ROPA Template Proposal for Small Processing Agents
Technical Note No. 33/2022, published by the Brazilian Data Protection Authority (ANPD), proposes a template for a Record of Personal Data Processing Activities (ROPA) for small processing agents, whether controllers or processors.
The proposed template is under public consultation until December 4, 2022, with a definitive version expected to be published in 2023.
A ROPA is mandatory under the Brazilian General Data Protection Law (LGPD) for all processing agents, in accordance with its Article 37. However, among the various exceptions and exemptions granted to small processing agents, a simplified ROPA may be adopted, as provided for in Resolution CD/ANPD No. 2/2021.
A ROPA is essential for understanding all data flows within an organization, as it is built upon the map of all personal data processing activities. It is equally essential for data management, whether in response to requests from data subjects or competent authorities or in the event of an information security incident. Additionally, it is the result of the principle of accountability, which is established in various data protection laws around the world, including the LGPD.
Given that the LGPD does not contain minimum requirements for ROPA, the ANPD stated in its Technical Note that the proposed template will be non-binding. Adopting it will therefore be a good practice, i.e. implementation is not mandatory. The proposed template can even be freely modified by the agents.
The minimum information to be mapped and recorded under the proposed ROPA template includes:
- The types of processed personal data.
- A list of processed personal data.
- A list of sensitive processed personal data.
- The categories of data subjects involved.
- The purpose of the processing activity.
- The legal basis for the processing activity.
- The sources of personal data.
- The sharing of personal data, if applicable, indicating the name of the processing agent who will receive the data.
- The list of organizations processing personal data on behalf of the controller, if applicable.
- The data retention period.
- Information about data disposal.
- The security measures adopted.
- Any third countries or international organizations to which personal data is transferred.
- Safeguards for international transfers, if applicable.
The template proposed by the ANPD remains under public consultation. However, it is recommended that organizations, especially those that do not fit within the definition of small agents, already review their records or even start their data mapping, considering at least the abovementioned information. Furthermore, it is recommended that any changes to the proposed template, whether made by small, medium or large processing entities, not disregard the minimum requirements suggested by the ANPD, as outlined above.