Brazil’s Data Protection Authority releases guidance on data protection officer responsibilities and duties

Hogan Lovells
[Author: Julio Cesar Alves]

On July 16, 2024, the National Data Protection Authority (ANPD) published Resolution No. 18/2024 (Resolution 18) outlining rules on the appointment, definition, duties and activities of a Data Protection Officer (DPO) in Brazil. It is essential that companies and DPOs understand and implement these guidelines to ensure compliance with the General Data Protection Act (LGPD) and new ANPD regulation.


Introduction

ANPD has at last published Resolution 18, outlining rules on the appointment, duties and activities of a DPO in Brazil. Resolution 18 offers much-needed guidance for companies, data privacy professionals, and data privacy-related services, e.g., insurance companies. This article aims to provide practical and accessible information to ensure that companies and their DPOs are well-informed and prepared to perform their roles in accordance with current legislation and regulation.


Appointment of a Data Protection Officer (DPO)

The appointment of a DPO must be accomplished through a formal corporate action, consisting of a written, dated and signed document clearly demonstrating the intention of the data controller or processor (together, “processing agents”) to designate a DPO. Processors are not obliged to appoint a DPO. However, if they do, ANPD will consider this a good governance practice, which can serve as a mitigating factor in sanctions proceedings. Small processing agents such as micro-enterprises, small businesses, and startups are exempt from appointing a DPO but must provide a communication channel for data subjects.

A company's DPO can be an individual or a legal entity. The identity and contact information of the company's DPO must be publicly disclosed, clearly and prominently, on the processing agent's website. If the DPO is a legal entity, the company must provide the legal entity's name and the name of the person within the entity who will undertake the DPO responsibilities.

Resolution 18 requires that the DPO be able to communicate clearly and precisely with data subjects and the ANPD in Portuguese.


Substitute

In the event of a DPO's absence, unavailability, or vacancy, a formally appointed substitute must assume the role. This ensures that the rights of data subjects are protected and communications with ANPD are not hindered.


Conflicts of interest

A DPO must be free from conflicts of interest. They should not be in any situation that could compromise, influence, or improperly affect their objectivity and technical judgment in performing their duties.

DPOs are permitted to hold multiple roles and perform activities for more than one data processing agent, provided they can fully meet their responsibilities for each processing agent and there is no conflict of interest.


Duties of Processing Agents

Companies must comply with three main duties to ensure that a DPO can fulfill his/her duties and obligations:

  • Necessary Resources: Provide the necessary means (human, technical and administrative) for the DPO to perform his/her duties.

  • Technical Autonomy: Ensure the technical autonomy of the DPO, free from undue interference.

  • Access: Guarantee the DPO direct access to senior management and strategic areas of the company.


Activities and Duties of a DPO

There are no specific registrations or certifications required to perform the DPO role. The appointing controller has discretion to determine the professional qualifications of its DPO, taking into account whether the DPO's knowledge of data protection and information security appropriately matches the company's personal data processing requirements (see ANPD's Guide to Processing Agents, available in Portuguese). These are the three main activities and duties of a DPO:

  • Interactions with Data Subjects and ANPD:

    • Accept complaints and communications from data subjects, provide clarifications and take appropriate actions, and

    • Receive and respond to communications from ANPD.

  • Internal Guidance: Guide employees and contractors on data protection practices.

  • Implementation of Regulations:

    • Record and report security incidents,

    • Keep records of data processing operations,

    • Prepare data protection impact assessments,

    • Define technical and administrative security measures,

    • Conduct internal oversight and mitigate risks related to data processing, and

    • Develop processes and policies to ensure compliance with LGPD and ANPD regulations.
