The Activities and Duties of the Data Protection Officer (DPO) are Finally Regulated

August 7, 2024

The National Data Protection Authority (ANPD) published Resolution CD/ANPD #18/2024, dated July 16, 2024, which sought to fill an important gap in detailing the activities of the Data Protection Officer and the responsibilities of data processing agents that support their activities.

1. Definitions of Data Protection Officer and Data Processing Agents

According to the General Data Protection Law (LGPD) and the aforementioned Resolution, the Data Protection Officer is the person appointed by the Controller and the Processor to act as the communication channel between the Controller, the data subjects and the ANPD.

Data processing agents are divided into two key roles: the Controller and the Processor. The first one, the Controller, is the natural or legal person, of public or private law, who is responsible for decisions regarding the processing of personal data. The Processor is the natural or legal person, of public or private law, who processes personal data on behalf of the Controller.

2. Duties of the Data Processing Agents

According to Resolution CD/ANPD #18/2024, the Data Processing Agents, and not the Data Protection Officer, are the ones responsible for compliance in personal data processing. Their duties are:

Duties of the Data Processing Agents

1. Providing the necessary means for the Data Protection Officer to perform their duties, including human, technical, and administrative resources;

2. Requesting the assistance and guidance of the Data Protection Officer when performing activities and making strategic decisions related to personal data processing;

3. Ensuring the Data Protection Officer has the technical autonomy to perform their duties without undue interference, especially regarding guidance on data protection practices;

4. Ensuring the data subjects have swift, effective and adequate means to communicate with the Data Protection Officer and to exercise their rights;

5. Ensuring the Data Protection Officer has direct access to the highest hierarchical levels within the organization, to those responsible for making strategic decisions affecting or involving personal data processing, and to other areas of the organization.

3. Identity and Contact Information of the Data Protection Officer

The data processing agent must disclose and keep updated the identity and contact information of the Data Protection Officer, which must be easily accessible, clearly visible, and prominently displayed on the data processing agent’s website. In the absence of a website, the data processing agent may disclose the identity and contact information of the Data Protection Officer through any other available communication channels, especially those usually used for contact with data subjects.

When the Data Protection Officer is a natural person, their full name must be disclosed. If the Data Protection Officer is a legal entity, (i) the corporate name or trade name and (ii) the full name of the responsible natural person must be disclosed.

Regarding personal information, at least the data necessary to facilitate communication with the Controller and to ensure the receipt of communications from the ANPD must be disclosed.

4. Activities and Duties of the Data Protection Officer

The activities of the Data Protection Officer are as follows:

Activities of the Data Protection Officer

1. Accepting complaints and communications from data subjects, providing clarifications and taking appropriate measures;

2. Receiving communications from the ANPD and taking the necessary measures;

3. Advising the staff and contractors of the data processing agent regarding data protection practices;

4. Performing other duties as determined by the data processing agent or established in supplementary regulations.

Upon receiving communications from the ANPD, the Data Protection Officer must take the necessary measures to respond to the request and to provide relevant information, including:

When Receiving Communications from the ANPD

1. Internally forwarding the request to the appropriate units;

2. Providing the necessary guidance and assistance to the data processing agent;

3. Explicitly designating the representative of the data processing agent before the ANPD for participation in administrative processes when this role is not performed by the Data Protection Officer themselves.

The Data Protection Officer also has the following additional duties in assisting the personal data processing agent:

Duties of the Data Protection Officer

1. Recording and reporting security incidents;

2. Keeping records of personal data processing operations;

3. Compiling data protection impact assessments;

4. Implementing internal oversight and risk mitigation mechanisms related to personal data processing;

5. Implementing technical and administrative security measures to protect personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication, or any form of inappropriate or unlawful processing;

6. Establishing internal processes and policies to ensure compliance with Law #13,709, of August 14, 2018, and the ANPD regulations and guidelines;

7. Drafting contractual instruments governing issues related to personal data processing;

8. Handling international data transfers;

9. Implementing good practices and governance rules, and privacy governance programs, pursuant to the provisions of Article 50 of Law #13,709, dated August 14, 2018;

10. Designing products and services that are compatible with the principles set forth in the LGPD, including Privacy by Design and minimizing personal data to only what is strictly necessary for their purposes;

11. Other activities and strategic decisions related to personal data processing.

5. Conflict of Interests involving the Data Protection Officer

Resolution CD/ANPD #18/2024 establishes that conflicts of interest occur:

1. Between the duties performed internally within a data processing agent or in the exercise of the Data Protection Officer’s activities for different data processing agents; or

2. When combining the activities of the Data Protection Officer with other roles involving strategic decision-making about personal data processing by the Controller, except for operations inherent to the duties of the Data Protection Officer.

The Data Protection Officer is required to conduct their duties with ethical integrity and to maintain technical independence. They may accumulate functions and perform their activities for more than one data processing agent, provided that it is possible to fully meet their duties towards each data processing agent and as long as there is no conflict of interest. If a conflict of interest exists, it may lead to the imposition of sanctions on the data processing agent pursuant to Article 52 of Law #13,709, of August 14, 2018.

The Data Protection Officer must voluntarily declare any conflict of interest to the data processing agent. Likewise, the data processing agent must not allow the Data Protection Officer to perform duties that entail a conflict of interest. If a potential conflict is identified, the data processing agent must take the following actions, as applicable:

Hypotheses Applicable to Conflict of Interest

1. Not appointing the person to perform the role of Data Protection Officer;

2. Implementing measures to mitigate the risk of conflict of interest; or

3. Replacing the designated person performing the role of Data Protection Officer.

6. Inclusion of the Data Protection Officer in the Brazilian Classification of Occupations (CBO)

It is important to note that the profession of Data Protection Officer was included in the Brazilian Classification of Occupations (CBO), established by Ordinance #397, on October 10, 2002. Although the CBO does not have the power to regulate a profession, as it catalogs both regulated professions and those freely exercised, it serves as a starting point to give visibility to this function.
