National Data Protection Authority (ANPD) publishes its first guideline on “processing agents” and DPO

6/7/2021

Last Friday, June 28, the National Data Protection Authority (ANPD) published the “Guidelines for the Definitions of Personal Data Processing Agents and DPO”. In summary, the guide intends to clarify the concepts and issues related to the controller and the processor, as well as the person in charge (DPO). Thus, ANPD intends to establish guidelines that are not binding on processing agents and that explain who can exercise the roles of controller, processor and DPO; the legal definitions; the respective liability regimes; concrete cases; and the most frequent doubts about the subject.

We highlight below the main legal definitions provided in the Guide:

“Processing agents”: “Processing agents” are the controller and the processor of personal data, which may be natural or legal persons, under public or private law. Subordinate individuals, such as employees, public officials, or work teams of an organization, are not considered controllers (autonomous or joint) or processors, as they act under the directive power of the processing agent.

Controller: The controller is the agent responsible for taking the main decisions regarding the processing of personal data and for defining the purpose of this processing. The concept has high practical importance, since the Brazilian Data Protection Law (Law no. 13.709/18 or “LGPD”) establishes specific obligations for the controller, such as preparing the Data Protection Impact Assessment (“DPIA”), proving that the consent obtained from the data subjects meets the legal requirements, and notifying ANPD of the occurrence of personal data breaches. It is also worth mentioning that the rights of the data subjects are, as a rule, exercised against the controller, who is responsible, among other measures, for providing information regarding the processing, ensuring the correction and deletion of personal data, and receiving requests for opposition to processing. Although the controller also handles personal data, the distinguishing element is the power of decision: it is assumed that the controller provides instructions for a third party (the “processor”) to carry out the processing on its behalf.

Joint control: The same personal data processing may involve more than one controller. According to the LGPD, when more than one controller is directly involved in processing that results in damages to the data subject, they will be held jointly liable. By adapting the European concept to the LGPD scenario, the concept of joint controllership can be understood as “the joint, common or convergent determination, by two or more controllers, of the purposes and essential elements for the processing of personal data, through an agreement that establishes the respective responsibilities regarding the fulfillment of the LGPD”.

Processor: The processor is the agent responsible for carrying out the data processing on behalf of the controller and according to the purpose defined by it. The processor may only process the data for the purpose previously established by the controller. This demonstrates the main difference between the controller and the processor, which is the power of decision: the processor can only act within the limits of the purposes determined by the controller. Even though the controller has the main responsibility and the processor must act on its behalf, both share obligations and, consequently, the responsibility to keep the record of personal data processing operations. In addition, both have the obligation to compensate if they cause patrimonial, moral, individual or collective damage to others, within the scope of their respective spheres of action.

Data Protection Officer (“DPO”): The DPO is the individual responsible for ensuring the compliance of an organization, public or private, with the LGPD. As a rule, every organization should appoint a person to assume this role. However, future ANPD regulations may provide hypotheses that waive the need to appoint a DPO, depending on the nature and size of the entity or the volume of data processing. As a good practice, it is considered important that the DPO is free to carry out their duties. With regard to their professional qualifications, these must be defined through a value judgment made by the controller who appoints them, considering knowledge of data protection and information security at a level that meets the needs of the organization’s operation.

It is worth recalling that the guide is open to comments and contributions from civil society, which should be sent to [email protected]. In any case, the publication of the guide is an important starting point for ANPD’s leading role in privacy and data protection in Brazil.

Coauthors: Ricardo Luis Fernandes da Silva, Esther Jerussalmy Cunha, Fabricio Polido and Ana Carolina Gontijo
