On July 17, 2024, the Brazilian Data Protection Authority (“ANPD”) published Resolution CD/ANPD nº 18, dated July 16, 2024, which approved the Regulation on the role of the Data Protection Officer (“DPO”). Its main provisions are summarized below.
1. Appointment by Formal Act. Every Data Controller (“Controller”) must appoint a DPO, either an individual or a legal entity, through a formal act (a written, dated, and signed document), which the ANPD may request.
2. Identity and Publicity. The DPO’s identity (full name, if an individual, or company name, if a legal entity) and contact information enabling data subjects and authorities to reach the DPO must be kept up to date and disclosed on the Controller’s website, in a clear, precise, and easily accessible location. Controllers without a website must disclose the DPO’s identity and contact information through any other available communication channels, especially those commonly used to contact data subjects.
3. Alternate DPO. In case of absence, vacancy, or impediment of the primary DPO, an alternate must be formally designated.
4. DPOs for Processors. Appointment of a DPO by Data Processors (“Processors”) is not mandatory but is considered a best practice.
5. Qualifications. The Controller must define the professional qualifications required of the DPO, taking into account knowledge of data protection legislation as well as the context, volume, and risk of the processing activities performed.
6. Facilitation of Activities. The processing agent must (a) provide the DPO with the necessary means to perform his/her duties; (b) seek assistance and guidance from the DPO when carrying out activities and making strategic decisions related to data processing; (c) ensure the DPO has the technical autonomy needed to fulfill his/her activities; (d) ensure data subjects have swift, effective, and appropriate means to communicate with the DPO and exercise their rights; and (e) provide the DPO with direct access to the highest hierarchical levels within the organization.
7. Types of DPO. The DPO may be an individual or a legal entity, and either an employee or a service provider of the processing agent.
8. Communication. The DPO must be able to communicate clearly and in Portuguese.
9. Certification. No specific certification, nor registration with any particular body, is required of the DPO.
10. DPO Functions. The DPO will be responsible for (a) accepting complaints and communications from data subjects, providing clarifications, and taking appropriate actions; (b) receiving communications from the ANPD and taking necessary actions; (c) guiding employees and contractors of the processing agent on good data protection practices; (d) performing other duties defined by the processing agent or supplementary regulations; (e) assisting and guiding the processing agent in the development, definition, and implementation, as appropriate, of (i) incident communication; (ii) Record of Processing Activities ("ROPA"); (iii) Data Protection Impact Assessment (“DPIA”), when necessary; (iv) risk mitigation measures considering potential processing risks; (v) necessary security measures for data protection; (vi) internal policies compliant with the LGPD and ANPD regulations and guidelines; (vii) contractual clauses related to data protection; (viii) international data transfers; (ix) governance rules and best practices on data processing; (x) products and services that adopt privacy by design and by default; and (xi) other strategic decisions related to data processing.
11. Responsibility. The DPO is not personally liable for the processing agent’s compliance with data protection obligations.
12. Cumulative Roles. The DPO may hold multiple roles and perform duties for more than one processing agent, provided he/she can fully meet his/her responsibilities related to each processing agent and there is no conflict of interest.
13. Conflict of Interest. The DPO must declare, and the processing agent must avoid, situations that constitute conflicts of interest, including conflicting internal duties or duties at different processing agents, as well as combining DPO activities with other activities involving strategic decision-making on data processing. Whether a conflict of interest exists is assessed case by case and may result in penalties for the Controller. If a conflict of interest is identified, the Controller must (i) not appoint the person as DPO; (ii) take measures to eliminate the risk of conflict of interest; or (iii) replace the designated person.
The Cescon Barrieu Technology and Data Protection team remains available to assist you with topics related to personal data protection.