Brazilian Data Protection Authority launches guide on the role of the data protection officer

January 13, 2025

The Brazilian Data Protection Authority (ANPD) recently published a guide entitled “The role of the data protection officer”, complementing Resolution CD/ANPD No. 18 of July 16, 2024, which regulates the role of the data protection officer. This professional is responsible for mediating communication between data subjects, the companies or organizations that process their data, and the ANPD. The aim of the guide is to provide clear guidelines for hiring a data protection officer (DPO) and for carrying out the DPO's activities, ensuring that they act in accordance with Law No. 13709/2018, the General Personal Data Protection Law (LGPD).

The material frequently uses the terms “data subject”, “controller” and “operator”, which are precisely defined in Article 5 of the LGPD. According to the law: the data subject is the natural person to whom the personal data refer; the controller is the natural or legal person, whether governed by public or private law, who makes the decisions about data processing; and the operator is the natural or legal person who carries out the data processing on behalf of the controller. The law refers to the operator and the controller collectively as “processing agents”.

In addition, the guide points out that Article 41 of the LGPD requires the controller to appoint a person responsible for the processing of personal data, the DPO. For example, in the case of a private company in the home health care sector that uses its patients’ health data (controller) and then shares it with its unit responsible for issuing follow-up reports (operator), the controller must appoint a DPO.

Another important point addressed is Resolution CD/ANPD No. 2, of January 27, 2022, whose Article 11 establishes that small processing agents are exempt from appointing a DPO, except in the following cases: agents that process high-risk personal data; agents that obtain gross revenue of more than R$ 4.8 million per calendar year (or R$ 16,000,000.00 in the case of startups); and agents belonging to economic groups whose global revenue exceeds these limits. It should be noted that even when exempt, small agents must guarantee a communication channel with data subjects.

In the public sector, the appointment of the DPO can be made by the institution’s highest authority or delegated, in accordance with administrative legislation, and must be published in the Official State Gazette. For private agents, communicating the appointment to the ANPD is not mandatory, and the appointment can be made by the competent manager by means of a Formal Act, a model of which is available in the guide. The DPO can be an individual (such as an employee of the organization) or a legal entity hired for this role, and must be able to communicate fluently in Portuguese.

The material also addresses the duties of the controller, such as disclosing the identity and contact details of the DPO in an accessible place, so that data subjects can exercise their rights; ensuring the necessary resources for the performance of the functions of the DPO; and ensuring their access to those responsible for strategic decisions related to the processing of personal data.

It is desirable for the DPO to have knowledge of data protection, risk management, governance, compliance and information security. This is due to their responsibilities, described in Article 41, paragraph 2, of the LGPD and specified in the guide, which include guiding and advising the controller on issues related to the protection of personal data, as well as responding to complaints and communications from data subjects.

Among the main duties of the DPO, established by paragraph 2 of Article 41 of the LGPD, are: accepting complaints and communications from data subjects, providing clarifications and adopting appropriate measures; receiving communications from the ANPD and adopting the necessary measures to meet its requests, internally forwarding the demands to the competent units and providing guidance to the processing agent; guiding the processing agent’s employees and contractors on personal data protection practices; and assisting in the creation and implementation of internal processes and policies that ensure compliance with the LGPD. The guide emphasizes that the DPO does not have the power to make decisions about the processing of personal data, as these decisions are the sole responsibility of the controller.

Finally, the guide illustrates situations in which there may be a conflict of interest in the role of the DPO, such as holding certain positions cumulatively or working for more than one organization. To avoid such conflicts, it recommends evaluating the economic sector, the type of processing and the nature of the organizations involved. The ANPD also suggests creating an organizational unit dedicated exclusively to the processing of personal data, ensuring that the DPO can act without influence from other areas.

The guide can be accessed via the link: The role of the data protection officer

Note: For quick release, this English version is provided by automated translation without human review.
