Brazilian DPA issues guidelines on Data Protection Officers (DPO)

On July 17, 2024, the National Data Protection Authority (ANPD) published the guidelines on the appointment and requirements for the Data Protection Officer (DPO). 

We provide below a summary of the new and most important and aspects introduced by this regulation:

• The appointment of the DPO must be formal, in writing, with other requirements such as signature applicable to the legal instrument;
• The appointment of the DPO is mandatory for controllers and optional for processors and small processing agents (i.e., MEI, ME, EPP, Startups and condominiums, and this exception does not apply to small-sized organization that process sensitive data or carry out high-risk data processing operations);
• The DPO can be an individual or legal entity, internal or external – find out more about DPO as a Service here;
• The identity of the DPO must be publicly disclosed, including his or her full name (if an individual) or company name (if a company), on the organization’s website; it might not be enough to indicate the contact email only;
• Strategic decisions on data protection must be subject to the DPO assessment;
• The DPO must have technical autonomy to make decisions;
• The DPO is not required to have specific education or certification, but the organization may define the required technical qualification required for its DPO, including any specific requirement on education and certification;
• The duties of the DPO include those outlined in the LGPD (Art. 41), such as carrying out internal communication on matters related to privacy and data protection, directing requests from data subjects and the ANPD; in addition, the regulation expressly added other duties such as assisting in incidents, ROPAs, impact assessments, risk management, information security, contracts, international transfer, privacy by design and definition of good practices – in addition to advice on strategic data protection topics, as informed above; and
• Conflicts of interest in the DPO’s activity must be avoided, considering the DPO’s responsibilities within the organization and accumulation of functions.

Important actions to be assessed by organizations:

• Define educational and certification requirements for the DPO;
• Hire an external DPO or appoint an internal DPO – an individual or legal entity;
• Implement or revisit the DPO appointment legal instrument;
• Implement or revisit the DPO responsibility matrix;
• Review organizational processes in which the DPO will be involved, particularly in strategic decisions, communications from data subjects and ANPD, security incidents, and other requirements outlined in the LGPD;
• Publicize the identity with the name of the DPO on the organization’s website; and
• Review possible conflicts of interest.

The complete guideline is available in Portuguese here: https://www.in.gov.br/en/web/dou/-/resolucao-cd/anpd-n-18-de-16-de-julho-de-2024-572632074.

We suggest all clients consider assessing and reviewing the appointments, duties, and governance practices related to Data Protection Officers (DPO).