New resolution published in the Federal Official Gazette makes the implementation of certain aspects of the law more flexible
Informing the CPF number to get a discount. Registering biometrics to enter a commercial building. These are actions that many of us do frequently, but for the most part, without questioning what is made of our personal information. The answer to this question is important, after all, personal data has never been more valuable.
In order to create the legal bases for the processing of personal data, the General Data Protection Law (LGPD) was created (Law 13,709/2018), which is equivalent to the General Data Protection Regulation (GDPR) of the European Union (EU). It guarantees legal certainty regarding the use of personal data of all people in Brazilian territory.
In force since August 2020, LGPD brought a series of obligations for all companies that process personal data. From investing in data security, training employees, to appointing a Data Protection Officer (DPO). It is important to emphasize that the fines and sanctions in case of non-compliance with the rules are onerous.
In principle, companies were also required to respect the LGPD provisions. However, Resolution CD/ANPD No. 2, of January 27, 2022, was published in the Federal Official Gazette (DOU), which deals with the application of the General Data Protection Law for micro and small companies. The objective is to make the implementation of certain aspects of the law more flexible and to facilitate adaptation.
Among the main simplifications brought by the resolution, we highlight the following:
– Small processing agents are not required to indicate the person in charge of the processing of personal data required in art. 41 of LGPD.
– The small processing agent that does not appoint a person in charge must provide a communication channel with the data subject to comply with the provisions of art. 41, § 2, I of LGPD.
– Small processing agents must adopt essential and necessary administrative and technical measures, based on minimum information security requirements for the protection of personal data, also considering the level of risk to the privacy of data subjects and the reality of the processing agent.
– Small-scale processing agents may comply with the obligation to prepare and maintain a record of personal data processing operations, contained in art. 37 of LGPD, in a simplified way. The National Authority of Data Protection will provide a model for the simplified registration referred to in the caput.
It is important to note that the new resolution does not exempt companies from complying with the LGPD, according to Art. 6:
– The waiver or flexibility of the obligations set forth in this regulation does not exempt small processing agents from complying with the other provisions of the LGPD, including the legal bases and principles, other legal, regulatory and contractual provisions relating to the protection of personal data, as well as the holders’ rights.
Regardless of the flexibilities, large, medium and small businesses must properly protect employee, business partner and customer data. At Pryor Global, we are ready to help your business comply with the LGPD. Find out more about our solutions and download our e-book on the General Data Protection Law for free.