Brazilian Data Protection Authority begins inspection of 20 companies for lack of Data Controller and adequate communication channel

Brazilian Data Protection Authority begins inspection of 20 companies for lack of Data Controller and adequate communication channel

On December 13, the Brazilian Data Protection Authority (BDPA) began an inspection process involving 20 large companies that failed to indicate the contact person for the processing of personal data, as required by Article 41 of the General Personal Data Protection Law (LGPD). According to the provision, “the controller must appoint a person in charge of the processing of personal data”, and in this way, the BDPA indicates that the inspection aims to ensure that the companies notified comply with the legal requirements, regularizing the appointment of a person in charge or a functional communication channel.

According to Art. 41, § 1 of the LGPD, the identity and contact information of the person in charge must be publicly disclosed in a clear and objective manner, preferably on the controller’s website. Paragraph 2 also lists the activities of the person in charge, which are: I – to accept complaints and communications from data subjects, provide clarifications and adopt measures; II – to receive communications from the national authority and adopt measures; III – to guide the entity’s employees and contractors regarding the practices to be taken in relation to the protection of personal data; and IV – to carry out other duties determined by the controller or established in complementary rules.

Paragraph 3 of the article also states that the national authority may establish complementary rules on the definition and duties of the person in charge, including the possibility of waiving the need for their appointment, depending on the nature and size of the entity or the volume of data processing operations. In this sense, the BDPA states that the supervisory measure also extends to organizations that, “in addition to not providing an adequate communication channel to serve data subjects, offer channels that are not effective, making it difficult to exercise rights such as access, correction and deletion of personal data”.

Likewise, the authority points out that the measure is part of the so-called Monitoring Cycle, an instrument that evaluates the actions carried out in the monitoring of a given period, and is aligned with the Priority Themes Map 2024-2025, which aims to guarantee the rights of data subjects as one of the central axes of action of the BDPA.

Of the organizations notified, all are private companies, whether startups, multinationals or publicly traded companies listed on the stock exchange. They also cover various economic sectors, such as technology, telephony, education, health, transportation and retail. The authority concludes by stating that, if irregularities on the part of the companies persist, they may be subject to administrative sanctioning proceedings, which include the application of penalties provided for in Article 52 of the LGPD, such as warnings and fines. The full list of inspected organizations can be accessed on the BDPA website.

The original article, published by the BDPA, can be accessed via this link: ANPD fiscaliza 20 empresas por falta de Encarregado e canal de comunicação adequado