
Processor, controller... After all, who's who when it comes to LGPD?

There is no doubt that the General Data Protection Law was a milestone in the history of Brazil. Contrary to what some people believe, the new law was not enacted simply to punish information leaks (which can inevitably happen to any company, no matter how much it has invested in this sector), but to promote, at the federal level, an increased awareness, among both corporations and citizens, of the fundamental right to privacy, which was already provided for in the 1988 Constitution.

However, the legislation has also confused many people by “creating” a series of new attributions and nomenclatures to determine the roles of the corporate executives who are responsible for the gathering, storing, and processing of the personal data of Brazilians. The most famous of these is the data protection officer (more popularly known by the English acronym DPO), who is responsible for overseeing all processes and acting as a communication liaison with the National Data Protection Authority (ANPD).

However, there are also two other figures who still cause some confusion: the controller and the processor. After all, who are they, and what are their roles?

Controller: the name says it all

Let's start with the controller. As the name suggests, the controller is just as important as the DPO, since he or she is responsible for controlling how the personal data under their responsibility is collected, processed, and shared. Under the LGPD, the controller is described as "an individual or legal entity, either governed by public or private law, who is responsible for decisions concerning the processing of personal data". In other words, the controller is a professional or a company that coordinates how personal data will be collected and processed.

It is a position of great responsibility. The controller needs to create processes that are in accordance with the premises of the law, and must also draft the Personal Data Protection Impact Report, which can be requested by the National Data Protection Authority (ANPD) at any time. This professional is also responsible for explaining, through privacy policies, why each piece of information is collected and what it will be used for, as well as the rights of a citizen as “owner” of this asset.

Regarding accidental or criminal data exposure incidents, if the processing does not take place in accordance with the law, the controller may be held jointly and severally liable for the damage caused — of course, with the DPO as a “partner” in providing clarifications to the Authority.

Processor: you can be one

On the other hand, the processor's job is much simpler. We are talking about the professional or company that effectively handles the storage and use of collected personal data. In the official text of the LGPD, the processor is described as “an individual or legal entity, either governed by public or private law, who processes personal data on behalf of the controller”.

In other words, the processor is directly subordinate to the controller and must ensure that information is processed in accordance with the rules defined by the controller. Want some practical examples? A call center is a processor, as it utilizes user data to contact potential customers in order to offer services, respond to requests, or collect payments. Professionals or marketing agencies that collect leads can also be classified as processors.

Although the processor follows the controller's rules, it can also be held jointly responsible for any security incidents that jeopardize an owner's privacy, especially if the incident is caused by non-compliance with the controller's instructions. However, again, it is with the help of the DPO that communication with the ANPD is established.

Teamwork

Now that you understand the roles of the DPO, the controller, and the processor, it's certainly easier to understand the LGPD. Each plays a slightly different role; however, the idea is that, together, all three will be able to maintain an efficient strategy to protect the data and privacy of their customers.