On December 19, 2024, the Brazilian Data Protection Authority (“ANPD”) published its Guide on the Role of the Data Protection Officer (“DPO”). The document complements ANPD’s Regulation on the subject, issued on July 16, 2024, providing detailed guidance to assist stakeholders in interpreting the law and regulation and properly performing the DPO’s responsibilities, serving as a reference for best practices in data protection management.
The Guide highlights key aspects of DPO designation, role and responsibilities. Notable points include:
- Eligibility: the DPO can be an individual or a legal entity but should not be a team or department within the organization. If the controller relies on a third-party vendor or an internal team to provide DPO services, a specific individual must still be assigned as the DPO.
- Location: while the Guide does not mandate that the DPO must be located in Brazil, it underscores the need for proficiency in Portuguese to ensure effective communication with data subjects, the controller, and the ANPD. This requirement may discourage the appointment of international or regional DPOs.
- Designation process: DPOs must be formally appointed by an appropriate company official, as per the company’s articles of incorporation. The designation must outline the DPO’s role and activities in a documented act, which must be retained and presented to the ANPD upon request. The Guide includes a model document to assist controllers with the designation process.
- Substitute: in cases of absence or vacancy, a formally designated substitute must ensure the DPO’s responsibilities are fulfilled without disruption. The substitute should ideally be designated concurrently with the primary DPO, rather than only after the position becomes vacant.
- Information to be disclosed: the DPO’s identity and contact information – such as email address and phone number – must be clearly published on the organization’s website. For individuals, their full name must be disclosed. For legal entities, the entity’s name, along with the full name of the responsible individual, should be provided.
- Conflicts of interest: the DPO must act autonomously and cannot hold roles that create conflicts of interest, such as positions involving strategic decision-making related to the processing of personal data by the controller. According to the Guide, conflicting positions are observed when the DPO holds leadership, managerial, or executive roles responsible for determining the means and purposes of personal data processing, such as those in human resources, information technology, finance, or health departments. While a DPO may serve multiple organizations, potential conflicts and the DPO’s ability to perform duties effectively must be assessed.
Organizations are encouraged to review the Guide carefully to align their practices with these updated recommendations.
Our team has been assisting clients in compliance with privacy and data protection legislation and is closely monitoring all new developments in this matter. For further information, e-mail us at info@lickslegal.com.