Brazil:
Brazilian Data Protection Authority's Most Relevant Publications To Date
10 November 2022
Tauil & Chequer
To print this article, all you need is to be registered or login on Mondaq.com.
The Brazilian Data Protection Authority (ANPD) has issued
important guidance covering a variety of privacy aspects including
security measures, determining controller and processor capacities,
and how the ANPD administrative process will be applied to
investigating companies and imposing penalties. We have gathered
those we consider the most relevant.
Publicizes the Brazilian National Data Protection
Authority's (ANPD) regulatory agenda for the biennium
2021-2022.
|A first glimpse into ANPD's activities plan. The agenda
includes a number of issues as well as the ways through which the
ANPD aims to discuss and disseminate them (resolution, guide or
ordinance).
|Some publications are still scheduled for 2022, including
resolutions on data subjects' rights, on the personal data
protection officer (DPO) and international data transfers, as well
as a best practices guide relating to the legal processing of
personal data in the Brazilian General Personal Data Protection Law
(LGPD).
Establishes the ANPD's internal regulations
|A thorough document for those who want to understand the
authority's procedures and limitations, which are all internal
regulations. The ANPD has a complex organizational structure that
includes various boards with different areas of activity and
competences. The internal regulation released by Ordinance No.
1/2021 covers the ANPD's whole organizational structure.
|The ANPD is described in Article 1 of the internal regulations
as "a body of the Presidency of the Republic." The ANPD
is now a special autarchy, with increased autonomy and procedural
ability, thanks to Provisional Measure No. 1.124/2022. It is worth
mentioning that the provisional measure has not yet been
transformed into legislation and is presently being debated in
Congress.
|Simplifies the LGPD's most important aspects for consumer
awareness. Also includes guidelines for public and private
organizations' activities in regards to personal data
processing in order to avoid violating consumer rights.
|An essential guide that symbolizes the ANPD's collaborative
activity with consumer protection organizations, taking into
account the Technical Cooperation Agreement between the ANPD and
SENACON.
Version 1.0
|Directs small processing agents to preserve the bare minimum of
information security, taking into account the processing
agent's economic capabilities while applying legal
requirements.
|Used as a general guide that establishes the minimum
requirements for information security measures in Brazil, which
must be surpassed by "medium" and "large"
processing agents—which will not be defined by the ANPD.
Approves the Regulation of the Supervision Process and the
Administrative Sanctioning Process in the scope of the ANPD.
|The ANPD has three different natures of action, according to
Article 15 of the Resolution No. 1 of 2021: monitoring, enforcement
and prevention. The main function of this resolution is to clarify
how these actions will be conducted, which are the procedures to be
followed by ANPD, and what we can expect to be the authority's
next steps, especially regarding the sanctions.
|This resolution was the missing piece for the application of
administrative sanctions by the ANPD to begin. Therefore, after the
publication of the resolution as of August 1, 2021, it became
possible to apply the sanctions listed in Article 52 of LGPD.
|Intends to specify criteria that can offer legal certainty to
operations that assist public organizations and bodies in the
adaptation and implementation of activities arising from the LGPD,
particularly related to the execution of policies and the provision
of public services.
|An interesting guide for private parties because it specifies
legal bases, such as consent and legitimate interest, and presents
the ANPD's perspective on their application.
|The Regulation on the Application of the LGPD for Small
Treatment Agents is approved. Once more, the ANPD tailors the LGPD
criteria to the economic capabilities of each processing
agent.
|Under current legislation, the resolution defines small-size
treatment agents (Article 2, I) as: micro companies, small-size
companies, startups and legal entities of private law, including
non-profit enterprises.
|The principal impact of Resolution CD/ANPD No. 2 for other
processing agencies is the definition of high-risk processing in
Article 4. As a result of this resolution, we know what the ANPD
considers high-risk processing, and we can more quickly determine
when a Data Protection Impact Assessment (DPIA) is required.
Version 2.0
|This handbook contains a high level of practical application to
which all processing agents (controllers, processors and joint
controllers) are susceptible and provides a great support in
assessing each processing capacity. It outlines the obligations and
procedures of the agents more thoroughly than the LGPD and
specifies who can fulfill each function
|Furthermore, it introduces the capacity of joint controllers,
which is not directly addressed in the LGPD.
|Given that 2022 is an election year in Brazil, the ANPD has
decided to produce a guide related to such circumstances and how
the LGPD shall apply.
|It contains highly important information and security
suggestions, mentioning the Information Security Guide for Small
Processing Agents and reinforcing the assumption that it brings the
criteria recognized as ANPD minimums.
|In addition, this guide covers the collection of cookies and
how the legitimate interest may serve on a lawful basis for such
processing activity.
|The ANPD has submitted for public consultation the draft
resolution that approves the Regulation of Dosimetry and the
Application of Administrative Penalties.
|The authority's aim is to promote the effectiveness of
administrative sanctions foreseen in the LGPD by establishing a
methodology to apply the sanctions, with clear parameters and
criteria.
|The methodology adopted by the ANPD for the application of
sanctions is crucial to understand the infractions which the agency
considers most serious as well as the most important compliance
measures for businesses.
|The ANPD has submitted a preliminary study for public
consultation regarding the legal bases applicable for the
processing of children's and adolescents' personal data, as
the lack of clarity of Article 14, Section 1, of the LGPD allowed
for different interpretations on whether consent would be the only
lawful basis for processing the personal data of minors.
|Based on the findings of the preliminary study, the ANPD
asserts that the processing of children's and adolescents'
personal data can be performed due to the legal bases provided for
in articles 7 and 11 of the LGPD, observing the applicable legal
requirements and the best interest principle.
|The Brazilian Data Protection Authority (ANPD) issued a
non-binding guidance on cookies with several recommendations for
controllers regarding this issue.
|Controllers are advised to implement a Cookies Notice and
first-and second-level Cookies Banners. Special attention should be
given to assessing the lawfulness of processing personal data
obtained from cookies.
|The ANPD also stressed accountability requirements related to
cookies, such as managing and documenting consent, as well as
carrying out a legitimate interest assessment as needed.
Visit us at
Tauil & Chequer
Founded in 2001, Tauil & Chequer Advogados is a full
service law firm with approximately 90 lawyers and offices in Rio
de Janeiro, São Paulo and Vitória. T&C represents
local and international businesses on their domestic and
cross-border activities and offers clients the full range of legal
services including: corporate and M&A; debt and equity capital
markets; banking and finance; employment and benefits;
environmental; intellectual property; litigation and dispute
resolution; restructuring, bankruptcy and insolvency; tax; and real
estate. The firm has a particularly strong and longstanding
presence in the energy, oil and gas and infrastructure industries
as well as with pension and investment funds. In December 2009,
T&C entered into an agreement to operate in association with
Mayer Brown LLP and become "Tauil & Chequer Advogados in
association with Mayer Brown LLP."
© Copyright 2020. Tauil & Chequer Advogados, a
Brazilian law partnership with which Mayer Brown is associated. All
rights reserved.
This article provides information and comments on legal
issues and developments of interest. The foregoing is not a
comprehensive treatment of the subject matter covered and is not
intended to provide legal advice. Readers should seek specific
legal advice before taking any action with respect to the matters
discussed herein.
POPULAR ARTICLES ON: Privacy from Brazil
ICLG Data Protection 2019
OLIVARES
The ICLG to: Data Protection Laws and Regulations covers relevant legislation and competent authorities, territorial scope, key principles, individual rights, registration formalities, appointment ...
Data Protection 2022
OLIVARES
The legal framework for data protection is found in Articles 6 and 16 of the Mexican Constitution, as well as in the Federal Law for the Protection of Personal Data Held by Private Parties, published in July 2010...