On July 17, the Brazilian National Data Protection Authority (ANPD) published Resolution CD/ANPD n. 18/24, which establishes the regulation on the performance of the Data Protection Officer (DPO). The approved text was long awaited and brings important points that entities must consider. We present the main points below.
Internal or external DPO
The resolution confirms the consolidated market practice of having an external DPO, by providing that the person in charge may be an individual (a member of the processing agent's own staff or an external person) or a legal entity. This is the model known as "DPO as a Service": instead of appointing an internal employee, the company hires a third party (an individual or a legal entity).
Several professionals, consultancies and law firms currently offer this type of service. Even so, in our view the ideal, whenever feasible, is for the person in charge to experience the company's day-to-day operations, interacting with its departments and people, in order to better understand the organization's processes and products.
Disclosure of the identification of the person in charge
The resolution expressly determines that the identification data of the person in charge must be made available on the company's website. It is not enough to have a contact channel: the person in charge must be identified by full name, in the case of individuals. In the case of legal entities acting in the "DPO as a Service" format, the corporate name or trade name must be presented, as well as the full name of the responsible individual.
This point may become a subject of debate, since it is understandable that professionals and companies may not feel comfortable disclosing these details, not least because doing so exposes the individual.
Conflicts of interest
Any situation that may affect the DPO's judgment in the exercise of the function will be characterized as a conflict of interest, which may result in a specific sanction by the ANPD. What was, at most, a good practice therefore becomes a point requiring close attention in governance.
Companies must carefully evaluate the nominees in order to detect the existence or nonexistence of conflicts of interest in the performance of the function.
One of the best ways to accomplish this is to conduct the analysis on a case-by-case basis, bearing in mind the employee's position, rank, status, internal duties, technical autonomy, accumulation of activities, budget ties, remuneration profile and decision-making power, among other aspects.
It is recommended that the processing agent study and document its assessment and decision, and be ready to account for them.
Appointment of DPO and his or her substitute by formal act
The resolution reaffirms the obligation of companies that use (process) personal data in their activities as controllers (i.e., that make decisions about such data) to appoint a DPO. This obligation is already expressly provided for in article 41 of the Brazilian General Data Protection Act (LGPD).
The new rule also requires the appointment of a substitute, who will fulfill the duties in the DPO's absence. Companies need to record the appointment of both in a formal act, that is, a written, dated and signed document that demonstrates, in a clear and unequivocal manner, the processing agent's intention to designate the person in charge.
This document may be requested whenever the ANPD deems it necessary, such as in cases of security incident notifications (in line with Resolution CD/ANPD n. 15/24).
The appointment must therefore be drafted in a format tailored to each organization. In other words, it is not enough to copy and paste the text of articles 15 and 16 of Resolution CD/ANPD 18/24, which deal with the activities and duties of the DPO. It is necessary to formulate and set out the specific functions of the person in charge within the given corporate governance structure.
With this, the ANPD wants to avoid appointments that are merely formal or made only in specific situations (for example, hastily, after an incident). Such attitudes highlight the agent's lack of ongoing commitment to a culture of privacy.
We emphasize that the act of appointment does not need to be published; rather, it must be registered and kept on file by the company. The disclosure requirement refers only to the identification of the person in charge, both the principal and the substitute. It is advisable that the information about the person in charge be reachable in no more than three clicks on the company's website.
Greater detail of the activities and duties of the function
The resolution details which activities and duties must be performed by the DPO. For example, the DPO's responsibility for essential aspects of recording and reporting incidents, conducting risk assessments and providing guidance on data protection in commercial contracts signed by the company stands out.
The list is extensive, and the regulator expects companies to be prepared to meet it in their planning and protocols. Documents and evidence that detail and support the good performance of the person in charge are a strong way for the company to prove its commitment.
The responsibilities of the person in charge include:
- receive complaints and communications from data subjects, provide clarifications and adopt appropriate measures;
- receive communications from the ANPD and adopt measures;
- guide the processing agent's employees and contractors on the practices to be taken in relation to the protection of personal data;
- perform the other duties determined by the processing agent or established in complementary rules; and
- provide assistance and guidance on topics related to the protection of personal data, which includes the recording and reporting of security incidents, risk assessments, internal processes and policies, commercial contracts, international data transfers and good governance practices.
As already mentioned, it is relevant that these activities be aligned with the specific reality of the corporation's practice and governance.
Designation of the DPO
So-called small-sized processing agents (such as micro-enterprises, small businesses, startups and entities without legal personality) are exempt from the obligation to appoint a DPO. These agents, however, need to have an efficient channel to serve data subjects and the ANPD.
It is worth remembering that not every small-sized agent will be exempt from the appointment. The specific situations of Resolution CD/ANPD n. 2/22 were maintained. Companies, regardless of size or type, remain required to appoint a principal and a substitute person in charge if they:
- carry out high-risk processing for data subjects, or have gross revenue higher than the limit established in article 3, II, of Complementary Law 123/06 or, in the case of startups, in article 4, paragraph 1, I, of Complementary Law 182/21; or
- belong to an economic group, de facto or de jure, whose overall revenue exceeds the limits mentioned above.
Controller Commitment
The new regulation also reinforces the expectation that controllers commit to the good performance of the function. To do this, companies must be able to demonstrate that:
- they offer the ways and means necessary for the performance of these activities;
- effectively engage the person in charge in the organization's routines;
- ensure the professional's technical autonomy; and
- give professionals direct access to senior leadership.
With the regulation, privacy and data protection governance programs gain new contours. It is relevant for companies to reassess their structures, policies and practices to ensure that their program meets the new requirements.
Our Digital Law and Data Protection team is available to conduct and support measures to comply with the new regulation.