Failure to record personal data processing operations (article 37)

messi74

The record of personal data processing operations, commonly called “data mapping” or “ROPA (record of processing activities), is a record of all personal data processing operations that every company must keep, regardless of its size, since the ANPD can demand this evidence at any time.

In the inspection process in question, although the ANPD reported the absence of the aforementioned document, as no evidence was requested from the company, it was not penalized, which does not diminish the importance of having the records archived, since the document is essential for defining the legal bases, as seen above.

We realize, in any case, that it is essential to prepare and gambling data saudi arabia maintain the document updated in the company, so that the legal bases are defined correctly.

We have already written how to maintain company compliance in a few simple steps, which you can access here  .

Absence of Data Protection Impact Report – RIPD (article 38)
Regarding the failure to submit the RIPD , which is the Data Protection Impact Report, it is possible to assume that there was a determination to demonstrate the preventive measures of art. 32 of the Inspection Regulation (CD ANPD No. 1) and that the offending company did not demonstrate the preparation of this type of document upon request from the ANPD. This document is necessary for the controller to describe the personal data processing processes that may generate risks to civil liberties and fundamental rights, as well as measures, safeguards and risk mitigation mechanisms.

Lack of proof of appointment of the person responsible for personal data (article 41)
The Data Protection Officer, commonly referred to in Brazil as DPO ( data protection officer ) , is the person or company responsible for the governance of personal data within an organization , as well as for communicating with the ANPD and the holders of personal data. The Law requires, in its article 41, that all companies must appoint a Data Protection Officer, under penalty of non-compliance and being subject to penalties.