backResolution CD/ANPD No. 2/2022 sets out the regulation for applying Brazil’s General Data Protection Law (LGPD) to small-scale data controllers and processors, including microenterprises, startups, nonprofit organizations, and individuals acting as data agents. The aim is to ensure compliance with the law while offering simplified obligations adapted to the structure and capacity of these entities. Key simplifications include the option to maintain streamlined data processing records, extended deadlines to respond to data subject requests and report incidents, and the waiver of the requirement to appoint a data protection officer, provided there is a communication channel available to data subjects.
Despite these adjustments, small-scale agents must still comply with core LGPD principles and ensure basic security measures. The resolution also outlines what constitutes high-risk processing—cases in which simplified rules do not apply. Moreover, the ANPD may require full compliance when circumstances pose significant risk to data subjects. This regulation seeks to balance robust data protection with operational feasibility for small businesses. Acess Here.
share
