Client Alerts

Brazilian Data Protection Authority publishes guidelines on the role of “Brazilian Data Protection Officer”

December 19th, 2024

On December 19, the Brazilian Data Protection Authority (“ANPD”) published the “Guidelines to the Performance of the ‘Brazilian Data Protection Officer’ as provided for in the LGPD” to assist society in interpreting the Brazilian General Data Protection Law (“LGPD”) and in the effective performance of the activities it establishes.

The guidelines also indicate good practices for personal data processing agents.

Below are the main topics addressed in the guidelines:


“ENCARREGADO” or DPO

  • Although the term Data Protection Officer (“DPO”) is commonly used to define the concept of “encarregado” as provided for in the LGPD, the responsibilities of the “encarregado” and the DPO as provided for in the GDPR are not the same, particularly considering that they originate from different legal systems.


APPOINTMENT OF “BRAZILIAN DPO” AND SUBSTITUTE “BRAZILIAN DPO”

  • The appointment of the “Brazilian DPO” is mandatory for the controller and optional for the processor (although most organizations do perform the controller role, such as in relation to their employees).
  • The guide provides for the possibility of not appointing a Brazilian DPO in the case of small businesses, highlighting exceptions to this rule and the requirement that such small businesses provide a communication channel with the data subject.
  • The Brazilian DPO must be appointed through a “formal act”, but the appointment does not need to be reported to the ANPD or published on the processing agent’s website; it must, however, be kept on file and presented to the authority when requested.
  • This “formal act” may be, for example, an amendment to an employment contract in case the Brazilian DPO is employed by the processing agent.
  • When appointing the Brazilian DPO, the processing agent must consider the organization’s and its employees’ profiles, as well as the benefits and limitations of choosing an individual or a legal entity in each case, in order to make the best possible choice according to its status and the context of the data processing. In addition, the Brazilian DPO must be able to communicate in Brazilian Portuguese.
  • Given that unforeseeable events may lead the appointed Brazilian DPO to vacate their function, it is recommended that a substitute be appointed simultaneously with the formal appointment of the main Brazilian DPO, in order to prevent a sudden interruption of the Brazilian DPO’s activities.
  • The appointment of a substitute must follow the same mandatory procedures as in the appointment of the main officer, in addition to disclosing their identity and contact information.
  • If the Brazilian DPO is a legal entity, a substitute must also be appointed for the individual in charge.


DISCLOSURE OF THE BRAZILIAN DPO’s IDENTITY AND CONTACT INFORMATION

  • The Brazilian DPO’s identity and contact information must be disclosed on the controller’s website. However, if the processing agent does not have this resource available, it can disclose such information through any other communication methods, preferably those commonly used to contact data subjects (including physical communication media in prominent and easily accessible locations).


DETAILS, ACTIVITIES AND DUTIES OF A BRAZILIAN DPO

  • In addition to human, technical, and administrative resources, it is recommended that the processing agent also consider other aspects, such as providing appropriate deadlines, finances and infrastructure for the Brazilian DPO to fulfill their duties.
  • The guide reinforces that, although the Brazilian DPO provides assistance and guidance across several activities, they are not responsible before the ANPD for the controller’s compliance with personal data processing rules.
  • The Brazilian DPO must have technical autonomy and access to those responsible for strategic decisions that may affect or involve personal data processing, as well as to other areas of the organization.
  • In addition to knowledge on data protection legislation and other regulations published by the ANPD, a Brazilian DPO will also benefit from acquiring multidisciplinary knowledge regarding risk management, data management and governance, compliance and auditing, and information security.
  • The Brazilian DPO does not need to be registered with the ANPD, private associations or have any specific certifications to perform their role.
  • The guide also brings insights and recommendations regarding the Brazilian DPO’s role established in the LGPD and CD/ANPD Resolution No. 18, of June 16, 2024. The ANPD recommends, for example, that the Brazilian DPO participate in the creation of the internal privacy policy and the privacy notice aimed at the external public, and that they assist the processing agent in analyzing data protection contractual clauses and in complying with international transfer requirements.


CONFLICTS OF INTEREST

  • The Brazilian DPO must perform their role autonomously and must not perform any other duties that may result in conflict of interest, such as activities that involve strategic decision-making by the controller regarding personal data processing.
  • There is no conflict of interest, however, if such decision-making concerns personal data processing directly related to the Brazilian DPO’s own duties.
  • In general, conflicts of interest happen when the Brazilian DPO accumulates management positions that involve decisions regarding the means and goals of personal data processing, such as in sectors in charge of managing human resources, information technology, finances, or health. This is because accumulating these roles can interfere with the objectivity and technical autonomy required to perform their activities.
  • The Brazilian DPO can work in more than one organization, but it is necessary to assess, depending on the economic sector involved, the type of processing performed, or the nature of the organizations, whether the concurrent activities will affect the objectivity and technical judgment of the Brazilian DPO in scenarios involving conflicting decisions, the exchange of privileged or strategic information, among others.
  • A good practice to mitigate conflicts of interest is creating an internal organizational unit, separate from any other that makes strategic decisions related to personal data processing within the organization.


Demarest’s Privacy, Technology and Cybersecurity and Telecommunications, Media and Technology (TMT) teams are available to provide any further clarifications.