In a recent post, we discussed the latest developments in respect of Brazil’s new federal data protection authority (the ANPD). Brazil’s general data protection law (the LGPD) finally came into full effect in August 2021, bringing with it new obligations for companies in terms of handling personal data and strict penalties for non-compliance.
In May, the ANPD released its guidelines on the concepts concerning the individuals and entities involved in data processing, such as agents, controllers, processors, and data protection officers. The guidelines are non-binding in nature, but provide some welcome clarity in relation to these roles.
The guidelines are now open to comments from the public and will be updated by the ANPD in future based on this consultation process.
Here, we give some brief explanations regarding some of the concepts addressed in the new guidelines.
1-Data Controllers and Processors
Controllers and processors of personal data may be either natural or legal persons. Importantly, they are defined based on their institutional character.
Subordinate individuals, such as employees, public servants, or work teams of an organization, are not considered controllers or processors, as they act under instructions from others.
A controller is defined as the agent responsible for taking the main decisions regarding the processing of personal data and for defining the purpose of such processing. These decisions include the instructions given to contractors (processors) to carry out processing of personal data.
The LGPD establishes significant obligations for the controller (e.g., preparing impact assessment reports, vouching for the consent given by data subjects, and communicating with the ANPD about possible data breaches).
A processor is an agent responsible for carrying out the data processing and acting according to the purpose defined by the controller (i.e., the processor can only act within the limits determined by the controller).
The processor may only process the data for the purpose previously established by the controller. Hence, the main difference between the controller and the processor (the “operator” in the LGPD’s own terminology) under Brazilian law is the power to make decisions.
4-The Data Protection Officer (DPO)
The DPO is responsible for ensuring an organization’s compliance with the LGPD. The law does not specify the circumstances under which an organization must appoint a DPO, nor the exact professional qualifications required for the position.
Thus, it should be assumed that every organization must appoint a DPO with expertise relevant to the organization’s needs.
In future, the ANPD may dispense with the requirement to appoint a DPO in certain circumstances, depending on the nature and size of the entity or the volume of its data processing operations.
The above guidelines (in Portuguese) can be accessed here.
For a deeper understanding of how the new law will impact your business in Brazil, please contact one of our data protection and technology experts.