Brazil: Data Protection Authority Issues Guidelines for Processing Agents and Proposes new Inspection Mechanisms
ANPD publishes Guideline for the Definition of Processing Agents and the Data Protection Officer
The Brazilian National Data Protection Authority (ANPD) published on 28 May 2021, a Guideline for the Definition of Processing Agents and Data Protection Officer, which aims to establish directives on processing agents – data controller and data processor – and the data protection officer (DPO), by means of legal definitions and practical examples. Regarding the definition of processing agents, the Guideline determines that the definition must consider the specific context, that is, each processing activity of personal data.
Specifically, concerning controllers, ANPD clarifies that the professionals subordinated to a legal entity or as members of public bodies are not controllers. The Guideline also establishes the difference between joint and separate controllerships. The first one refers to the hypothesis in which the personal data processing activity involves more than one controller making common decisions, while the latter refers to the decision being made solely by one controller.
Concerning the processors, the Guideline defines that the main difference between a controller and a processor is the power of decision, provided that the processor’s actions are restricted to the purposes determined by the controller. It states that the processor will always be a person or an entity distinct from the controller. In addition, it recommends that the hiring of a sub-processor must be preceded by formal authorisation from the controller.
Finally, with respect to the DPO, ANPD recommends that its appointment be made by a formal act, such as a service agreement or an administrative act. The Guideline also emphasises the importance of the DPO’s independence and the availability of resources, including appropriate deadlines, finances, and infrastructure, for the performance of its duties.
Public Consultation on the ANPD’s Inspection Standard is Open
Also on 28 May 2021, the Brazilian National Data Protection Authority published the opening of a public consultation on the draft resolution related to the inspection and application of sanctions by ANPD, for a period of thirty (30) days. The resolution provides for the inspection mechanisms, such as monitoring, guidance, and preventive activities, as well as the sanctioning administrative process for the investigation of infractions against data protection legislation, under the ANPD’s attributions.
Besides the guidance and preventive activities, the inspection activities are important to highlight, which includes the monitoring of the data processing activities that will be carried out by the General-Coordination of Inspection and will have, as one of its main goals, analysing the compliance of processing agents related to the personal data protection.
The sanctioning administrative process will consist of four phases: initiation; instruction; decision; and appeal. The first instance decision will be rendered by the General-Coordination of Inspection and may be reviewed by means of an appeal to the Board of Directors.
Finally, if approved, the resolution will be effective as of the date of its publication, except for the provisions referring to the inspection activity, which will be effective as of January 2022.