Maintaining Records of Data Processing Activities in line with the LGPD

According to the Brazilian Data Protection Law (LGPD), companies have the obligation to maintain up-to-date records of their personal data processing activities. Furthermore, they must comply with the principle of accountability wich means that they must be able to demonstrate compliance with data protection laws at any time.

To help your company with the compliance of this legal obligation, we conduct data mapping exercises to understand how your company operates and what assets it manages. Analyzing the data flow is important to accurately determine the legal basis for the processing of personal data.

In that process, it is essential to comply with the principles of the LGPD, especially the principle of data minimization (the collection of personal data that is not really necessary for achieving a certain purpose must be prevented).

What do records of processing activities need to contain?

The LGPD does not describe in detail the content of the records of processing activities (ROPAs). For guidance, we consider the GDPR and the recommendations of the EU data protection authorities.

Therefore, we create and maintain records of data processing activities containing at least the following information:

• Name and contact details of the controller and, if applicable, the joint controller, the controller's representative and the Data Protection Officer;
• Purposes of the data processing;
• Comprehensive description of the categories of data subjects and the categories of personal data;
• Recipients of the personal data;
• Mapping of international data transfers, including the mechanism for the transfer;
• Deletion deadlines for the different categories of data;
• Documentation of technical and organizational security measures.

Of particular note are the documentation of consent and the assessment of legitimate interest, which are explicitly required by the LGPD.

We also document i) privacy notices, ii) processing contracts between the controller and processor, iii) DPIA reports, iv) data breaches, and v) personal data retention and erasure documentation. 

To facilitate the recording and updating of new processing activities, we strongly recommend the use of DSN port, our multi-functional Management System that offers comprehensive data protection management under the module privacy.