Advancing its regulatory agenda for the 2023-2024 biennium, Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados, published the regulation on the role of the data protection officer.
The regulation — the draft of which received 1,129 contributions during a one-month public consultation — was anticipated under Brazil's General Data Protection Law.
It aims to clarify aspects of a role that, until the LGPD's enactment, did not exist in Brazil's legal framework. Though most privacy professionals may be familiar with the DPO role as defined by other national privacy laws, Brazil's new regulation contains specifics that require attention by those working with organizations subject to the LGPD.
Nature, requirements of the role
When it comes to the nature of the DPO, the regulation did not surprise. Consistent with the ANPD's past position and common practice in Brazil since the LGPD's enactment, it stipulates the role of DPO can be performed by a natural person, whether a member of the organization's staff or not, or by a legal entity.
Additionally, it clarifies that the role does not require registration with any entity nor any specific certification or formal education, which aligns with the approach taken by most organizations in recent years.
The regulation does introduce, however, an explicit requirement that the DPO must be able to communicate with the ANPD and data subjects in Portuguese. While this can be seen as a natural consequence of the fact that communication with these stakeholders is one of the DPO's main tasks, and that Brazil's official language is Portuguese, the ANPD did not clarify whether the DPO must be able to communicate in the language themselves or whether they can rely on someone else, like a team member or a professional translator, to comply.
Conflicts of interest
DPOs are permitted to take on additional roles and serve in the position for more than one organization, provided it does not lead to a conflict of interest ― defined as a situation that could compromise, influence or improperly affect the objectivity and technical judgment in the performance of the DPO's duties.
While the regulation addresses the issue more briefly than other jurisdictions ― the EDPB's guidelines providing examples of roles likely to result in conflicts of interest, for example ― it does further clarify that a conflict of interest can arise in the context of a DPO's duties within a single organization, particularly involving activities that may require critical decision-making over the processing of personal information, or when a DPO serves multiple organizations.
Finally, the regulation also stipulates organizations must ensure their DPOs have technical autonomy to perform duties, and not "independence" as in the context of the EU General Data Protection Regulation. It also states a confirmed conflict of interest can result in sanctions to the organization.
Mandatory designation
Under the regulation, all organizations acting as a controller must designate a DPO. Exemptions are only granted for small-scale controllers, as defined by the ANPD's regulation on small-scale controllers and processors. Instead, organizations acting as small-scale controllers must maintain a channel to receive requests and communications from data subjects.
Organizations acting exclusively as a data processor are also not required to designate a DPO. However, both processors and small-scale controllers are incentivized to have a DPO as it is good practice that can contribute to the reduction of monetary fines issued by the ANPD.
It's also important to note that, in case of absences, impediments or vacancies, organizations must designate a substitute DPO, ensuring the response to data subjects' requests and the ANPD's communications are not negatively impacted.
Formalities of the designation
Organizations must designate the DPO through a formal act describing the DPO's duties, which must be provided to the ANPD upon request.
Participants in the public consultation questioned this requirement as the draft of the regulation did not clarify what would constitute a formal act. The regulation's final version states a formal act is a written, dated and signed document that clearly demonstrates the organization's intent to designate a DPO.
Organizations are also required to make publicly available, and keep up to date, the DPO's identity and contact details on their website or any other means normally used to communicate with data subjects.
The regulation further states the DPO disclosure must include at least the individual's full name or the name of the legal entity. This mandatory requirement was significantly criticized during public consultation and differs from guidance provided by other supervisory authorities, including the EDPB and U.K. Information Commissioner's Office, which determined disclosure of the DPO's name is optional.
Responsibilities of the DPO
The LGPD established that the DPO must serve as the communication channel between the controller, data subjects and the ANPD. The regulation further details duties already provided under the LGPD, namely receiving and acting upon communications from data subjects and the ANPD, and providing guidance to organizations and staff regarding data protection.
For example, the regulation stipulates that the DPO's duty to guide the organization may include topics like data breach notification, records of processing activities, data protection impact assessments, and cross-border data transfers.
It also clarifies that the DPO is not personally liable for the controller's processing of personal information.
Organizations' responsibilities
Organizations must grant the DPO the technical autonomy necessary to perform outlined duties, including providing direct access to the highest-ranking individuals within the organization. The DPO must also have the necessary resources, both in terms of head count and technical and administrative support.
Finally, organizations must request the DPO’s assistance with activities involving personal information processing, and ensure data subjects have effective means to communicate with the DPO and exercise the rights provided under the LGPD.
Moving forward
While the regulation provided much clarity on the role of the DPO under the LGPD, some grey areas still require additional guidance from the ANPD moving forward.
To that effect, privacy professionals may be interested in the first ANPD Meeting of Data Protection Officers: Promoting Data Protection. The 1 Aug. hybrid meeting aims to be a recurring forum bringing together different sectors to discuss activities pertaining to the role of DPO.
Guilherme Peretti, CIPP/E, CIPP/US, CIPM, FIP, CDPO/BR, is associate director, privacy and data protection at Organon & Co.