Brazilian National Data Protection Authority’s guide on the role of the data protection officer
Fabio Alonso Vieira
Kestener Vieira Torronteguy Spegiorin Advogados, São Paulo
fabio.vieira@kvlaw.com.br
Eduarda Mourad Baldavira
Kestener Vieira Torronteguy Spegiorin Advogados, São Paulo
eduarda.baldavira@kvlaw.com.br
Introduction
The role of the data protection officer (DPO) emerged in Brazil with the advent of the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados or LGPD) in 2018. Article 5(VII) of the LGPD defines a DPO as the person appointed by the data controller and operator mainly to act as a communication channel between the data controller, the data subjects and the National Data Protection Authority (Autoridade Nacional de Proteção de Dados or ANPD).
The LGPD expressly establishes the possibility of the ANPD regulating, through complementary rules, the definition and duties of the DPO, including the circumstances in which the DPO may be dismissed, considering the nature and size of the entity or the volume of the data processing operations.
Accordingly, on 16 July 2024, the ANPD published Resolution No 18/2024, outlining the rules on the appointment, duties and activities of a DPO in Brazil. Following the publication of the Resolution, the ANPD published, in December 2024, a complementary guide on the role of the DPO, interpreting and presenting the ANPD’s position on matters addressed by the Resolution.
The guide’s main goal is to assist society with the interpretation of the law and the proper performance of the activities provided for in the LGPD, as well as to serve as an indication of good practices for companies involved in personal data processing.
In this article, we present the key points outlined in the guide that impact the data protection governance structures of companies in Brazil.
The designation of a DPO
The DPO may be an individual, such as an employee of the organisation, or a legal entity contracted for this purpose. Considering that the DPO is the channel of communication between the data subject, the data controller and the ANPD, the guide strictly recommends that the DPO should be able to communicate in Portuguese.
The designation of the DPO must be made through a formal act by the data controller, which should outline the ways of acting and the activities to be performed.
The guide explains that a formal act means a dated and signed document that clearly and unequivocally demonstrates the data controller’s intention to designate a natural person or a legal entity as their DPO.
There is no obligation to inform the ANPD about the designation or to publish the formal designation act on the data controller’s website. However, the data controller must retain this document and present it to the ANPD if requested.
A substitute DPO
DPO absences, impediments or a DPO vacancy should not prevent the exercise of data subjects’ rights or the communication by the business with the ANPD. In these cases, the responsibilities of the DPO must be assumed by a substitute formally appointed by the data controller.
The guide recommends that the appointment of a substitute be made simultaneously with the formal designation of the primary DPO, including their identity and contact information.
The DPO’s profile
In addition to outlining the DPO appointment process, the guide introduces certain desirable characteristics of the individual who should occupy this position.
Although the DPO does not have decision-making authority regarding the processing of personal data, they are responsible for assisting with activities that are typically multidisciplinary and aimed at preserving the privacy and personal data of data subjects.
The LGPD does not specify the profile, knowledge or skills required for fulfilment of the DPO role, thereby granting data controllers greater freedom of choice when considering suitable candidates for the position. However, the Resolution states that the data controller is responsible for defining the professional qualifications required to perform the DPO’s duties, taking into account their knowledge of data protection legislation, as well as the context, volume and risk of the data processing operations carried out by the business.
With regard to the technical capacity of the person required to perform the DPO’s duties, the guide highlights that, in addition to knowledge of personal data protection legislation and the regulations and publications produced by the ANPD, multidisciplinary expertise in areas such as risk management, data management, governance, compliance and auditing and information security can be highly valuable.
Familiarity with the organisation’s core activities is also crucial for fulfilling the DPO’s role, as it enables them to provide more effective guidance to the data controller on best practices for safeguarding personal data and ensuring compliance with the LGPD and ANPD guidelines.
Conflicts of interest
The Resolution defines a conflict of interest as a situation that may compromise, influence or improperly affect the objectivity and technical judgment in terms of the performance of the DPO’s duties.
Given the responsibilities of the DPO, the duty to avoid situations that may lead to a conflict of interest is essential to effectively ensuring the data controller’s compliance with the LGPD.
The guide offers an interpretation of what may be considered a conflict of interest, indicating that such conflicts arise when the DPO holds positions of leadership, management or direction, namely roles responsible for determining the means and purposes of the personal data processing. Holding such positions may interfere with the objectivity and technical autonomy that are essential to the DPO’s role.
To avoid this type of conflict, the ANPD suggests the creation of a ‘separate organisational unit’ for the DPO’s activities, distinct from areas responsible for strategic decisions regarding data processing. This would help ensure that the DPO’s decisions remain independent and unbiased.
Outsourcing the DPO function may also be a way for organisations to rely on a qualified and experienced professional without the need to establish an internal team dedicated exclusively to these activities.
Conclusion
The role of the DPO has become a key element in ensuring the compliance by organisations with data protection laws, especially in regard to the implementation of the LGPD. As highlighted throughout this article, the DPO serves as a channel of communication between the data controller, data subjects and the ANPD. The guidelines provided by the ANPD offer valuable insights into the expectations and operational frameworks for the DPO within Brazilian organisations.
Finally, it is important to highlight that, although they share the same title, the role of the DPO under the LGPD is not identical to that under the European Union’s General Data Protection Regulation (GDPR).
While both frameworks establish the role of the DPO as an essential position in an organisation, the GDPR imposes stricter and more specific requirements in regard to the appointment and qualifications held by the DPO, particularly for large-scale data processors and those handling sensitive personal data.
On the other hand, the LGPD offers more flexibility in defining the necessity and scope of the DPO’s role, allowing organisations to adapt the position to the size of the organisation and the data processing activities involved.
Ultimately, the establishment of a well-defined and qualified DPO within organisations is critical not only for compliance with the LGPD, but also for promoting a culture of privacy and data protection. The DPO’s role, whether internal or outsourced, remains central to safeguarding personal data and ensuring transparency and accountability in regard to data processing activities.