March 31, 2021

The Brazilian Data Protection Authority (ANPD) publishes its bylaws, which establishes its structure and operation


In compliance with its regulatory schedule for 2021 and 2022 and its strategic plan for 2021-2023, the Brazilian Data Protection Authority (ANPD) published its bylaws on March 9, 2021.

The ANPD aims to protect the fundamental rights of freedom and privacy and the free development of the personality of natural people. Although the ANPD is part of the Presidency of the Republic, the ANPD claims to be autonomous, including in its decision-making.

In general, the ANPD's bylaws establish its organizational structure, competencies, decision-making instruments and normative and administrative procedures.

The structure of the ANPD is composed of the Board of Directors, the National Council for Persona Data Protection (advisory body), bodies that shall assist the Board (General-Secretariat, General-Coordination of Administration and General-Coordination of Institutional and International Relations), internal bodies (Internal Affairs, Ombudsman and Legal Advisory) and other specialized bodies (General-Coordination of Standardization, General-Coordination of Inspection and General-Coordination of Technology and Research).

The goal of these bodies is to realize the competencies that the LGPD (Brazilian General Data Protection Law - n. 13.709/2018) establishes for the ANPD.

The competencies for the Board of Directors include:

  • Editing regulations regarding data protection and privacy and data protection impact assessments;
  • Issuing provisions regarding anonymization techniques, ways to make public the data processing by public entities, interoperability standards for data portability and standards for security measures to be taken to protect personal data against possible security breach incidents;
  • Approving governance rules and best practices regarding personal data processing;
  • Reviewing the administrative penalties enforced by its General-Coordination of Inspection (Note: The penalties will start being applied only in August 2021);
  • Deliberating on the appropriate level of data protection for countries or international organizations; and
  • Establishing the content of the standard contractual clauses in international data transfer.

Among these competencies, impact assessments and penalties will be regulated in the first half of 2021. In addition, the evaluation of the appropriate level of data protection and the definition of the standard contractual clauses for international data transfer will be made in the first half of 2022.

The General-Coordination of Inspection has an essential role for the performance of the ANPD. Its main competences are:

  • Performing inspections and enforcing penalties under article 52 of LGPD;
  • Issuing decisions in first instance in the administrative process for penalties of the ANPD;
  • Conducting or ordering audits in order to verify discriminatory practices in automated processing of personal data;
  • Receiving petitions from data subjects against controllers.

Another highlight of the ANPD’s bylaws is the content regarding the administrative procedures that will be handled by the ANPD under the LGPD, the Administrative Process Law (Law n. 9.784/1999), and other applicable rules. The procedures for applying penalties will be described in regulations, as established by articles 52 and 53 of the LGPD.

As a general rule, the requests addressed to the ANPD will be handled as follows: (i) the body that receives the request will forward it to the competent body for the assessment of the process, if necessary; (ii) if the application does not meet the requirements of the Administrative Process Law, it will be dismissed by the competent body; (iii) the request will be analyzed by the competent body and can be forwarded to a higher authority for further deliberation; and (iv) if there is a problem with the request, the applicant is required to correct it within 15 days.

The Board of Directors can implement preventive measures to avoid a serious and irreparable harm or one that is difficult to repair either in its exclusive discretion  or at the request of one of the interested parties. These measures can be applied during or before an administrative procedure, if there is an imminent risk, and must be complied with until there is a final judgment.

Finally, the ANPD bylaws establish that the highest instance of appeals for administrative proceedings will be the Board of Directors. In addition, when the Board of Directors works as the first instance of decision, the decision issued may be reconsidered, upon a reasonable request.

For more information related to this Legal Update, please contact our Data Privacy and Intellectual Property group.

Stay Up To Date With Our Insights

See how we use a multidisciplinary, integrated approach to meet our clients' needs.