ILN Data Privacy Paper


Legislative Framework

acknowledged its legality. This recognition was made in the ANPD's 'Guidelines for Definitions of Personal Data Processors and DPO', where a sub-processor is defined as an entity 'hired by the processor to aid in processing personal data on behalf of the controller.' The Guidelines also clarify that the sub-processor maintains a direct relationship with the processor, rather than with the controller. 4.1.4 Data Protection Officer (“DPO”) The Data Protection Officer (“DPO”) is designated by the controller to serve as the liaison among the controller, data subjects, and the ANPD. According to Article 41, the controller must appoint a DPO, who will oversee the data processing operations. According to ANPD’s resolution[1], small processing agents are exempt from appointing a DPO. These agents include micro-enterprises, small businesses, startups, and legal entities governed by private law, such as non-profit organizations, as defined by current legislation. This category also extends to natural persons and depersonalized private entities involved in personal data processing and undertaking the typical responsibilities of a controller. However, if a small processing agent decides not to appoint a DPO, they must establish an alternative communication channel with the data subjects, to comply with the resolution. [1] CD/ANPD RESOLUTION No. 2, OF JANUARY 27, 2022. Available at: cd/anpd-n-2-de-27-de-janeiro-de-2022- 376562019#wrapper

4.1.Key stakeholders 4.1.1 Data subject

The term ‘data subject’ refers to the natural person associated with the personal data being processed. Essentially, it denotes the individual who is related to the personal data. 4.1.2. Controller The controller is defined as the "natural or legal person, whether governed by public or private law, who is responsible for decisions relating to the processing of personal data". As the primary authority, the controller decides the purposes for which personal data is processed and sets the guidelines for processors on how to handle this data processing on their behalf. 4.1.3 Processor The processor is defined as the “natural or legal person, whether governed by public or private law, who carries out the processing of personal data on behalf of the controller”. In practical terms, the processor is most often a company hired by the controller to carry out data processing following instructions provided by the controller. Additionally, it is a common practice for processors to engage sub- processors to assist in data processing activities. Although the LGPD did not initially define this concept, the ANPD later

Made with FlippingBook - PDF hosting