Defining the Processing Agents
Brazil's General Data Protection Law (LGPD) identifies processing agents as either controllers or processors[cite: 59]. The controller is the natural person or legal entity of either public or private law in charge of making decisions regarding the processing of personal data[cite: 55]. The processor is the natural person or legal entity of either public or private law that processes personal data on behalf of the controller[cite: 56].
This distinction determines your legal obligations whenever you rely on third-party services to set analytics or functional cookies: it dictates who must respond to data subject requests, who must maintain records of processing, and who compensates data subjects if the processing causes damage.
Key Differences Between Controllers and Processors
The division of responsibilities relies heavily on who dictates the purpose and boundaries of the processing operation.
| Role | Primary Function and Obligation Under LGPD |
|---|---|
| Controller | Makes decisions regarding the processing of personal data [cite: 55]. |
| Controller | Must appoint a data protection officer for data processing [cite: 327]. |
| Controller | May be required by the national authority to prepare a data protection impact assessment report [cite: 321]. |
| Processor | Processes personal data on behalf of the controller [cite: 56]. |
| Processor | Carries out processing according to instructions provided by the controller [cite: 323]. |
Record Keeping and Compliance Duties
Both the controller and the processor must maintain records of the personal data processing operations they perform[cite: 320]. This requirement becomes especially critical when the processing relies on legitimate interest as a legal basis[cite: 320]. The national authority can demand that a controller prepare a data protection impact assessment report regarding their operations[cite: 321]. This report must describe the types of data collected, the methodology used for ensuring information security, and an analysis of the adopted safeguards and risk mitigation mechanisms[cite: 322].
The controller sets the purpose and boundaries of the processing, and the processor has no authority to alter them. The processor carries out the processing according to the instructions provided by the controller, and it is the controller who must verify compliance with both its own instructions and the applicable legal rules[cite: 323].
Data Protection Officers
The LGPD places specific structural requirements on entities managing personal data. The controller must appoint a data protection officer for the processing of personal data[cite: 327]. The identity and contact data of this officer must be publicly, clearly and objectively disclosed, preferably on the controller's website [cite: 329].
Processors are not subject to the same statutory obligation under Article 41 to appoint a named officer, though as processing agents they remain bound by the security obligations the law places on both roles.
Liability and Damage Compensation
When a processing activity causes pecuniary, moral, individual or collective damage to others in violation of data protection legislation, the responsible processing agent is required to compensate for that damage[cite: 339]. Controllers directly involved in the processing that resulted in the damage are jointly liable[cite: 342]. The processor becomes jointly liable when it fails to comply with the obligations of the data protection legislation, or when it acts contrary to the lawful instructions of the controller[cite: 341].
In these specific scenarios of statutory non-compliance or disobedience, the processor is considered equivalent to the controller for liability purposes[cite: 341]. Anyone who pays compensation for damages to the data subject has the right to demand compensation from other liable parties to the extent of their participation in the damaging event[cite: 345].
Legal proceedings for these damages can shift the usual expectations of proof. A judge in a civil proceeding can reverse the burden of proof in favour of the data subject[cite: 343]. This reversal can happen if the allegation appears credible, if the data subject is hyposufficient (lacks the means to produce evidence), or if producing the evidence would be overly burdensome for the data subject[cite: 343].
Exceptions to Liability
Processing agents are not automatically held liable for every negative outcome. The LGPD specifies three explicit scenarios where processing agents avoid liability [cite: 346].
An agent is not liable if it proves that it did not carry out the personal data processing attributed to it[cite: 347]. It also avoids liability if it proves that, despite carrying out the processing, there was no violation of the data protection legislation[cite: 348]. Finally, an agent is not liable if the damage results from the exclusive fault of the data subject or of a third party[cite: 350]. Outside these exclusions, a controller or processor that causes damage by failing to adopt the security measures the law requires is liable for the damages resulting from the data security violation[cite: 355].
Frequently Asked Questions
Can a processor be held jointly liable under the LGPD?
Yes, a processor is jointly liable if they fail to comply with data protection legislation or act against the controller's lawful instructions[cite: 341]. In these cases, the processor is treated as equivalent to the controller [cite: 341].
Who is required to appoint a data protection officer?
The LGPD mandates that the controller must appoint a data protection officer for the processing of personal data[cite: 327]. The officer's contact details must be publicly disclosed [cite: 329].
Are controllers and processors required to keep records?
Yes, both the controller and the processor must maintain records of the personal data processing operations they perform[cite: 320]. This is particularly important when processing relies on legitimate interest [cite: 320].
When can the burden of proof be reversed?
A judge may reverse the burden of proof in a civil proceeding in favour of the data subject[cite: 343]. This applies when the allegation appears credible, when producing evidence would be too burdensome for the data subject, or when the data subject is hyposufficient (lacks the means to produce evidence)[cite: 343].
What happens if a processing agent fails to adopt security measures?
Processing of personal data is deemed irregular if it fails to provide the security that the data subject can reasonably expect from it[cite: 351]. A controller or processor that causes damage by failing to adopt adequate security measures is liable for the resulting damages[cite: 355].
Take Control of Your LGPD Compliance
If you operate as a controller under the LGPD, mapping your data flows and managing the instructions you give third-party vendors requires strict oversight. Kukie.io detects, categorises, and helps you document the cookies on your site and the third-party services behind them that may be acting as your processors. Run a free scan today to map your data relationships and maintain clear, compliant records.