ANPD publishes guidance on the role of the Data Protection Officer
On December 19, 2024, the ANPD published a guide complementing Resolution No. 18, on the role of the person in charge of personal data processing, to clarify specific points about the appointment and performance of the Data Protection Officer.
The guide interprets and presents the National Data Protection Authority (ANPD)’s understanding of topics regulated by Resolution CD/ANPD nº 18/2024, which approved the Regulation on the performance of the person in charge of personal data processing (Regulation), a role also known as the Data Protection Officer (DPO).
On the occasion of the Regulation’s publication, Lefosse prepared some informational material to help readers understand the main points of the new Regulation on the role of the Data Protection Officer with analysis and recommendations for companies and entities in the private sector.
Here, we present additional information on the main points presented by the guide, which can impact aspects of corporate data protection governance structures:
1. Guidelines on how the appointment of the Person in Charge should be carried out
According to the Regulation, the appointment of the Person in Charge must be formalized using a formal act, which includes the forms of action and the activities that will be performed by this professional. The guide emphasizes that the formal act does not need to be communicated to the ANPD but must be kept by the organization and presented to the authority when requested.
The guide also includes two document models for appointing the Person in Charge for an individual and a legal entity.
2. Appointment of the substitute Data Protection Officer
The guide recommends that the substitute Data Protection Officer be appointed at the same time as the incumbent. In other words, it is not advisable to appoint the substitute only when the incumbent is absent or impeded. Appointing both together ensures that the role continues without interruption if the incumbent is temporarily or permanently absent.
Nothing prevents a service provider outside the organization from being appointed as an outsourced substitute Data Protection Officer (DPO as a Service), which can be a useful option when no one within the organization is able to take on the role when needed.
3. Profile and performance of the Data Protection Officer
The Regulation establishes, and the guide reinforces, that the Data Protection Officer may be an individual or a legal entity hired by the organization as a service provider. Where a legal entity is appointed, an individual responsible for acting as Data Protection Officer must be designated and disclosed. This person must have full knowledge of the organization’s data protection practices and be able to act autonomously and independently.
Additionally, the guide provides some understanding about the skills expected of the Person in Charge to adequately develop their duties, as indicated below.
(I) Proficiency in Portuguese
- According to the understanding presented in the guide, the Data Protection Officer must communicate efficiently with data subjects and with the ANPD in Portuguese. Although the ANPD recognizes the possibility of the Data Protection Officer working with a data protection team or committee, the guide indicates that the Data Protection Officer must be fluent in Portuguese. In other words, based on the understanding of the guide, it is not advisable to appoint a Data Protection Officer who depends on an interpreter or translator to perform their duties.
(II) Qualifications of the Person in Charge
- The Data Protection Officer must have in-depth knowledge of the LGPD, ANPD standards, and the nature of the data processed by the organization. In addition, the guide indicates that the Data Protection Officer should be familiar with risk management, information security, compliance, and auditing, since these areas are directly related to the protection of personal data. The guide also reinforces that the Data Protection Officer does not need to obtain specific certifications.
4. Situations of conflict of interest
The Regulation already established that the Data Protection Officer could accumulate functions within the organization in the absence of a conflict of interest. However, the Regulation presents a very vague understanding of what could, in fact, be interpreted as a conflict of interest.
The guide, in turn, offers an interpretation of what can be understood as a conflict of interest. It indicates that a conflict exists when the Data Protection Officer accumulates leadership, management or directorship positions responsible for determining the means and purposes of the processing of personal data, since acting in positions of this nature may interfere with the objectivity and technical autonomy that the Data Protection Officer requires.
To avoid this type of conflict, the ANPD suggests in the guide that the Data Protection Officer act within a specific organizational unit, separate from the areas responsible for strategic decisions on data processing. This would ensure that the Data Protection Officer’s decisions are not influenced by conflicting interests.
In this scenario, the outsourced Data Protection Officer hiring model can allow organizations to have a qualified and experienced Data Protection Officer without establishing an internal team dedicated exclusively to these activities. Furthermore, given the multidisciplinary vision of the Data Protection Officer’s performance that the guide presents, an outsourced Data Protection Officer can give organizations access to a broader set of regulatory and technical skills without hiring professionals internally for a center dedicated exclusively to data protection.
5. Other important aspects
- According to the guide, data controllers have a duty to ensure that the Data Protection Officer has the technical and administrative conditions to perform their functions. Among other aspects, it is necessary to ensure that the Data Protection Officer has direct access to strategic managers, can act freely to ensure compliance with the LGPD, and has financial and infrastructure resources proportional to the functions they must perform.
- The guide reiterates that the Data Protection Officer is not legally responsible for the compliance of the organization’s data processing; that responsibility falls on the organization itself.
It is worth noting that the current version of the guide will still be subject to comments and contributions from society. The ANPD informs in the guide itself that it will be updated, as necessary, as new regulations and understandings are published. Suggestions regarding this version can be sent to the ANPD Ombudsman’s Office through the Fala.br platform.
Furthermore, despite the novelty of both the Regulation and the guide, the ANPD has already established inspection processes on the subject, signaling the importance given by the body to the topic, which, in our understanding, is one of the aspects that deserve to be highlighted when updating data protection governance programs.
Our team, which specializes in Technology, Data Protection, and Intellectual Property, closely follows the changes and updates that impact the sector. For further information on this or other topics that may interest you, please contact our team.