The Brazilian National Data Protection Authority (ANPD) published its Orientation Guide on the Definitions of Personal Data Processing Agents and the Data Protection Officer on May 27, 2021.
The guide begins by clarifying that the controller and the operator of personal data are the processing agents, and that either may be a natural or legal person, governed by public or private law. It also clarifies that individuals acting under the direction of a processing agent (including administrators) cannot themselves be controllers or operators, since they act under that agent's power of direction. The same impediment applies to partners and public servants.
An interesting point highlighted by the guide is that a legal entity that is the controller for one processing operation may be the operator for another, depending on the role it plays in each.
The controller is the agent responsible for the main decisions regarding the processing of personal data and for defining the purpose of that processing; as a rule, it is a legal entity. The guide highlights the following specific obligations of the controller:
1. Prepare the personal data protection impact report
2. Prove that the consent obtained from the data subject meets the legal requirements
3. Communicate the occurrence of security incidents to the ANPD
4. Provide information about the processing
5. Ensure the correction and deletion of personal data
6. Receive requests to object to processing
With respect to the public sector, the situation is sui generis. The controller is a legal entity governed by public law (the Union, the States, the Federal District or the Municipalities), with the focus on the direct public administration; even so, the LGPD attributes typical controller obligations to public bodies that lack legal personality of their own. Thus, in personal data processing operations conducted by such bodies, the legal entity under public law to which the body is linked is the controller and is therefore responsible for complying with the LGPD. For the indirect public administration, the rules the LGPD establishes for legal entities apply.
The controller may, however, be a natural person if that person is responsible for the main decisions regarding the processing, as with individual entrepreneurs, self-employed professionals and the like.
What distinguishes the controller from the operator is that the former holds the power to decide on the processing. It therefore falls to the controller to establish:
1. The purpose of the processing
2. The nature of the personal data processed
3. The duration of the processing
The guide also draws on Article 26 of the European General Data Protection Regulation (GDPR) to define joint controllership: the presence of two or more controllers in the same processing, taking either common decisions (two or more entities share one intention as to the purposes and means of processing and decide together) or convergent decisions (the decisions complement each other such that the processing would not be possible without the participation of both controllers). Article 26 provides that where two or more controllers jointly determine the purposes and means of processing, they are joint controllers; they must determine, in a transparent manner and by means of an arrangement between them, their respective responsibilities for compliance with the Regulation, in particular as regards the exercise of data subjects' rights and their respective duties to provide the information referred to in Articles 13 and 14, unless and insofar as those responsibilities are determined by the law of the Union or of the Member State to which they are subject. The arrangement may designate a contact point for data subjects.
The guide makes clear, however, that there is no joint controllership when the purposes of the processing differ. If the purposes are not common, convergent or complementary, each entity is a separate controller of its own processing.
The operator, most often a legal entity, is the agent that carries out the processing on behalf of the controller and in accordance with the purpose the controller has defined; that is, the operator may act only within the limits of the purposes determined by the controller.
The guide highlights the main obligations of the operator:
A contract between the controller and the operator is also recommended, regulating (i) the object, (ii) the duration, (iii) the nature and (iv) the purpose of the processing, the types of personal data involved, and the rights, obligations and responsibilities related to compliance with the LGPD.
The only case in which the operator is placed on the same footing as the controller is joint liability, established in Article 42, §1, I of the LGPD: when damage results from irregular processing carried out by the operator, either by failing to comply with the law or by not following the controller's lawful instructions.
The guide then introduces the figure of the sub-operator, which, although not explicit in the law, appears in more complex processing chains; the ANPD considers the sub-operator jointly liable with the operator and the controller under the provision mentioned above. A sub-operator is thus an entity hired by the operator to help it carry out the processing of personal data on behalf of the controller. The guide recommends that an operator wishing to hire a sub-operator request formal authorization from the controller to do so.
Finally, the guide presents the figure of the data protection officer, who may be a natural or legal person, an employee of the organization or an external party, and defines this role as the person responsible for ensuring an organization's compliance, whether public or private, with the LGPD. As a general rule, every organization should appoint a data protection officer. Future ANPD regulations may, however, establish cases in which the appointment is waived, depending on the nature and size of the entity or the volume of its processing operations.
The guide lists the main duties of the data protection officer:
1. Accept complaints and communications from data subjects, provide clarifications and adopt measures
2. Receive communications from the national authority and adopt measures
3. Guide the entity's employees and contractors on the practices to be adopted for the protection of personal data