After gathering contributions on the regulation of the application of Federal Law No. 13,709/18, known as the Brazilian General Data Protection Law ("LGPD"), for micro-enterprises, small businesses, startups, innovation companies that process personal data with economic purposes and for non-profit legal entities (such as associations, foundations, religious organizations and political parties) which took place between February and March this year, marking the beginning of the National Data Protection Authority ("ANPD") dialogue with civil society, ANPD, proceeding with the regulation of the matter, formally started, on August 30, 2021 the Public Consultation on the draft resolution that disposes about the application of the Law for small data processing agents.

Contributions from the society can be sent until September 29, 2021 and must be made through the Participa+Brasil platform. In addition, a virtual Public Hearing was scheduled for the presentation of proposals and suggestions, on September 14 and 15, 2021. Those interested in holding oral presentations at the hearing must register beforehand by September 9th.

The resolution draft made available by ANPD adopted the criteria of size of the processing agent and the risk that the data processing may cause to the data subject to facilitate the application of the LGPD to the sector, through flexibility and waiver of certain obligations provided for by law.

Among the flexibility provided for in the draft proposed for the sector, small data processing agents are exempt from the obligation to keep records of data processing operations, as well as are not required to indicate the data protection officer.

The draft also addresses different deadlines for responding to requests from data subjects and for communicating to ANPD and the data subjects about incidents, and provides for the possibility of adopting simplified and differentiated procedures, such as a report on the impact of data protection and a policy of information security.

It is noteworthy that, even if simplified, the information security policy should include minimum requirements for the protection of personal data, also considering the level of risk to the privacy of data subjects and the reality of the processing agent, aiming to protect them from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication, or any form of inappropriate or unlawful processing. ANPD will provide guidance on information security for small data processing agents.

The resolution draft can be accessed here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.