New LGPD resolution for small companies in Brazil


published on 8 February 2022 | reading time approx. 2 minutes

The adequacy of micro and small companies to the General Data Protection Law (Law 13.709/2018 - LGPD) generates discussions since its implementation, now the new Resolution “CD/ANPD No. UNIÃO on January 28”, brings some flexibility in relation to the LGPD for micro and small companies, pointing to the dismissal of some obligations, and the simplification in the adaptation process.

Note that companies are not classified, for the purposes of applying this Resolution, those that:

  • Carry out high-risk processing for the data subjects, such as sensitive data or data of vulnerable groups (such as of children, adolescents and the elderly), surveillance or control data of publicly accessible areas, use of emerging or innovative technologies that may cause material or moral damage to the data subjects, and automated processing that affects the interests of the data subjects (such as profiling).
  • Earn gross revenue exceeding the limit established by specific law; or
  • Belong to an economic group in fact or in law, whose global income exceeds the limits referred in clause II, as the case may be.


This way, it is clear that it is not enough just to classify a company as small, but it is necessary to evaluate the level of risk of the data treatment, gross revenue, as well as the participation of the companies in economic groups, in which the global revenue must be considered.

Although the Resolution comes to relax some rules, the exemption from the obligations set forth does not exempt small business processors from complying with the other provisions of the LGPD, including the legal bases and its principles.

Appointment of the data controller (DPO)

Among the simplifications, the most talked about among experts is the appointment of the Data Officer. Even if your company is classified by the resolution, the appointment of a Data Officer by small treatment agents will be considered as good practice and governance policy in the eyes of the ANDP.

Rödl & Partner has developed two complementary projects to implement LGPD, namely:

  • Interim DPO - we act as your third party DPO to be an access bridge for your stakeholders and the legislation, as well as in front of the regulatory agency in case of questioning.
  • Training your DPO - we have also developed a specific training program so that we can prepare your DPO for eventual demands and how to act upon requirements.

 From the newsletter


Contact Person Picture

Philipp Klose-Morero

Managing Partner South America

+55 11 5094 6060

Send inquiry

 How we can help

 Read more

Deutschland Weltweit Search Menu