November 02, 2022

Brazil Limits New Privacy Law's Obligations on Small Entities

On Jan. 27, 2022, Brazil's Data Protection Agency (ANPD) adopted Resolution ANPD No. 2 (the "Resolution"), limiting Brazil's Data Protection Law (LGPD) obligations on small entities.

Processing Agents

Similar to the European GDPR, the LGPD categorizes businesses subject to the law as either "controllers" or "processors." However, the LGPD also groups these two categories together under one definition: "processing agent."[1] Processing agents are generally required to meet a number of compliance obligations similar to the obligations placed on controllers and processors under the GDPR.

Processing agent obligations include:

  1. Keep and maintain a record of processing operations (e.g., a data inventory)[2]
  2. In some circumstances, conduct data protection impact assessments[3]
  3. Verify processors' compliance with the controller's processing instructions[4]
  4. Appoint a data protection officer[5]
  5. Adopt security, technical, and administrative measures to protect personal data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication, or any type of improper or unlawful processing[6]
  6. Notify the ANPD and impacted data subjects of security incidents that create risk or relevant damage to the data subjects[7]

Small Processing Agents

This Resolution limits the LGPD obligations of "small-sized processing agents." The Resolution defines "small-sized processing agents" as micro-companies, small companies, startups, and "legal entities governed by private law," including non-profits and depersonalized private entities that process personal data.[8]

Micro-companies and small companies are businesses, simple partnerships, and proprietorship LLCs, as determined by Brazilian law.[9]

Startups, on the other hand, are "business or corporate organizations nascent or in recent operation, whose performance is characterized by innovation applied to a business model or to products or services offered."[10]

Obligations of Small-sized Processing Agents

Generally, if an organization falls within the definition of a small-sized processing agent, it has simplified LGPD compliance obligations.[11]

The ANPD's simplified obligations for small-sized processing agents include:

  1. Keeping and maintaining a record of personal data processing operations under Art. 37 of the LGPD in a "simplified way."[12]
  2. "Flexible" or "simplified procedure" for security incident reporting.[13]
  3. Small-sized processing agents do not have to appoint a data protection officer.[14]
  4. Adoption of a "simplified" information security policy that includes "essential and necessary requirements for processing personal data."[15]
  5. Small-sized processing agents will have twice the amount of time to (i) respond to data subject requests, (ii) notify the ANPD and data subjects of security incidents,[16] and (iii) respond to requests for information and documents from the ANPD.[17]

Why it Matters

The way in which a business is classified impacts how the ANPD expects a company to comply with the LGPD. While the ANPD is expected to provide further guidance on the obligations of small-sized processing agents, businesses should analyze whether they can benefit from the simplified obligations.

*Greenberg Traurig is not licensed to practice law in Brazil and does not advise on Brazilian law. Specific LGPD questions and Brazilian legal compliance issues will be referred to lawyers licensed to practice law in Brazil.


[1] LGPD Article 5(IX)

[2] LGPD Article 37

[3] LGPD Article 38

[4] LGPD Article 39

[5] LGPD Article 41

[6] LGPD Article 46

[7] LGPD Article 48

[8] Resolution Article 2(I)

[9] Resolution Article 2(II)

[10] Resolution Article 2(III)

[11] Unless the small-sized processing agent conducts "high risk treatment" as defined in the Resolution. The ANPD has signaled that small-sized processing agents engaged in "high risk treatment" will be subject to separate guidelines, which appear to be forthcoming. 

[12] Resolution Article 9

[13] Resolution Article 10

[14] Resolution Article 11

[15] Resolution Article 13

[16] Unless there is a "potential compromise to the physical or moral integrity of the holders or to the national security."

[17] Resolution Article 14(I-II)
