The National Data Protection Authority releases a proposal for a Regulation on the role of the Data Protection Officer, defining issues such as their technical qualifications, the requirement to publish their identity, the prohibition of conflicts of interest and the possibility of having multiple Data Protection Officers.
The Brazilian National Data Protection Authority (ANPD) released on November 7th the draft regulation ("Regulation") regarding the role of the Data Protection Officer ("DPO"). The Regulation clarifies some doubts related to the technical qualification of the DPO, as well as his/her duties and responsibilities. In summary, the draft Regulation establishes the following main points:
- Appointment by Formal Act. Every Data Controller must appoint a Data Protection Officer through a formal act. This means that, starting from the approval of the Regulation, the Data Protection Officer must be formally appointed (through minutes or a similar instrument) by the governing body responsible for such appointment, as provided in the governance policy or similar document of the Data Controller.
- Data Protection Officer for Public Legal Entities. The Data Protection Officer of a legal entity governed by the Law on Access to Information should preferably be a stable public servant with an impeccable reputation.
- Multiple Data Protection Officers. It is possible to appoint more than one Data Protection Officer for the same Data Controller.
- Publicity. The appointment of the Data Protection Officer must be published in an official communication channel.
- Data Protection Officers for Data Processors. The appointment of a Data Protection Officer by Data Processors is not mandatory, but it is considered a good practice for purposes of determining penalties.
- Qualifications. The Data Controller must establish the qualifications of the Data Protection Officer, taking into account the volume and risk of the processing operations carried out.
- Identity and Contact Information on the Website. The identity (full name, if an individual, or legal name, if a legal entity) and contact information (details that enable the data subjects and authorities to contact the Data Protection Officer) of the Data Protection Officer must be kept up to date and disclosed on the Data Controller’s website (in a clear, accurate, and easily accessible location).
- Facilitation of Activities. The Data Controller must (a) provide the necessary means for the Data Protection Officer to perform his/her duties; (b) grant the Data Protection Officer technical autonomy and access to senior management to enable the performance of his/her functions; and (c) provide means for the Data Protection Officer to have a humanized interaction with data subjects and the ANPD.
- Types of Data Protection Officers. The Data Protection Officer can be an individual or a legal entity, an employee or a service provider of the Data Controller.
- Substitute Data Protection Officer. In case of absence, vacancy, or impediment of the Data Protection Officer, a substitute should be appointed.
- Communication. The Data Protection Officer must be able to communicate clearly and in the Portuguese language.
- Certification. There is no requirement for any certification or registration of the DPO with any specific body.
- Accumulation of Positions. It is possible to hold more than one function as long as there is no conflict of interest.
- Functions of the Data Protection Officer. The Data Protection Officer should (a) accept complaints and communications from data subjects and take appropriate actions; (b) receive communications from the ANPD and take appropriate actions; (c) provide guidance to employees of the Data Controller on best practices for data protection; (d) perform other duties as defined, including (i) drafting incident reports; (ii) preparing the record of data processing operations (ROPA); (iii) preparing impact assessments when necessary; (iv) identifying and analyzing potential risks of data processing; (v) defining the necessary security measures for processing; (vi) implementing relevant legislation and best practices related to personal data; (vii) analyzing contractual clauses related to data protection; (viii) implementing international data transfers in an appropriate manner; and (ix) formalizing governance rules regarding the processing of personal data.
- Responsibility. The Data Protection Officer does not have personal liability for the compliance of data processing.
- Conflict of Interest. The Data Protection Officer must inform the Data Controller of any situation that may generate a conflict of interest. A conflict is presumed when the Data Protection Officer is the person responsible for decisions related to data processing.
Any contributions can be made until December 7th through the following link: https://www.gov.br/participamaisbrasil/regulamento-encarregado.