The Brazilian Data Protection Authority (ANPD) recently published a record of processing activities (ROPA) model template to be adopted by small processing agents. Under Article 37 of Law No. 13,709 of 2018 (LGPD), organizations, whether acting as controllers or processors, are required to maintain a record of the processing activities they carry out.
The mandatory information in the ROPA template includes:
- Corporate name, company’s Brazilian taxpayer number, address and organization’s main business activity
- Name, email and phone number of the person in charge of the ROPA (e.g., the data protection officer)
- Date on which the ROPA was first filled out and date of each subsequent update
- Processing activity name and purpose
- Categories of data subjects (e.g., children, adolescents, elderly people)
- Categories of personal data (e.g., name, ID number, address)
- Third-party sharing activities, indicating the name of the recipients of personal data and the purposes of such disclosure
- Security measures (e.g., access control, backups, pseudonymization, firewall)
- Retention period
  - If, for example, a company is collecting personal data of job candidates for the purpose of evaluating and selecting them, ANPD indicated that job candidates' personal data should be kept for up to one year. This one-year term is not a binding requirement, but serves as guidance on ANPD's understanding of the matter.
In addition to the list above, controllers and processors may add further information to their records of processing activities, such as sources of personal data and details regarding cross-border transfers.