New ANPD Resolution marks the International Data Protection Day

January 28th is the International Data Protection Day. This date, chosen on April 26, 2006 by the Council of Europe, goes back to Convention 108 of 1981, the first treaty aimed at protecting the individual’s freedoms, private life, and personal data.

This celebration highlights the relevance of the matter for society, catalyzed by technological advances and the volume of personal data used in different ways. In addition, the celebration emphasizes the need for surveillance to curb abusive practices, capable of jeopardizing the rights and freedoms of individuals.

In Brazil, this movement is already happening. This is the second year that we celebrate the date with our Brazilian General Data Protection Regulation (LGPD) in force, with the proactive role of the National Data Protection Authority (ANPD), as well as the recent approval by the National Congress of the Proposal of Amendment to the Constitution 17 (PEC 17/2019), which includes the protection of personal data into the list of fundamental rights and guarantees.

The ANPD has been publishing guidelines for those who handle personal data, as well as conducting public hearings to address issues in the LGPD. And, as a commemorative highlight for the date, it was published today the Resolution CD/ANPD no. 2, of January 27, 2022, approving the regulation of application of the LGPD for small processing agents. The differentiated regulation for micro and small businesses was already planned as per the ANPD’s Regulatory Agenda for the 2021-2022 biennium.

The Resolution refers to micro-enterprises, small businesses, and startups, provided they do not perform high-risk treatment for the data subjects.

The main point of attention refers to the fact that it is not mandatory for these agents to appoint a Data Protection Officer (DPO), as long as they provide a communication channel with the data subject. However, the Resolution clarifies that the appointment of a DPO may be considered a good practice policy for the company.

In addition, small processing agents will be granted double time:

• in complying with the data subject’s requests;
  .
• in communicating to the ANPD and the data subject the occurrence of the security incident;
  .
• in providing clear and complete declarations, in which case the period will be 30 days.
  .

The resolution represents a considerable progress in data protection in Brazil, since it demonstrates the ANPD’s commitment to regulating the law, especially with the aim of facilitating the business environment for those who are most sensitive.

Should you need more information about the LGPD, strategies for compliance or trends in the national and international scenarios, please do not hesitate to contact our Digital Law team at digital@kasznarleonardos.com.