National Data Protection Authority (ANPD in portuguese) regulates General Personal Data Protection Law for small businesses

Based on the competences provided for in article 55-J, XVIII of the General Law for the Protection of Personal Data (LGPD in portuguese), the National Data Protection Authority (ANPD in Portuguese) regulated the application of the Law in order to facilitate the adaptation of small treatment agents to the requirements of adequacy to the LGPD, as well as guarantee the protection of the fundamental rights of privacy, intimacy and freedom of the holder.

With the new regulation, the small treatment agent will be able to:

  1. comply with the obligation to prepare and maintain a record of personal data processing operations, contained in art. 37 of the LGPD, in a simplified way. The ANPD will provide the template for the simplified record known as data inventory or data mapping;
  2. adopt a simplified security incident reporting procedure;
  3. do not indicate the Data Protection Officer (DPO) for the processing of personal data required in art. 41 of the LGPD, but must provide a communication channel for requests from the data subject. However, any appointment of DPO will be considered a good practices and governance policy;
  4. establish a simplified information security policy; and
  5. have double deadlines to meet some of the requirements of the LGPD.

Could be considered small treatment agents: small business owners, startups, legal entities governed by private law, including non-profits, as well as natural persons and depersonalized private entities that process personal data, assuming oblications typical of a controller or operator.

However, even if it is a small treatment agent, the regulation establishes that it will not be able to benefit from the differentiated legal treatment those who:

  1. perform high-risk treatment for the holders;
  2. earn gross revenue higher than BRL 4,800,000.00 in the calendar year or, in the case of startups, higher than BRL 16,000,000.00 in the calendar year or BRL 1,333,334.00 multiplied by the number of months of activity in the previous calendar year, when its activity is less than 12 months; or
  3. belong to an economic group, whose global revenue exceeds the limits referred to in item (ii), as applicable.

The regulation considers high-risk personal data processing to be one that cumulatively meets at least one general criteria and one specific criteria, among the following:

1. general criteria:

  1. large-scale processing of personal data; or
  2. processing of personal data that may significantly affect the interests and fundamental rights of the holders;

 2. specific criteria:

  1. use of emerging or innovative technologies;
  2. surveillance or control of areas accessible to the public;
  3. decisions made solely on the basis of automated processing of personal data, including those aimed at defining the personal, professional, health, consumer and credit profile or aspects of the holder’s personality; or
  4. use of sensitive personal data or personal data of children, teenagers and the elderly.

To access the complete resolution in portuguese, click on the link: 


Our specialties

aSee our main areas of expertise