Publications - 01/11/21

The concept of Joint Controllership according to the guidelines published by the Brazilian National Data Protection Authority

The Law 13.709/2018, Brazilian Data Protection Law (“LGPD”), represents a milestone in the Brazilian legislation, responsible for regulating the processing of personal data by individual and legal entities, establishing legal concepts and striving to constitute an effective national personal data protection system.

Since LGPD came into force, the Brazilian National Data Protection Authority (“ANPD”) has been issuing guidelines on specific topics in order to facilitate and guide the interpretation and application of the law, in addition to clarifying doubts relating to certain concepts and aspects of LGPD.

Among the publication issued by the ANPD so far, the Guideline for the Definition for Personal Data Processing Agents, despite not having a bidding nature, is a relevant and enlightening document.

This publication aims to determinate guidelines to data processing agents, legal concepts, clarify the respective responsibility of each of these actors, provide examples on the topic regarding the clarifications addressed by the ANPD, and give answers to recurring questions on the topic.

The main point addressed in the Guideline concerns to the definition and possibility of joint controllership. Although LGPD specifically defines what is a data controller and a data processor, it does not mention or clearly establishes the possibility of a data processing dynamic with two data controllers, a situation that, in practical terms, can occur frequently and is regulated, for example, by the European Data Protection Law, GDPR.

In general terms, the main difference in a joint controllership relationship of data processing is that the decision-making power to define the purposes of the processing is divide by two or more responsible parties. The ANPD Guideline mentions the European regulation, which stipulates joint controllership in situations of “joint participation” when defining the “purposes and means of data processing”.

Furthermore, under the understanding and guidelines issued by the European Data Protection Committee (EDPB), the purposes of data processing, in this context, can be taken from common or convergent decisions of the data controllers.

Common decisions are those in which two or more entities have a common intention in relation to the purposes and means of processing personal data, while convergent decisions are those in which there are divergent decisions, however these are complementary, in the sense that the data processing would not be feasible without the participation of both data controllers.

Finally, ANPD, through this Guide, presents the basic criteria that needs to be fulfilled in order to identify the existence of joint controllership in the context of the Brazilian Data Protection Law, which are: (i) more than one data controller with decision-making power on the processing of personal data; (ii) existence of mutual interest of two or more data controllers, based on their own purposes, in the same data processing; and (iii) two or more data controllers are responsible for making common or converging decisions about the purposes and basic elements of the data processing.

Finally, despite the importance of this type of document published by ANPD, as this Guideline is not binding, there is still a long journey along the way for companies to have more security regarding the interpretation and application of the LGPD, which will begin to become clearer when more concrete positions by the Brazilian Authority are taken, such as the application of sanctions provided for by the LGPD.