On May 28, 2021, the National Data Protection Authority (“ANPD”) published a “Guide for Definitions of Agents for the Processing of Personal Data and the Data Protection Officer“, which establishes non-binding guidelines for such agents.
The document seeks to explain who can perform the function of controller, processor and DPO, their legal definitions, the respective liability regimes, as well as concrete cases that exemplify the explanations.
One of the points that the Guide sought to clarify was that agents should be defined based on their institutional nature. Thus, subordinate individuals, such as employees , public servants or work teams of an organization are not considered controllers or processors, since they act under the directive power of the controllers or processor.
Moreover, other relevant points addressed were the possibility of the existence of joint controllers and sub-processors, which were not expressly provided for in the Brazilian General Data Protection Law (“LGPD”), as well as the importance of contracts between controllers and processors as best practices of data processing, where the regime of activities and respective responsibilities should be established between the parties.
Regarding the use of sub-processors, the guide states that the operator must notify the controller if it intends to use the services of sub-processors.
The Guide is subject to comments and contributions by civil society and will be updated as new regulations are published by ANPD.
Another document open to comments and suggestions is the draft resolution that provides for the supervision and application of sanctions by ANPD, which was submitted to public consultation by Order of May 27, 2021. Suggestions can be sent electronically until June 28, 2021, through the Participa Mais Brasil platform.
For more information, please contact Saud Advogados.