
Conceptual confusion between Data Processing Agent and Data Controller
Co-authored with João Pedro Nazareth. Originally published in JOTA.
The LGPD identifies two relevant actors in personal data processing activities: the Controller and the Processor, both of which it collectively refers to as Data Processing Agents (Article 5, IX).
A textual analysis of the law makes it clear that, although related, Controllers and Processors are distinct figures. However, this conceptual separation has been rendered ineffective due to the prevailing interpretative approach regarding the obligations assigned to Controllers and Processors.
By expanding the law’s applicability to any relevant agent regardless of their designation in relation to specific processing operations, obligations that are legally attributed to Controllers become applicable to any agent that acts as a Controller in at least one processing activity. Consequently, obligations assigned to Controllers are now imposed on any actor engaged in data processing, regardless of the function they perform in their activities. As a result, the concept of Controller is effectively reduced to that of Data Processing Agent. This requires further clarification.
According to Article 5 of the LGPD, a Processor “carries out the processing of personal data on behalf of the controller,” whereas a Controller “is responsible for decisions regarding the processing of personal data” (Article 5, VI). Thus, the law places the notion of “control” at the center of the distinction between these two types of processing agents.
A factual mechanism for distinguishing Controllers from Processors is the segmentation of these roles according to the specific data processing activity performed. This reflects the understanding that processing agents are not inherently Controllers or Processors; rather, they assume those roles in relation to specific operations.
In this regard, the European Data Protection Board (EDPB) states that the status of “Controller” or “Processor” must be determined based on the activities in a specific context. The Brazilian Data Protection Authority (ANPD) follows this reasoning, noting that an entity may be both a Controller and a Processor, depending on its various processing operations. This distinction is relevant because, under the LGPD, Controllers—among other duties—bear the burden of proving consent (Article 8, §2), ensuring transparency (Article 10, §2), and preparing data protection impact reports (Article 10, §3).
However, this distinction is undermined by the widespread interpretation that classifies as Controllers all actors performing processing activities to fulfill legal or regulatory obligations. Consequently, the obligations originally reserved for Controllers are extended to all activities of data processing agents.
All data processing operations, regardless of their nature, must be justified according to Articles 7 or 11 of the LGPD, which set forth the legal bases authorizing both Controllers and Processors to process personal data. Among these bases is the performance of a legal or regulatory obligation.
According to the dominant interpretation—which largely stems from the wording of Articles 7(II) and 11(II)(a) of the LGPD (“compliance with a legal or regulatory obligation by the controller”)—agents processing data in fulfillment of obligations imposed by legislation or regulation are deemed Controllers, regardless of the degree of actual control they exercise over decisions regarding that obligation—often, it should be noted, none at all.
Thus, the existence of legal and regulatory obligations implies that any data processing agent will inevitably perform at least one activity in which it qualifies as a Controller.
This interpretation results in governance obligations assigned to Controllers being extended to all data processing agents, since all are considered Controllers at some point. For instance, the obligation to appoint a Data Protection Officer (Article 41) is imposed on the entity as a whole and ends up applying beyond the activities it performs as a Controller. This creates a scenario in which the definitions of “Controller” and “Data Processing Agent” converge.
The ANPD reinforces this confusion by mistakenly including “data processing agents” among those responsible for appointing a Data Protection Officer in its Security Incident Reporting Regulation, contradicting Article 41 of the LGPD. In the Regulation on the DPO, the Authority also overlooks the fact that Article 6 is rendered meaningless: “The appointment of a DPO by processors is optional [...]”. If any processing agent that at any time performs the role of Controller is subject to all obligations of a Controller (including the obligation to appoint a DPO), then there is no such thing as a “Processor” for the purposes of Article 6.
To resolve this confusion, two approaches are proposed: (i) defining the State as the Controller in processing operations carried out under Articles 7(II) and 11(II)(a) of the LGPD; and (ii) modulating the legal effects of Controller status and its associated obligations.
One solution would be to recognize the State as the Controller in cases of compliance with legal and regulatory obligations, while private actors would act as Processors. This would acknowledge the State’s control over decisions relating to the processing of personal data—such as which data to process and for how long—and would allow for the existence of actors operating exclusively as Processors, benefitting from the best practices recommended by the ANPD. However, this solution may pose challenges, such as imposing additional responsibilities on the State, which would then formally act as Controller in such activities.
Another solution would be to adopt the approach of the GDPR, modulating the effects so that, in specific legal scenarios, certain processing agents fulfilling regulatory obligations are equated with Controllers, even if they are not so in practice. The CNIL (French Data Protection Authority), for instance, adopts a similar interpretation by excluding from data protection impact reports those processing activities resulting from legal obligations.
Although the LGPD reaches a conclusion similar to the European framework—that is, data processing activities based on regulatory obligations must comply with duties directed at Controllers—it creates confusion by failing to explicitly establish the exceptional nature of such scenarios, thereby obstructing conclusions that would otherwise arise from this context.
In conclusion, there is a conceptual confusion between Controllers and Data Processing Agents, resulting from an interpretative framework that extends Controller obligations to all agents. Any actor that, at any point, acts as a Controller—even under a legal or regulatory mandate—is broadly treated by the law as a Controller.
To overcome this confusion, it is proposed to: (i) dissociate the role of Controller from private actors and assign it to the State in cases of legal obligation, and (ii) allow legislative modulation to treat some agents as Controllers only exceptionally, without eroding the conceptual distinction between these categories.