Navigation

ANPD releases Resolution on the Data Protection Officer (DPO)

Friday, 26th july 2024

ANPD publishes resolution on the role of the Data Protection Officer (DPO)

On July 17th, the Brazilian National Data Protection Authority (“ANPD”) published Resolution No. 18/2024, which approves regulation on the role of the Data Protection Officer (DPO). 

The new regulation establishes detailed provisions on the appointment, identity, contact information, definition, attributions, and activities performed by the DPO, pursuant to Section 41 of the General Personal Data Protection Law (“LGPD” - Law No. 13,709/2018), as well as defines situations characterized as conflicts of interest and provides the processing agents´ duties to ensure the proper exercise of the activities of the DPO. 

The main aspects of Resolution No. 18/2024 are the following:

  • Appointment of the DPO: the appointment must be done by a formal act of the processing agent, dated and signed, indicating the forms of action and activities that will be performed by the DPO.
  • Identity and contact information:  the processing agent must disclose and keep the identity and contact information of the DPO updatedin a prominent and easily accessible location on the website of the processing agent. If the DPO is an individual, their full name must be disclosed. If the DPO is a legal entity, the corporate name or the title of the establishment, as well as the full name of the natural person responsible, must be disclosed.
  • Characteristics of the DPO:  the DPO can be either an individual or a legal entity. DPO must be able to communicate with the data subjects and with the ANPD, clearly and precisely, and in Portuguese language. The exercise of the activity does not require registration with any class entity, certifications, or specific professional training.
  • Activities of the DPO: the regulation establishes the following main attributions of the DPO: (i) accepting the data subjects´ complaints and adopting the appropriate measures for response and decision-making; (ii) receiving communication from the ANPD and adopting the appropriate measures for response and decision-making; (iii) guiding employees and contractors regarding best practices to be observed in relation to personal data; (iv) perform the other duties determined by the processing agent or established in other relevant rules.
  • Conflicts of interest: the DPO may accumulate functions or provide services to several processing agents, if the DPO is able to fulfill all the corresponding duties without causing conflicts of interest between the functions or the processing agents and the decision-making on data processing. The existence of a conflict of interest will be verified in the specific case and may lead to the application of a sanction to the processing agent under the terms of Section 52 of the LGPD. The DPO must declare to the processing agent any situation that may constitute a conflict of interest, being responsible for the veracity of the information provided.
  • Processing agent´s duties: the regulation establishes the following main duties of the processing agent: (i) providing the necessary resources for the DPO develops the activities; (ii) requesting the assistance and guidance of the DPO to carry out activities and strategic decisions related to the processing of personal data; (iv) ensuring technical autonomy for the DPO to develop the activities; (v) ensuring effective and adequate means for the communication of the data subjects with the DPO; and (vi) guaranteeing the DPO direct access to decision-makers in the organization.
  • Processors: the appointment of a DPO by a processor is optional, but this appointment is considered a good governance practice.
  • Responsibility towards the ANPD: although the regulation establishes several obligations of the DPO, the document expressly provides that the DPO is not responsible before the ANPD for the compliance of the data processing carried out by the controller and processor.

NNB Advogados has a team highly specialized in privacy and data protection, being qualified to assist companies in advisory and litigious demands. To learn more about how we can assist you, please contact us.