

July 22, 2024

Issuance of Regulation on the Role of the Data Protection Officer

On July 17, 2024, the National Data Protection Authority (ANPD) published Resolution CD/ANPD No. 18/2024, which approved the Regulation on the Role of the Data Protection Officer (DPO).

We summarize below the main provisions set out by the Regulation:

Appointment of the DPO

  • The DPO’s appointment shall consider the DPO’s knowledge of the data protection legislation, as well as the context, volume and risk of the processing activities carried out by the organization
  • The appointment is mandatory for controllers (except for Small Processing Agents) and optional for processors, for whom it will be considered a good governance practice
  • It must be formalized by means of a formal act, which may be requested by the ANPD
  • A formally designated substitute DPO shall perform the duties in the event the DPO is absent, impeded or the position is vacant

About the DPO

  • Either an individual or a legal entity
  • Either an internal member of the organization or an external service provider (individual or legal entity)
  • Identity (as well as contact information) disclosed in an easily accessible location on the organization’s website
    • If the DPO is an individual – full name
    • If the DPO is a legal entity – corporate name and full name of the individual responsible within the legal entity
  • Freedom from undue interference and access to high level management of the organization
  • Ability to communicate clearly and precisely with the data subjects and the ANPD, in Portuguese
  • The organization (and not the DPO) is responsible vis-à-vis the ANPD for the legal compliance of its processing activities

Conflict of interests

  • Conflicts of interest must be avoided and reported by the DPO to the organization
  • Conflicts of interest are the situations that may compromise, influence or affect, in an improper manner, the DPO’s objectivity and technical judgement
  • Such situations may arise from the accumulation of the DPO’s activities with others, including those that involve strategic decision-making on the processing of personal data
  • Conflicts of interest may lead to sanctions against the organization

The Regulation establishes duties additional to those set forth in the LGPD, such as assisting and guiding the organization in:

(i) the registration and reporting of data breaches;

(ii) the definition and implementation of policies and internal processes that ensure compliance with the LGPD; and

(iii) implementing Privacy by Design for the organization’s products and services, among other duties.

With the entry into force of the Regulation, it is essential that organizations review their practices regarding the DPO to ensure compliance with the new provisions.

Our Privacy and Data Protection team is prepared to guide and assist our clients in relation to the appointment, role and function of the DPO, among other topics. For more information, please contact the team’s leaders, Adriano Chaves and Marcia Issler Mandelbaum.

