LGPD and non-profit organizations: what is the relationship?


In times of LGPD (Brazilian General Data Protection Law), the importance of companies adapting and being regulated is well known. But what about non-profit organizations? Does the law apply in the same way?

Third sector companies, or non-profit companies, may have technological limitations because they do not generate profit, but it is important to remember that they also commonly store large amounts of data. In this case, what happens to compliance with the LGPD (Brazilian General Data Protection Law)?

Some of the non-profit activities of these institutions may pose a risk because of the personal data involved, which may range from sensitive data to data from children and adolescents.

The resolution that allows for greater flexibility depends on several factors.

The fact is that every company, without exception, needs to be compliant with the General Data Protection Law. However, Resolution No. 02/2022 of the National Data Protection Authority (ANPD) brought a degree of flexibility to the privacy landscape.

However, this flexibility depends on the company meeting the requirements:

– Companies that process high-risk personal data;

– Companies that have earnings exceeding 4.8 million reais per year;

– Companies that belong to an economic group that has profits exceeding the above value.

It often happens that a non-profit organization does not generate enough income to remain operational, yet still possesses a very robust database. In this case, this company is considered high risk due to its potential to affect the fundamental rights and guarantees of the data subjects.

Companies that process data using innovative technologies without human intervention can also be considered high-risk.

Finally, non-profit organizations that deal with sensitive data, or data concerning children, adolescents, and the elderly, do not benefit from the easing of restrictions.

In order to qualify for the flexibility provided by Resolution No. 02/2022, the non-profit organization must demonstrate that it meets the aforementioned requirements.

But what are these flexibilities?

The flexibilities permitted by the Resolution are:

  • The possibility of submitting maintenance and operations records, as required by Article 37 of the LGPD (Brazilian General Data Protection Law), in a more simplified manner, using a template provided by the ANPD (National Data Protection Authority);
  • The possibility of simplified communication when a security incident involving personal data occurs, through a template to be provided by the ANPD (National Data Protection Authority);
  • The possibility of not needing a Data Protection Officer (DPO), while still requiring the presence of a person who has a deep understanding of the General Data Protection Law;
  • The possibility of developing a simplified information security policy.

It is important to highlight that a data incident refers to any unauthorized access to personal data, not just hacker attacks, as is commonly believed. 

Finally, even if the company is eligible for the flexibilities, it cannot be forgotten that the guidelines of the General Data Protection Law also affect it. Proper handling of personal data is essential, always prioritizing the security of data subjects.
