The protection of personal data is an institute that depends on cooperation, contribution and collaboration between the parties involved in a personal data processing activity.
In my day-to-day life, I often come across situations in which one of the parties, that is, one of the Processing Agents, is unwilling to cooperate, contribute or collaborate with the other, be it a Controller – who determines the purposes and means by which the operation with the data will take place, or an Operator – who carries out the operation based on the Controller’s instructions.
It is necessary to start from the premise that in order to build a sustainable ecosystem, with regard to the legal requirements of the General Personal Data Protection Act (“LGPD”), as well as international best practices, a balance is needed between the responsibilities and tasks of the Processing Agents.
When two or more Processing Agents act in an operation with personal data, cooperation is an essential part of building the legitimacy and legality of the activity.
Regardless of the classification of the Processing Agent, as well as the processing in question – e.g. collection, storage, sharing, use, processing, disposal – in order to comply with the fundamentals and principles of the LGPD, it is necessary for all the Agents involved to contribute – within the limits of their responsibility, and actively collaborate – by carrying out a common job.
Therefore, cooperating here means having the main objective of guaranteeing the legitimacy and legality of a given personal data processing operation.
An operational and practical example, as well as a classic and routine one – especially in the oil and gas industry – is the application of resources by an oil company to Research, Development and Innovation (RD&I). Research, Development and Innovation Technical Regulation No. 3/2015 of the National Agency of Petroleum, Natural Gas and Biofuels (ANP), which establishes definitions, guidelines and standards for the application of resources, as well as rules for proving R,D&I activities and the respective expenses incurred, Chapter 06 makes it a legal and regulatory obligation to keep information and documents for a period of 5 (five) years – counting from the end date of the project, including contracts and tax documents relating to the transfer of funds and payments, as well as expenses incurred within the scope of R,D&I projects or programs.
It also establishes that institutions accredited by the ANP, i.e. universities or research and development institutions, as well as Brazilian companies, must send the contracting oil companies information and documents relating to the projects or programs they carry out.
Due to the lack of clarity in the Technical Regulations, and especially with regard to the rendering of accounts for personnel expenses and their supporting documents, which does not detail the data, information, documents and records that must be filed and kept for a period of 5 (five) years, the Oil Companies can and must request from the Accredited Institutions and/or Brazilian Companies contracted for R,D&I the personal data they deem necessary and appropriate to comply with their legal and regulatory obligation, with the aim of supporting and promoting their own activity, as well as guaranteeing, in the event of an inspection, a suitable and effective record capable of proving the contributions made.
In this sense, it is up to the Treatment Agents involved in RD&I to act in a cooperative manner, guaranteeing reciprocal access to information and documentation on the project or program.
Personnel costs are also included in this list, and it is not up to either party to oppose or deny access to information and data, or not to share it.
On the other hand, it is always the duty of all Processing Agents to collaborate and contribute to guaranteeing the application of the general principles of personal data protection, especially transparency and free access to such operations, each within the limits of their responsibility and their respective relationships with the data subjects involved.
Regardless of the economic segment or regulatory framework, cooperation is fundamental to achieving a sustainable personal data protection ecosystem.