Small processing agents (SPA) are small businesses, start-ups, and non-profits companies that process personal data. If they aren’t processing high-risk or large-scale data, then there is a consideration that the regulations for data processing under LGPD may be lessened. High risk processing relates to:
- Sensitive data or the data of vulnerable groups
- Surveillance or control of publicly accessible areas
- The use of emerging technology which may harm data subjects
- Automated processing of personal data that affects the data subjects’ interests
Large scale processing is characterized when it involves a significant number of data subjects in terms of:
- The volume of data involved
- Its duration, frequency, and geographical extent
Large-scale processing does not include processing of employee data or any data that is for administrative purposes of the SPA.
Below are some of the exemptions that may be available to SPAs:
- SPAs will not be required to appoint a Data Protection officer as long as there is a communication channel for the data subjects to use
- SPAs will be able to present Privacy Impact Assessments in a simplified form if required, under the term of the regulation
- SPAs may be represented by other entities for advisory services as well as negotiation, mediation and resolving complaints with data subjects
Value Privacy can review and advise on your company’s privacy processes. While LGPD is still new it is easy to slip up with where exactly your company falls and what that means for how you should be handling data. Let us simplify the process for you, contact us to find out how we can help.