ANPD Publishes Guidelines on the Role of the Data Protection Officer (DPO)
On December 19, 2024, the Brazilian National Data Protection Authority (ANPD) published a supplementary guideline, in Portuguese, to Resolution No. 18, entitled “Role of the Data Protection Officer (DPO)” (“Guidelines”). These Guidelines aim to clarify specific aspects related to the appointment and role of the DPO.
The Guidelines provide ANPD’s interpretation and understanding of issues regulated by Resolution CD/ANPD No. 18/2024, which approved the Regulation on the Role of the Data Protection Officer (DPO) (“Resolution”).
Following the publication of the Resolution, Lefosse has prepared an informational resource to assist in understanding key points of the new Resolution on the DPO’s role, offering analysis and recommendations for companies and private-sector entities.
In this document, we now present additional insights into the primary points outlined in the Guidelines, which may impact data protection governance frameworks:
1. Guidance on the Appointment of the DPO
As per the Resolution, the appointment of the DPO must be formalized through a “formal act” that specifies the scope of duties and activities to be performed by the DPO. The Guidelines clarify that, while this formal act does not need to be submitted to the ANPD, it must be retained by the organization and made available to the authority upon request.
Additionally, the Guidelines provide two document templates for the formal appointment of a DPO: one tailored for individuals and another for legal entities.
2. Appointment of a Substitute DPO
The Guidelines recommend appointing a substitute DPO at the same time as the primary DPO, rather than waiting to designate an individual or entity only in the event of the primary DPO’s absence. This approach ensures the continuity of the DPO’s functions without interruption if the primary DPO becomes temporarily or permanently unavailable.
There are no restrictions on appointing an external service provider as a substitute DPO (referred to as “DPO as a Service”). This option can be particularly useful in scenarios where an internal substitute is not readily available when needed.
3. DPO Profile and Role
The Resolution establishes, and the Guidelines reinforce, that the DPO can be either an individual or a legal entity retained by the organization as a service provider. If a legal entity is appointed, an individual within that entity must be designated as the person responsible for fulfilling the DPO role. This individual must possess comprehensive knowledge of the organization’s data protection practices and be capable of acting autonomously and independently.
Furthermore, the Guidelines highlight key capacities expected from the DPO to effectively perform his or her duties, as follows:
(I) Proficiency in the Portuguese Language
According to the Guidelines, the DPO must be able to communicate effectively in Portuguese with both data subjects and the ANPD. While the ANPD acknowledges that the DPO may collaborate with a data protection team or committee, the Guidelines emphasize the importance of the DPO’s proficiency in Portuguese. Therefore, appointing someone who relies on an interpreter or translator to carry out his or her duties is not advisable.
(II) Qualifications of the DPO
The DPO must have a thorough understanding of the Brazilian General Data Protection Law (LGPD), ANPD regulations, and the nature of the data processed by the organization. Additionally, the Guidelines suggest that the DPO should ideally have expertise in risk management, information security, compliance, and auditing, as these are closely related to data protection. The Guidelines further clarify that specific certifications are not required for the DPO role.
4. Conflict of Interest Situations
The Resolution previously stated that the DPO may hold multiple roles within the organization, provided that there is no conflict of interest. However, it offered limited guidance on which practical situations might result in such a conflict.
The Guidelines now clarify that a conflict of interest arises when the DPO holds senior, managerial, or executive positions responsible for defining the means and purposes of data processing. These roles could undermine the objectivity and technical independence essential to the DPO’s responsibilities.
To prevent such conflicts, the ANPD recommends establishing a “separate organizational unit” for the DPO, distinct from the areas responsible for strategic decisions regarding data processing. This approach would ensure that the DPO’s decisions are not influenced by conflicting interests.
In this context, hiring an external DPO can be an effective solution for organizations, allowing them to benefit from a qualified and experienced professional without requiring the establishment of an internal team solely dedicated to these tasks. Furthermore, from the ANPD’s multidisciplinary perspective, outsourcing the DPO role could offer access to a broader range of regulatory and technical expertise, without the need to hire internal staff focused exclusively on data protection.
5. Other Key Considerations
- The Guidelines state that data controllers must ensure the DPO has the necessary technical and administrative resources to perform his or her duties. This includes making sure the DPO has direct access to strategic decision-makers and autonomy to act freely to ensure compliance with the LGPD. The organization must also provide appropriate financial and infrastructure resources for the DPO to carry out their responsibilities.
- The Guidelines also emphasize that the DPO is not legally responsible for ensuring that the organization’s data processing activities are compliant with the law; that responsibility lies with the organization itself.
It is important to note that the current version of the Guidelines remains open to public comments and contributions. The ANPD has indicated that the Guidelines will be updated as necessary, in response to new regulations and evolving interpretations. Suggestions regarding this version can be submitted to the ANPD through the Fala.br Platform.
Despite the very recent introduction of both the Resolution and the Guidelines, the ANPD has already initiated oversight proceedings on this matter, which shows the authority’s focus on this issue. In our view, this is a key aspect for organizations to consider when updating their data protection governance programs.
Our Technology and Data Protection team is monitoring changes and updates affecting privacy and data protection matters. For further clarification on this or other topics of interest, please contact our team.
Paulo Lilla
paulo.lilla@lefosse.com
+55 11 3024 6490
Mariana Sangoi
mariana.sangoi@lefosse.com
+55 11 3025 3398
Beatriz Becker
beatriz.becker@lefosse.com
+55 11 3024 6100
Julia Ferrari
julia.ferrari@lefosse.com
+55 11 3263 1579
Have a question? Contact our team at marketing@lefosse.com