November 02, 2022

Brazil Limits New Privacy Law's Obligations on Small Entities

On Jan. 27, 2022, Brazil's Data Protection Agency (ANPD) adopted Resolution ANPD No. 2 (the "Resolution"), limiting Brazil's Data Protection Law (LGPD) obligations on small entities.

Processing Agents

Similar to the European GDPR, the LGPD categorizes businesses subject to the law as either "controllers" or "processors." However, the LGPD also groups these two categories together under one definition: "processing agent."[1] Processing agents are generally required to meet a number of compliance obligations similar to the obligations placed on controllers and processors under the GDPR.

Processing agent obligations include:

  1. Keep and maintain a record of processing operations (e.g., a data inventory)[2]
  2. In some circumstances, conduct data protection impact assessments[3]
  3. Verify processors' compliance with controller's processing instructions[4]
  4. Appoint a data protection officer[5]
  5. Adopt security, technical, and administrative measures to protect personal data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication, or any type of improper or unlawful processing[6]
  6. Notify the ANPD and impacted data subjects of security incidents that create risk or relevant damage to the data subjects[7]

Small Processing Agents

This Resolution limits the LGPD obligations of "small-sized processing agents." The Resolution defines "small-sized processing agents" as micro-companies, small companies, startups, and "legal entities governed by private law," including non-profits and depersonalized private entities that process personal data.[8]

Micro-companies and small companies are businesses, simple partnerships, and proprietorship LLCs, as determined by Brazilian law.[9]

Startups, on the other hand, are "business or corporate organizations nascent or in recent operation, whose performance is characterized by innovation applied to a business model or to products or services offered."[10]

Obligations of Small-sized Processing Agents

Generally, if an organization falls within the definition of a small-sized processing agent, it has simplified LGPD compliance obligations.[11]

The ANPD's simplified obligations for small-sized processing agents include:

  1. Keeping and maintaining a record of personal data processing operations under Art. 37 of the LGPD in a "simplified way."[12]
  2. "Flexible" or "simplified procedure" for security incident reporting.[13]
  3. Small-sized processing agents do not have to appoint a data protection officer.[14]
  4. Adoption of a "simplified" information security policy that includes "essential and necessary requirements for processing personal data."[15]
  5. Small-sized processing agents will have twice the amount of time to (i) respond to data subject requests, (ii) send security incident notifications to the ANPD and data subjects,[16] and (iii) respond to requests for information and documents from the ANPD.[17]

Why it Matters

The way in which a business is classified impacts how the ANPD expects a company to comply with the LGPD. While the ANPD is expected to provide further guidance on the obligations of small-sized processing agents, businesses should analyze whether they can benefit from the simplified obligations.

*Greenberg Traurig is not licensed to practice law in Brazil and does not advise on Brazilian law. Specific LGPD questions and Brazilian legal compliance issues will be referred to lawyers licensed to practice law in Brazil.

[1] LGPD Article 5(IX)

[2] LGPD Article 37

[3] LGPD Article 38

[4] LGPD Article 39

[5] LGPD Article 41

[6] LGPD Article 46

[7] LGPD Article 48

[8] Resolution Article 2(I)

[9] Resolution Article 2(II)

[10] Resolution Article 2(III)

[11] Unless the small-sized processing agent conducts "high risk treatment" as defined in the Resolution. The ANPD has signaled that small-sized processing agents engaged in "high risk treatment" will be subject to separate guidelines, which appear to be forthcoming. 

[12] Resolution Article 9

[13] Resolution Article 10

[14] Resolution Article 11

[15] Resolution Article 13

[16] Unless there is a "potential compromise to the physical or moral integrity of the holders or to the national security."

[17] Resolution Article 14(I-II)
