Data Protection Officers and Brazil’s General Data Protection Law
Brazilian National Data Protection Authority guidelines have sought to address questions regarding data protection officers
According to the Brazilian Data Protection Law (LGPD), data controllers appoint a data protection officer (Encarregado de Proteção de Dados – DPO), responsible for privacy and data protection issues and for acting as a point of contact for communication with data subjects and the Brazilian National Data Protection Authority (ANPD).
How the LGPD defines DPOs
DPOs play a key role in organizations’ compliance with the LGPD’s provisions, as well as in promoting secure use of personal data and protection of data subjects’ rights. Under the terms of the LGPD, a DPO can be either an individual or legal entity whose activities consist of:
- Accepting complaints and communications from data subjects, providing explanations and adopting necessary measures;
- Receiving communications from the ANPD and adopting related measures;
- Guiding and instructing the data processing agent’s employees and third-party contractors in relation to data protection practices;
- Carrying out other duties as determined by the controller or set forth in complementary rules the ANPD issues in the future.
However, the LGPD does not establish specific criteria for DPOs in regard to the following aspects:
- The DPO’s professional qualifications and expertise;
- The DPO’s nationality or place of residence – therefore, the LGPD does not expressly require the DPO to be based in Brazil;
- The position or role the DPO holds within the organization;
- The language(s) the DPO should be able to communicate in.
ANPD guidelines
In order to address these shortcomings, on May 28, 2021, the ANPD issued its Guidelines on Data Processing Agents and DPOs (available in Portuguese), which established certain non-binding guidelines that data controllers should consider when appointing a DPO. The main aspects of the guidelines are outlined below:
- The DPO may be a natural or a legal person, and may be internal or external to the organization;
- All organizations must appoint a DPO. However, the ANPD has the power to waive this obligation, depending on the nature and size of the entity, or the volume of data processed. In January 2022, the ANPD approved a resolution determining that small processing agents (e.g., micro-enterprises, small businesses, startups, etc.) are not required to appoint a DPO, though it is still considered a good practice;
- The guidelines recommend that DPOs are appointed by a formal act, such as a service agreement or corporate document (e.g., in the minutes of a shareholders’ meeting or board of directors’ meeting);
- The DPO should have the autonomy to freely carry out their duties, though the ANPD has not specified where it would recommend DPOs to be placed within the hierarchy of organizations;
- A data protection team may support the DPO;
- Data controllers may determine professional qualification requirements for their DPOs in line with their organizations’ data protection and information security needs. This is in contrast to other data protection authorities in Europe, which have already defined the specific skills and knowledge they expect of DPOs;
- A single DPO may act on behalf of different entities as long as it is able to carry out its duties effectively. As such, before appointing a DPO, data controllers should assess whether it will be able to handle multiple requests from different entities;
- The DPO is responsible for ensuring the organization complies with the LGPD. However, processing agents (controllers or processors) remain liable for any data processing they carry out.
As these guidelines are non-binding, they may be reviewed by the ANPD at any time, which may also consider contributions submitted by interested third parties. This notwithstanding, the guidelines reveal the ANPD’s current view of the matter, and are also expected to be used when other competent authorities and Brazilian courts interpret and apply the LGPD provisions.
How should the current guidelines be interpreted?
Although they represent an important development in how the LGPD is interpreted, the ANPD’s guidelines are not enough to settle all legal discussions regarding DPO appointments and their respective duties. On the one hand, DPOs’ activities require certain minimum qualifications, expertise and skills – especially those concerning communication, data protection knowledge, and the ability to guide and instruct employees and third parties. On the other hand, other skills and professional qualifications remain unsettled and have been left up to data controllers to judge.
Therefore, in the future, we should expect the ANPD to provide further guidance on several aspects of the LGPD that remain uncertain or vague. Until then, it appears that data processing agents will have to determine what their data governance programs expect of DPOs by considering good practices, as well as sectorial authority and self-regulatory agency regulations.
For further information on the topic, please contact Mattos Filho’s Data Protection & Cybersecurity practice area.