Brazil: The first steps of a long journey: Guidelines on processing agents and DPOs
While the Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD') marks a huge step in building Brazil's data protection framework, there is much work to be done in order to clarify its provisions and scope. Dirceu Pereia de Santa Rosa, Bernardo José Oliveira Araujo, and Clarissa Sanglard Hisse, from Fontes Tarso Ribeiro Advogados, discuss the first major effort in this regard, which covers areas such as processing agents, among others.
On 28 May 2021, the Brazilian data protection authority [1] ('ANPD') published its first guidelines [2] ('the Guidelines'), addressing the issue of how to identify processing agents and general requirements for data protection officers ('DPOs') in Brazil.
The Guidelines surfaced at a proper time, as public and private entities have experienced some confusion regarding the proper definition and identification of processing agents. The Guidelines also deal with missing areas in the LGPD, such as the concept of joint controllers.
The Guidelines are the first of their kind published by the ANPD and are structured in seven chapters. Nonetheless, we chose to divide this article into eight relevant topics, which are: (1) Processing agents; (2) Controllers; (3) Joint controllership; (4) Singular controllership; (5) Processor (operator); (6) Sub-processor; (7) DPOs; and (8) Additional comments.
As mentioned above, proper identification of the processing agents in a data processing activity has been a matter of confusion for Brazilian organisations, especially public entities. The main issue at stake is the status of subordinates who deal with personal data directly, such as employees or public servants, and whether they fit the legal concept of controller and/or processor. The Guidelines clarify that a subordinate individual does not qualify as a data processing agent, as they only act under the directive power of the processing agent. To address these queries, at the very beginning of the Guidelines the ANPD states who should not be deemed a controller (autonomous or joint) or an operator: for example, subordinate individuals such as employees, public servants, or the work teams of an organisation that act under the directive power of the processing agent.
The LGPD sets forth that a processing agent is a controller or processor of personal data. The Guidelines elucidate that the qualification of an agent as one or the other must be based on the purpose of the specific processing under analysis. Therefore, the definition of controller and processor is relative, and an organisation can undertake both the roles of a controller and/or a processor depending on the specific processing activity.
The LGPD defines the controller as the natural or legal person, whether public or private, who has the power to make decisions regarding the processing of personal data. The Guidelines complement this legal definition by clarifying that the controller is the agent that defines the purpose and makes the main decisions concerning the processing of personal data, which ANPD considers as the 'essential elements' of a processing operation.
Although the Guidelines acknowledge that the role of a controller can be indicated in a contractual agreement, the document emphasises that the context and the relevant circumstances of the case should always be considered in an ultimate analysis. In other words, following the understanding already adopted by European data protection authorities, the identification of the controller must arise from the concept set forth by the LGPD, and follow the auxiliary parameters indicated in the relevant guidelines, always considering the technical context and the relevant circumstances of the case.
The concept of joint controllership was not originally addressed by the LGPD, but has now been clarified in the Guidelines. It refers to situations in which two or more controllers decide the purposes of the processing operation together.
Although the definition of a joint controllership is not expressly determined in the LGPD, the regulator understands that such a concept can be extracted from the controller definition itself. To address the issue, the ANPD resorted to Article 26 of the General Data Protection Regulation (Regulation (EU) 2016/679) and the guidance of the European Data Protection Board, contained in the 'Guidelines 07/2020 on the concepts of controller and processor in the GDPR' published in September 2020. Adapting the European standards to the LGPD scenario, the ANPD defined the concept of joint controllership as 'the joint, common or convergent determination, by two or more controllers, of the purposes and elements essential for the processing of personal data, by means of an agreement establishing the respective responsibilities regarding the fulfilment of the LGPD.' (adapted translation)
In summary, ANPD states that a joint controllership may occur when: (1) more than one controller has decision-making power over the processing of personal data; (2) there is a mutual interest of two or more controllers, based on their own purposes, in the same processing operation; or (3) two or more controllers make common decisions about the purposes and essential elements of the processing operation.
In contrast to joint controllership, the Guidelines also clarify that there will be a singular controllership when the purposes of the data processing are not common, convergent, or complementary. As an example, the ANPD illustrates that multiple controllers can, and often do, handle open government data, each for its own specific purposes. If these purposes are not common, convergent, or complementary, all data processing agents will be deemed singular controllers and a joint controllership will not be established.
According to the LGPD, a processor is the natural or legal person, whether public or private, that processes personal data on behalf of the controller. The Guidelines also complement this definition by stating that, in addition to acting on behalf of a controller and under its instructions, the processor is the agent that acts 'to the limit of the purposes determined by the controller'. Although the LGPD does not expressly determine that the controller and the processor must enter into a contractual agreement to proceed with the data processing, the ANPD indicates that the establishment of an agreement between the controller and the processor is viewed as a 'best practice'. However, the LGPD was not as thorough when addressing the topics that should be included in a data protection agreement, only highlighting the need to indicate (i) the object, (ii) the duration, (iii) the nature, (iv) the purpose of the processing of the data, (v) the types of personal data involved, and (vi) the rights, obligations and responsibilities of the parties with a view to compliance with the LGPD. In addition, the Guidelines state that it is the processor's obligation to inform the controller when using sub-processors and, as far as possible, to obtain the controller's authorisation.
The sub-processor, which could also be termed 'sub-operator' in the Brazilian system, is the one hired by the processor to assist it in the processing of personal data on behalf of the controller. Although the sub-processor figure is also not directly provided for in the LGPD, the regulator considers that the sub-processor may be deemed an operator contracted by another operator. Thus, the ANPD asserted that 'the sub-operator is the one hired by the operator to assist him in performing the processing of personal data on behalf of the controller.'
According to the LGPD, controllers must appoint a DPO to act as a communication liaison between the controller, data subjects, and the ANPD. The DPO shall receive complaints and communications from data subjects; provide information and adopt new measures regarding data protection within the entity; receive communications from DPOs and take action to guarantee compliance with the Law; advise employees and contractors on obligations concerning personal data; and perform other duties determined by the controller or established in complementary rules.
The Guidelines clarify that the DPO or 'person in charge' may be either an employee of the institution or an external agent, of a natural or legal nature. This has brought a sense of security to consultancies and law firms that have been modelling DPO services in recent years. With regard to the reach of the requirement to appoint a specific person or entity 'in charge', in relation to the scope of the processing and the size/capacity of the controller, the ANPD indicated that, as a general rule, every organisation should assign a person in charge until the possibilities of dismissal of this requirement are further regulated.
It is also important to mention a matter of a highly sensitive nature: the definition used by the ANPD to conceptualise the figure of the DPO. The document defines the 'Encarregado' as 'the individual responsible for ensuring the compliance of an organisation, public or private, to the LGPD'. This is probably the main controversy set forth by the Guidelines, since, in the original language of the LGPD, the DPO is not necessarily the individual responsible for ensuring compliance; the LGPD only states that the 'Encarregado' is the person appointed by the controller and operator to act as a communication channel between the controller, the data subjects, and the ANPD.
First and foremost, it is essential to praise the way in which the ANPD is contributing to the development of the data protection ecosystem in Brazil. The ANPD has been agile, responsive, and attentive to the main demands of companies and the public sector.
Although there is a huge workload, short deadlines, and scarce resources, the first manifestations have already been sufficient to demonstrate the seriousness and quality of the work and staff, in addition to a keen democratic spirit, being especially open to the participation and contributions of experts and academics.
However, in order to guarantee a clearer and more settled scenario regarding data protection in Brazil, there is still space to contribute critical views and constructive ideas, which should not be interpreted as disapproval. In this sense, there are some questions that may be relevant for further regulations and guidance by the ANPD:
- The Guide advanced considerably on issues that were raising disagreement and uncertainty among the interested parties, but was little concerned with high-level doubts. For example, considering the trend towards outsourcing services, very common in technology sectors (programmers, designers, information security services), which elements should be considered by the involved local entities when establishing data protection clauses in contractual agreements? Under the letter of the law, such providers could be considered operators, but on a daily basis they seem to act in a manner very similar to internal workers or employees.
- The regulator did not comment on how the 'instructions on data processing' should be carried out and documented, for example, instructions from a controller to a processor. Thus, an important question remains: how should the instructions from the controller to the processor be carried out and how should processing agents document this process?
- The wording chosen by the ANPD to define the DPO as 'a person responsible for compliance with the LGPD' was unfortunate. As mentioned above, this is possibly the Guidelines' main inconsistency, as we believe that, in the LGPD system, the DPO is not necessarily the individual responsible for ensuring compliance, but rather the person responsible for maintaining a communication liaison between the controller, data subjects, and the ANPD.
Finally, it is worth mentioning that the ANPD indicates that it is open to receiving comments and proposals to improve the Guide, which should be forwarded to the following email: [email protected].
Dirceu Pereia de Santa Rosa Attorney at Law
Bernardo José Oliveira Araujo Attorney at Law
Clarissa Sanglard Hisse Attorney at Law
Fontes Tarso Ribeiro Advogados, Rio de Janeiro
[1] The ANPD is an administrative body that was created to enforce the LGPD and has technical autonomy, despite being connected to the cabinet of the presidency. The ANPD is not only responsible for enforcing the LGPD, but also for overseeing and issuing guidelines on any data protection laws. The ANPD has specific powers to issue guidelines for compliance with the requirements imposed by the LGPD and to apply administrative sanctions. Since the ANPD is now operational, it has enforcement actions in place and has started enacting regulations.
[2] For more information: https://www.gov.br/anpd/pt-br/assuntos/noticias/inclusao-de-arquivos-para-link-nas-noticias/2021-05-27-guia-agentes-de-tratamento_final.pdf