Published on 08/05/2023

Updates in April of the National Data Protection Authority

This year, the National Data Protection Authority (“ANPD”), in compliance with the General Data Protection Law (Law 13,709/2018 – “LGPD”), published the Regulation of the Supervisory Process and the Administrative Sanctioning Process. At a public hearing of the ANPD on the Administrative Sanctioning Process, held in February, it was reported that 6,900 requests from data subjects had been received. In April, the ANPD indicated that requests should be made through the forms submitted via electronic petition.

Another important step taken by the ANPD, also in April, concerned the Data Protection Impact Report (“RIPD”). The ANPD published on its website a question-and-answer document that, although preliminary, has already helped to resolve several doubts and controversies about the applicability of the RIPD.

(I) DATA SUBJECT REQUESTS.

1. What requests can be made to the ANPD?

Complaints and petitions from personal data subjects against the controller can be submitted directly to the ANPD through electronic petition – the Electronic Petition channel of SUPER.BR (Single System of Electronic Process in Network).

1.1. What is a petition?

Article 18 of the LGPD establishes a series of rights that may be exercised by the data subject before the data controller. However, if the data subject is unable to exercise these rights before the data controller, or has not obtained a satisfactory answer, they may send their request to the ANPD through a petition. The petition may be analyzed by the ANPD in aggregate form, and the data presented by the applicant may be shared with the controller.

1.2. What is a complaint?

Complaints are communications made to the ANPD by any person, natural or legal, about an alleged infringement of the LGPD, such as discriminatory processing of personal data, excessive collection of personal data, absence of a data controller, absence of a privacy policy/cookie policy, or absence of a communication channel with the processing agent.

1.3. What is most important for my company?

Both forms already contain information on the Regulation of the Supervisory Process and the Administrative Sanctioning Process, which is an indication that this document may serve for purposes of LGPD assessment. In addition, it is important to mention that anonymous complaints will not be received by the Electronic Petitioning channel of SUPER.BR, but by the Plataforma Fala Br. That is, when triggered by a data subject, the controller will have the chance to track that request for its own defense. This reinforces the importance of registering and controlling data subject requests and, consequently, of data protection governance, which helps the controller to have rules and proper documentation for accountability in relation to the fulfillment of data subject rights before the ANPD.

(II) WHAT ARE THE MOST IMPORTANT QUESTIONS AND ANSWERS ABOUT RIPD FOR MY COMPANY?

2. What is RIPD?

The RIPD is the document through which the controller describes the processing of personal data considered to be high risk, that is, processing that poses risks to the guarantee of the general principles of personal data protection provided for in the LGPD, and to the civil liberties and fundamental rights of the data subject. In addition, the document should contain the measures, safeguards and risk mitigation mechanisms, in accordance with articles 5, item XVII, and 38 of the LGPD.

2.1 In what specific situations does the ANPD recommend that the RIPD be prepared?

The RIPD should be prepared in the following situations: (i) when the processing may generate a high risk to the guarantee of fundamental rights and guarantees of the data subject; (ii) when the processing is based on the legal hypothesis of legitimate interest; (iii) for controllers in general, in their processing operations, including those involving sensitive personal data; (iv) for processing operations carried out for the exclusive purposes of public security, national defence, state security or criminal offence investigation and prosecution activities; and (v) for public officials, including the determination as to the publication of the RIPD.

Despite the situations highlighted by the ANPD, the authority emphasized that the criteria are not exhaustive, that is, the controller may prepare the RIPD in cases where it understands the processing to be high risk even if it does not fit the situations described above.

Also, the ANPD pointed out that it is desirable for the RIPD to be prepared before the data processing starts, so that the possible risks associated with the operation are assessed in advance. If this is not possible, the document may be prepared as soon as it is identified that the processing carries high risk, or when requested by the ANPD itself.

Finally, the RIPD should be prepared for each project/process consisting of a set of operations aimed at the same purpose.

2.2 What to consider as “high risk” for the purpose of preparing the RIPD?

To characterize the concept of high-risk processing, until the specific regulation on the subject is issued, the ANPD advises that the controller must verify whether, in the specific case, at least one general criterion is present in combination with a specific criterion, as defined below:

General criterion: processing on a large scale or that could significantly affect the interests and fundamental rights of data subjects.

Specific criteria: use of emerging or innovative technologies; surveillance or control of areas accessible to the public; decisions made solely on the basis of automated processing of personal data; or use of sensitive personal data or personal data of children, adolescents and the elderly.

In addition, the ANPD determines that large-scale processing can be “characterized when covering a significant number of data subjects, considering also the volume of data involved, as well as the duration, frequency and geographical extent of the processing”.

Regarding processing that significantly affects interests and rights, the ANPD determines that it is characterized, among other situations, when the processing activity can “prevent the exercise of rights or use of a service, as well as cause material or moral damage to the data subjects, such as discrimination, violation of physical integrity, the right to image and reputation, financial fraud or identity theft”.

2.3 What criteria and methodologies should be used for risk management?

The ANPD provides that “risk management is a systematic process of organizational management that determines the balanced application of controls in the face of the risk profile”. The ANPD makes it clear that the controller must have data governance that indicates which risks can be taken and which safeguards apply to the controller’s activity.

The ANPD reiterates the need for data governance by presenting as good practice the continuous review of the RIPD (checking for new facts that may change the risks identified) or its review in case of new regulations or guidelines issued by the ANPD, thus showing the need for RIPD monitoring. Continuous monitoring is one of the indicators of a data governance program.

2.4 What are the minimum requirements to be described in the RIPD?

In accordance with the sole paragraph of article 38 of the LGPD, the minimum requirements are (i) a description of the types of personal data collected/processed; (ii) the methodology used for the processing and for guaranteeing information security; and (iii) the controller’s analysis of the measures, safeguards and risk mitigation mechanisms.

The controller is recommended to describe the types of personal data processed, the processing operations (art. 5º, X, LGPD), their purposes (including legitimate interests) and legal hypotheses, and to assess the necessity and proportionality of the processing operations, the risks to the rights and freedoms of data subjects and the measures to be taken to minimise those risks.

The list of data and information that the ANPD recommends including in the RIPD is available at: https://www.gov.br/anpd/pt-br/canais_atendimento/agente-de-tratamento/relatorio-impacto-a-protecao-dados-pessis-ripd

2.5 Does the RIPD need to be disclosed?

It is not mandatory to publish the RIPD, but since such publication demonstrates compliance with LGPD principles, it can be considered a measure that demonstrates the controller’s concern for the privacy of the data subject. In the case of public entities and agencies, the RIPD should be published by determination of the ANPD or when no hypothesis of secrecy applicable to the case is identified, in accordance with Law nº 12.527/2011.

Important: a separate version may be published to safeguard trade and industrial secrets and other information protected by law.

2.6 Participation of the DPO in the RIPD

Although desirable, the ANPD did not define as mandatory the participation of the person in charge (DPO) during the RIPD preparation process.

3. Conclusion

Observing the material issued by the ANPD on the RIPD and on data subject requests, it is possible to note the evolution of the ANPD’s role, which demonstrates that a data protection governance program is essential for companies to be accountable for what the authority requires.

As for the RIPD, the ANPD does not expect merely a descriptive document, but rather one prepared and answered according to the controller’s personal data governance program, which focuses on the rights of data subjects. The same view was substantiated with regard to the requests to be received by the ANPD, since in order to defend the controller it will be necessary to show some control over data subject requests and their follow-up. Finally, the points to be selected in the complaint form reflect the basic good practice points of article 50 of the LGPD, as well as documents that demonstrate compliance with the principles established in the same law, such as transparency (regarding the privacy and cookie policy) and adequacy and minimization (regarding the report of excessive data collection), among others.

To stay updated on issues related to privacy and data protection, keep following our publications.

In case of any doubts about the preparation of the RIPD or other queries related to this topic, our team remains available.