Six years after its enactment and four years after it entered into force, on July 17, 2024, the Brazilian data protection authority, the Autoridade Nacional de Proteção de Dados (ANPD), issued a regulation developing the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais, LGPD) and clarifying the regulatory framework for Data Protection Officers (DPOs) in Brazil (ANPD Resolution No. 18/2024, the “Resolution”).
Article 41 of the LGPD establishes that data controllers must appoint a data protection officer (DPO), details the DPO’s main responsibilities, and requires that the DPO’s identity be made public. It also invites the ANPD to establish complementary rules for the definition and attribution of the person in charge, including cases of exemption from the appointment requirement, depending on the nature and size of the entity or the volume of the data processing operations.
Interestingly, this article is silent on data processors, for whom the appointment does not appear to be mandatory (this differs from the regime of the EU GDPR, established in Article 37).
In this regard, the Resolution provides that all data controllers must appoint a DPO, with the exception of so-called “small-scale” data controllers (as defined in Article 11 of the Regulation on the application of the LGPD to Small-scale Data Controllers, approved by ANPD Resolution No. 2 of January 27, 2022).
It also states that the DPO appointment requires a formal instrument, as opposed to a mere internal designation referred to in the controller’s privacy notices and protocols. This formal instrument must be made available to the ANPD upon request.
Similar to the EU GDPR, the DPO can be either an employee or a contractor of the data controller, can operate on a group-wide basis, and does not take personal responsibility for the controller’s compliance with the LGPD.
However, unlike the situation in many EU jurisdictions, both Article 41 of the LGPD and the Resolution clarify that the identity of the DPO must be disclosed to the public; and where the DPO is a legal entity, its corporate name must be disclosed.
The Resolution does not specify the required qualifications for the appointment of the DPO, only that they must not have a conflict of interest and must have knowledge of data protection law (Article 7 of the Resolution).
The status and duties of the DPO follow those of the GDPR. The Resolution stipulates that the DPO must have the necessary autonomy to perform his or her duties, but does not state that the DPO is protected from being dismissed or punished by the controller for performing those duties (as required by Article 38(3) of the GDPR). The DPO is responsible for, among other things, reporting data breaches, keeping records of processing activities, conducting data protection impact assessments, and ensuring that internal processes and policies comply with the LGPD.