The new regulation outlines the responsibilities of the Data Protection Officer, emphasizing the importance of compliance with the LGPD
On July 17, the Brazilian Data Protection Authority (ANPD) published the regulation on the role of the Data Protection Officer (DPO).
According to the Federal Law no. 13,709/18 (Brazilian Data Protection Law or LGPD), the DPO is defined as "the person designated by the controller and processor to act as a communication channel between the controller, the data subjects, and the Brazilian Data Protection Authority."
The new regulation provides detailed provisions regarding the role of the Data Protection Officer and the duties of the data processing agents to ensure the proper exercise of the DPO's functions. Among the provisions, the following points stand out:
Appointment by formal act: The appointment of the DPO must be made by a formal act of the data processing agent, indicating the form of action and the activities to be performed by the DPO. The document must be written, dated, and signed, in a clear and unequivocal manner, to demonstrate the data processing agent's intention to appoint as DPO a natural person or a legal entity.
Disclosure of the identity and contact information of the DPO: The data processing agent must disclose — in a clear and accessible manner — and keep updated the identity and contact information of the DPO, whether an individual or a legal entity. If a legal entity is appointed as the DPO, the corporate name or trade name of the establishment, as well as the full name of the individual responsible, must be disclosed.
Duties of data processing agents: Among the duties of data processing agents are (i) providing the necessary resources to the DPO, (ii) seeking their assistance and guidance for carrying out activities and strategic decisions related to the processing of personal data, (iii) ensuring the technical autonomy of the DPO, (iv) ensuring effective means for communication between data subjects and the DPO, and (v) ensuring that the DPO has direct access to decision-makers within the organization. Furthermore, the regulation emphasizes that data processing agents are responsible for compliance in the processing of personal data.
Activities and responsibilities: The regulation lists a series of duties for the DPO, which include, for example, (i) accepting complaints and communications from data subjects, providing clarifications, and taking appropriate measures; (ii) receiving communications from the ANPD and taking action; (iii) guiding the employees and contractors of the data processing agent regarding practices to be adopted in relation to personal data protection. Additionally, the DPO must guide and assist the data processing agent with activities such as: recording and communicating security incidents, documenting the records of processing activities (RoPA), preparing data protection impact assessments (DPIA), and implementing technical and administrative security measures to protect personal data and manage international transfers.
No specific technical qualifications required: In line with the clarifications made by the ANPD in the past year, the regulation reaffirms that performing the role of DPO does not require registration with any entity or any specific certification or professional training.
Conflicts of interest: The DPO may hold multiple roles and perform their duties for more than one data processing agent, provided there is no conflict of interest, meaning any situation that could compromise, influence, or affect the objectivity and technical judgment in the performance of their duties. In these cases, the regulation establishes that the DPO must inform the data processing agent about the situation, being responsible for the truthfulness of the information provided. Accordingly, it will be up to the data processing agent to (i) not designate the person to perform the role of DPO; (ii) implement measures to eliminate the risk of a conflict of interest; or (iii) replace the person designated to perform the role of DPO. It is also important to emphasize that non-compliance with these obligations may result in sanctions being applied by the ANPD.
Responsibility towards the ANPD: Despite the significant responsibilities assigned to the DPO, the regulation stipulates that exercising these functions does not confer on the DPO the responsibility, towards the ANPD, for the compliance of personal data processing carried out by the controller.
Considering the new regulation, we recommend that our clients reassess the current practices related to the DPO and their activities to ensure compliance.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.