may provide a simplified declaration confirming the existence or access to the data subject's personal data within a period of up to (15) fifteen days, counting from the date of the data subject's request.
• Their deadline will be doubled to:
  • Respond to requests from data subjects;
  • Communicate to the ANPD and data subjects the occurrence of a security incident that may cause significant risk or damage to data subjects, except when there is a potential compromise to the physical or moral integrity of data subjects or national security;
  • Provide a clear and complete statement on the processing of personal data;
  • Present information, documents, reports, and records requested by the ANPD to other processing agents.
• They may be organized through entities representing the business activity, by legal entities, or by individuals for the purpose of negotiation, mediation, and conciliation of complaints presented by data subjects (Negotiation, Mediation, and Conciliation).

The adoption of measures to adapt to the LGPD, as well as the implementation of security and privacy policies, even if simplified, will be positively considered among the parameters and criteria for the application of administrative sanctions by the ANPD.

The waiver or flexibility of the obligations set forth in the Resolution will not exempt small-scale processing agents from complying with other LGPD provisions, including the legal basis and principles, and other legal, regulatory, and contractual provisions relating to the protection of personal data, as well as rights of data subjects.

Next Steps

Our Privacy and Cybersecurity team is available to assist our clients with the design and implementation of compliance measures through best practices for information security.

Authored by Julio Cesar de Oliveira Alves and Felipe Lacerda.