Brazil: Brazilian Data Protection Authority regulates the role of DPOs

On July 17, 2024, the Brazilian Data Protection Authority (ANPD) published Resolution No. 18/2024 (Resolution), which regulates the role of personal Data Protection Officers (DPOs), created by Law No. 13.709 of August 14, 2018 (General Data Protection Law – LGPD).

The new regulation defines the responsibilities of the data protection officer, establishes guidelines for the disclosure of contact information, and addresses situations of conflict of interest. The appointment of the DPO should be formalized by the data controller, outlining the scope of their role and the activities they will perform.

Appointment and Characteristics of Data Protection Officers

Pursuant to the Resolution, DPOs may be individuals or legal entities, either internal or external to the data controller, and must be formally appointed through a document that clearly outlines their role and responsibilities. In public agencies, the appointment should occur whenever there are personal data processing operations, preferably involving a civil servant or employee with an “unblemished reputation”, and it must be published in the relevant Official Gazette. Additionally, the data controller must prominently display and keep updated the identity and contact information of the DPO on their website in a place that is easily accessible.

Data controllers must provide adequate means for DPOs to perform their duties, ensuring access to organizational leaders and maintaining effective communication channels for data subjects. For small-scale data controllers, the ANPD has waived the requirement for a DPO, provided that an effective communication channel with data subjects is established. In the case of data controllers, the appointment is optional, being considered a “good governance practice policy”.

Activities and Duties of Data Protection Officers

To be appointed as a DPO, the Resolution requires that they communicate clearly with data subjects and with the ANPD in Portuguese, without the need for registration with a specific entity, certification, or specialized professional training. It is incumbent upon the data controller to define the necessary qualifications.

The main activities of DPOs include accepting complaints and communications from data subjects, providing clarifications, taking appropriate measures, receiving communications from the ANPD, advising employees and contractors on personal data protection practices, and carrying out other duties assigned by the data controller or supplementary regulations. 2

Conflict of Interest

The Resolution addresses conflict of interest situations in detail, stipulating that the DPO must act with ethics, integrity, and autonomy. DPOs can hold multiple positions and work for more than one data controller, provided there is no conflict of interest. Conflicts of interest may arise from internal responsibilities or between different data controllers, or from the accumulation of activities involving strategic decisions regarding data processing by the controller.

DPOs must disclose any situation that could constitute a conflict of interest, and the ANPD will assess the existence of such conflicts, with the possibility of applying sanctions as per the LGPD.

Immediate Implementation

The Resolution takes effect immediately, emphasizing the importance of compliance with the LGPD and the need for strict and transparent personal data processing management.

* * * * * * * *

For more information on the above or other matters, please contact Maristela SA Rossetti (mar@rraa.com.br) or Gilberto Rossetti (gmr@rraa.com.br).

This article is based on publicly available information and given for informational purposes only. It is not intended as legal advice foreign subsidiary as a comprehensive analysis of the matters referred to herein.