LGPD for Startups and Small Businesses: New Regulation

ANPD - Resolution n. 2, 27/01/22

Regulation implementing Law 13.709/2018 for small processing agents

 

The ANPD has approved the long-awaited LGPD Enforcement Regulation for small agents.

It is important to clarify that the Resolution does not exempt small agents from complying with the Law. On the contrary, its article 6 states: "The exemption or relaxation of the obligations set out in this regulation does not exempt small processing agents from complying with the other provisions of the LGPD, including the legal bases and principles, other legal, regulatory and contractual provisions relating to the protection of personal data, as well as rights of the data subjects".

Main points of the Resolution:

  • Beneficiaries: micro-companies and small-sized companies (entrepreneurial company, simple company, single-person limited company, in accordance with art. 41 of Law no. 14.195, of 26 August 2021, and the entrepreneur referred to in art. 966 of Law no. 10.406, of 10 January 2002 (Civil Code), including the individual microentrepreneur); startups; legal entities of private law, including non-profit entities; and natural persons and unincorporated private entities that process personal data, assuming the obligations of a controller or operator;
  • The obligation to prepare and maintain a register of personal data processing operations may be simplified. In this case, the ANPD will provide a model which may be used;
  • Small data processors may organise themselves through business representation bodies for the purpose of negotiating, mediating and conciliating requests submitted by data subjects;
  • The appointment of an Officer/DPO may be waived; however, if one is appointed, this will be considered good practice and governance policy in the event of a breach;
  • Even where the appointment of the Officer/DPO is waived, the agent must provide a channel of communication with the data subject;
  • The small agent may have a simplified information security policy, provided that it addresses the essential requirements for handling personal data and deals with unauthorised access, destruction, loss of data, alteration, etc.;
  • Agents will have twice the usual time to comply with requests from data subjects, to notify the ANPD and the data subject in the event of a security incident, and to provide a clear and complete statement.

Processing agents are not eligible for these benefits if they:

1) carry out high-risk processing for the data subjects (large scale, affecting fundamental rights and interests);

2) have gross revenue higher than the limit set in Law 123/06, art. 3, II, or, in the case of startups, in Law 182/21, art. 4, paragraph 1, I;

  • Small companies: those which, in each calendar year, have gross revenue greater than R$ 360,000.00 and equal to or less than R$ 4,800,000.00.
  • Micro-companies: those which, in each calendar year, have gross revenue equal to or less than R$ 360,000.00, while the individual microentrepreneur may have maximum annual revenue of R$ 81,000.00.
  • Startups: individual entrepreneurs, individual limited liability companies, entrepreneurial companies, cooperative societies and simple societies with gross revenue of up to R$ 16,000,000.00 in the previous calendar year, or R$ 1,333,334.00 multiplied by the number of months of activity in the previous calendar year, when less than 12 months; which have up to 10 years of enrollment in the National Register of Legal Entities (CNPJ); and which meet one of the requirements listed in art. 4, § 1, item III, of Complementary Law No. 182/2021.

3) belong to an economic group with revenue exceeding that mentioned in item 2.

Even so, the ANPD may require a small processing agent to comply with obligations that the regulation waives or relaxes.
