ANPD's New Regulation on Guidelines and Responsibilities of Data Protection Officers in Brazil
- Cristiane Manzueto,
- Rodrigo Leal,
- Ana Leticia Allevato,
- Diego Semeraro,
- Vítor Montovani
The Brazilian Data Protection Authority (ANPD) has published its new regulation on the Data Protection Officer’s (DPO) role. A central figure in privacy governance, the DPO serves as the liaison between the data controller, the data subject, and the authority, acting as the primary contact for issues involving personal data within an organization.
The obligation to designate a DPO has been in place since the enactment of the General Data Protection Law (LGPD) in 2020. The ANPD has already levied sanctions on companies that have failed to comply with this obligation.
The LGPD established basic provisions for the selection, disclosure, and role of the DPO, leaving to the current regulation the specific duties and responsibilities of this role.
WHO SHOULD APPOINT A DPO?
The Data Controller, who is responsible for decisions regarding the processing of personal data, must appoint a DPO as stipulated by the LGPD.
The Data Processor, in seeking to follow best practices for data governance, may proactively appoint a DPO, which would be a favorable factor in the assessment of potential sanctions.
Small Data Processing Agents, however, are exempt from appointing a DPO but must maintain an open communication channel for data subjects, per the "Regulation for Small Data Processing Agents."
WHO CAN ASSUME THE POSITION OF DPO?
The DPO can be a natural person, whether or not a member of the organization, or a legal entity, and must be able to communicate clearly in Portuguese with data subjects and the ANPD.
There is no prerequisite for registration, certification, or specific training. It is up to the data controller or processor (or “data processing agent”) to establish the professional qualifications for the role, considering (i) knowledge of data protection legislation and (ii) the complexity and risks of their processing activities.
The DPO may hold other positions or serve as the DPO for multiple companies provided the DPO can fully perform their duties. However, both the data processing agent and the DPO must evaluate potential conflicts of interest that may arise:
- Between the DPO’s internal duties or roles in different companies; or
- With activities involving making strategic decisions about data processing on behalf of the controller (except those data processing activities inherent to the DPO’s duties).
The DPO is also responsible for informing the data processing agent of any conflict of interest that may emerge. In the event of a conflict, the data processing agent must refrain from appointing the conflicted individual or legal entity to the role of DPO, implement measures to mitigate the risk of conflict of interest, or replace them with another suitable DPO.
The DPO's inability to act, or their absence (for example, while on vacation), should not affect the rights of data subjects or communication with the ANPD. In such cases, a formally appointed substitute should assume the DPO’s duties.
HOW IS A DPO DESIGNATED?
The DPO must be formally designated in a written document that includes:
- Date and the DPO’s signature;
- Clear and unequivocal designation of the DPO; and
- The roles and activities of the DPO, which must at least include those set forth in the regulation.
This document may be requested by the ANPD.
WHAT ARE THE DPO’S DUTIES?
The DPO is responsible for:
Handling external requests: Coordinating and assisting, internally, to resolve requests from data subjects and the ANPD.
Data governance: Assisting in the creation and implementation of records, reports, supervision mechanisms, security measures, internal policies, contractual instruments, international data transfers, best practices, governance rules, and other strategic decisions over how personal data is processed.
The regulation allows the data processing agent discretion to stipulate additional responsibilities and opens the door for future complementary regulations.
WHAT ARE THE CONTROLLER’S DUTIES?
The controller must:
Provide resources and autonomy: Supply the DPO with the necessary human, technical, and administrative resources and ensure the DPO has technical autonomy to perform their duties without interference. The DPO must have direct access to leaders and decision-makers involved in strategic data processing decisions, with the freedom to navigate all areas and levels of the organization.
Seek assistance and guidance: Consult with the DPO on activities and strategic decisions related to data processing.
Facilitate communication and access: Ensure effective communication channels for data subjects and the ANPD. The DPO's contact information must be prominently displayed and easily accessible on the data processing agent's website and should include:
- Name:
  - Full name, if a natural person.
  - Corporate name or establishment title, along with the full name of the responsible natural person, if a legal entity.
- Contact details.
If the data processing agent does not have a website, this disclosure may be made through any other available communication means, preferably those already used for contact with data subjects.
Compliance with the LGPD: Finally, the data processing agent is ultimately responsible for compliance in data processing and adequately addressing potential demands from the ANPD and data subjects.
***
The full text of the regulation is available on the government's website in Portuguese.