The Brazilian Data Protection Authority (ANPD) has published its
new regulation on the Data Protection Officer's (DPO) role. A
central figure in privacy governance, the DPO serves as the liaison
between the data controller, the data subject, and the authority,
acting as the primary contact for issues involving personal data
within an organization.
The obligation to designate a DPO has been in place since the
enactment of the General Data Protection Law (LGPD) in 2020. The
ANPD has already levied sanctions on companies that have failed to
comply with this obligation.
The LGPD established basic provisions for the selection,
disclosure, and role of the DPO, leaving to the current regulation
the specific duties and responsibilities of this role.
WHO SHOULD APPOINT A DPO?
The Data Controller, who is responsible for
decisions regarding the processing of personal data, must appoint a
DPO as stipulated by the LGPD.
The Data Processor, in seeking to follow best
practices for data governance, may proactively appoint a DPO, which
would be a favorable factor in the assessment of potential
sanctions.
Small Data Processing Agents, however, are exempt
from appointing a DPO but must maintain an open communication
channel for data subjects, per the "Regulation for Small Data
Processing Agents."
WHO CAN ASSUME THE POSITION OF DPO?
The DPO can be a natural person, whether or not a member of the
organization, or a legal entity, and must be able to
communicate clearly in Portuguese with data subjects and the
ANPD.
There is no prerequisite for registration, certification, or
specific training. It is up to the data controller or processor (or
"data processing agent") to establish the professional
qualifications for the role, considering (i)
knowledge of data protection legislation and (ii)
the complexity and risks of their processing activities.
The DPO may hold other positions or serve as the DPO for multiple
companies provided the DPO can fully perform their duties. However,
both the data processing agent and the DPO must evaluate potential
conflicts of interest that may arise:
- Between the DPO's internal duties or roles in different companies; or
- With activities involving making strategic decisions about data processing on behalf of the controller (except those data processing activities inherent to the DPO's duties).
The DPO is also responsible for informing the data processing
agent of any conflict of interest that may emerge. In the event of
a conflict, the data processing agent must refrain from appointing
the conflicted individual or legal entity to the role of DPO,
implement measures to mitigate the risk of conflict of interest, or
replace them with another suitable DPO.
The DPO's inability to act, or their absence (for example, while on
vacation), should not affect the rights of data subjects or
communication with the ANPD. In such cases, a formally appointed
substitute should assume the DPO's duties.
HOW IS A DPO DESIGNATED?
The DPO must be formally designated in a written document that includes:
- Date and the DPO's signature;
- Clear and unequivocal designation of the DPO; and
- The roles and activities of the DPO, which must at least include those set forth in the regulation.
This document may be requested by the ANPD.
WHAT ARE THE DPO'S DUTIES?
The DPO is responsible for:
- Handling external requests: Coordinating and assisting, internally, to resolve requests from data subjects and the ANPD.
- Data governance: Assisting in the creation and implementation of records, reports, supervision mechanisms, security measures, internal policies, contractual instruments, international data transfers, best practices, governance rules, and other strategic decisions over how personal data is processed.
The regulation allows the data processing agent discretion to
stipulate additional responsibilities and opens the door for future
complementary regulations.
WHAT ARE THE CONTROLLER'S DUTIES?
The controller must:
- Provide resources and autonomy: Supply the DPO with the necessary human, technical, and administrative resources and ensure the DPO has technical autonomy to perform their duties without interference. The DPO must have direct access to leaders and decision-makers involved in strategic data processing decisions, with the freedom to navigate all areas and levels of the organization.
- Seek assistance and guidance: Consult with the DPO on activities and strategic decisions related to data processing.
- Facilitate communication and access: Ensure effective communication channels for data subjects and the ANPD. The DPO's contact information must be prominently displayed and easily accessible on the data processing agent's website and should include:
  - Name:
    - Full name, if a natural person.
    - Corporate name or establishment title along with the full name of the responsible natural person, if a legal entity.
  - Contact details.
  If the data processing agent does not have a website, this disclosure may be made through any other available communication means, preferably those already used for contact with data subjects.
- Compliance with the LGPD: Finally, the data processing agent is ultimately responsible for compliance in data processing and for adequately addressing potential demands from the ANPD and data subjects.
The full text of the regulation is available on the government's website in Portuguese.
© Copyright 2024. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.