The National Data Protection Authority (ANPD) published on January 28 resolution CD/ANPD 02, which approved the regulation of application of the General Law on the Protection of Personal Data (LGPD or Federal Law 13.709/18), the text of which is immediately valid for organizations classified as small processing agents, which includes Startups.

Startup is a nascent business organization or in recent operation, whose performance is characterized by innovation applied to business models or to products or services offered. The company does not need to be in the technology segment to be considered startup, but innovation, inseparable from this type of business, is usually tied to digital technologies. Frequently the digital business of Startups around data, including personal data, which is why the intersection of the themes startup and data protection is so important. The ANPD Regulation, when conceptualizing startup in paragraph III of Article 2, recalls the framework of the Supplementary Law 182/21 itself (Legal Framework of Startups).

In Brazil, the LGPD provides for differentiated treatment for Startups data processing agents, which has been regulated by the ANPD not only to Startups, but also for innovation companies, small businesses and micro-enterprises. Submitted to public consultation on August 27, 2021, the regulation went through several stages until its final deliberation and unanimous approval by the Board of Directors on January 24 of this year.[1]

The ANPD expressly acknowledged that reducing regulatory burden and stimulating innovation are key factors for the development of Startups and, consequently, for the growth of the country itself (Order 41/2021/SG/ANPD). In this regard, a study conducted by the Brazilian Association of Startups and Deloitte[2] revealed that of the 2,486 Startups analyzed throughout the national territory, 83% have annual revenues of less than R$ 1 million, i.e., the majority did not reach a minimum level of maturation, much less the breakeven. This means that any reduction in compliance costs, including data processing obligations, will certainly contribute to fostering the Startups.

However, there are limits for such benefits, which exclude those who perform high-risk treatment for holders or those who received gross revenue spree sofa exceeding R$ 16 million in the previous calendar year – or a new amount of R$ 1,333,334, multiplied by the number of months of activity in the previous calendar year, when less than 12 months, regardless of the corporate form adopted.

The processing of high-risk personal data shall be deemed to meet, cumulatively, at least one general criterion and a specific criterion. The Regulation lists as general criteria:

  • the processing of personal data on a large scale, i.e. when covering a significant number of data subjects, also considering the volume of data involved, as well as the duration, frequency and geographical extent of the processing carried out; and
  • the processing of personal data which may significantly affect the interests and fundamental rights of the holders, which shall be characterized, inter may other situations, in those where the processing activity may prevent the exercise of rights or the use of a service, in addition to causing material or moral damage to the holders, such as discrimination, violation of physical integrity, the right to image and reputation, financial fraud or identity theft.

As specific criteria, four hypotheses are foreseen:

  • the use of emerging or innovative technologies;
  • surveillance or control of publicly accessible areas;
  • decisions taken solely on the basis of automated processing of personal data, including those intended to define the personal, professional, health, consumer and credit profile or aspects of the personality of the holder; and
  • the use of sensitive personal data or personal data of children, adolescents and the elderly.

Still on the subject of high risk, as this is a complex issue, the Regulation itself provides that the ANPD will be able to provide guides and guidance in the future, with the aim of assisting small treatment agents in the assessment of high-risk treatment.


Measures bring cost reduction


Another relevant mitigation in the regulatory burden concerns the obligation to record transactions involving the processing of personal data (ROPA – record of processing activities). Under the new regulation, small agents can record personal data processing operations in a simplified manner, according to a model yet to be provided by the ANPD.

In relation to the person in charge of personal data, by many known as DPO (Data Protection Officer), small agents, such as Startups they will no longer be obliged to indicate that figure, as required by Article 41 of the LGPD. However, this exemption does not exempt them from providing a communication channel with the data subject to comply with the provisions of Article 41, § 2, I, of the LGPD, which provides as the activity of the person in charge "accepting complaints and communications of the data subjects, providing clarifications and adopting measures".

The ANPD has also relaxed the safety incident communication by indicating that it will have the issue in simplified procedure under specific regulations.

Regarding deadlines, there is flexibility for small-sized agents, including Startups. The regulation grants them double term in cases provided for by law, in clear recognition of their condition and smaller service structure.

In addition, small processing agents may establish a simplified information security policy, which includes essential requirements for the processing of personal data, in order to protect themselves from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication or any form of improper or unlawful processing.

No less important is the permission granted to small treatment agents and Startups, including those who carry out high-risk treatment, to organize themselves through entities representing the business activity, legal entities or natural persons for the purposes of negotiation, mediation and reconciliation of complaints submitted by data subjects.

The ANPD may ask the entrepreneur to prove the framework of his company. In other words, the data protection authority may require proof that business activity is a startup (or small business in general). The deadline is 15 days to meet the requirement.


Privacy by design


Although not expressly mentioned in the new ANPD Regulation, the concept of privacy by design is an important tool at the disposal of Startups for risk management and compliance with personal data protection standards. Although not explicitly mentioned in the regulation, it reflects the need to incorporate the culture of data protection into the business, including those in the pre-operational phase, since the design of the technology.

This is even more relevant in the innovation environment of Startups, considering that decisions made during the design of the business can have long-term impacts, impairing the company's ability to generate value, project repetition and gain scale. Implementing data protection from the design of the project, therefore, should be a priority, mainly because of the growing wave of cyber-attacks that affects from large corporations, such as companies with stock exchanges, to small companies and Startups.


[1] Nthe terms of Order 41/2021/SG/ANPD.

[2] Mapping of the Brazilian Startup Ecosystem 2021.