Since the publication of the General Data Protection Law (LGPD) in 2018, there has been much expectation regarding the regulation of the role of the Data Protection Officer (the famous “DPO”). The regulation was finally published in July 2024 by the National Data Protection Authority (CD/ANPD Resolution no. 18, of July 16, 2024), bringing very important points about the designation of the DPO, their responsibilities and legal duties, and conflicts of interest.
Initially, we should remember that the appointment of a DPO is not mandatory for micro-enterprises, small businesses and startups, the so-called “small-scale processing agents”. However, if the company carries out high-risk activities involving personal data (intensive use of data, data processing that may affect fundamental rights, or the use of emerging or innovative technologies, such as Artificial Intelligence), it must appoint a DPO even if it is considered a small-scale agent, and this can only be determined by means of an assessment carried out by a specialized legal consultancy.
For companies required to appoint a DPO, there are several precautions that must be observed in order to comply with the new rules issued by the ANPD. The first of these concerns the very way the DPO is appointed. Under the new regime, the appointment must be made through a written, dated and signed document, which must be presented to the ANPD upon request. These formalities must also be observed when indicating the substitute who will act during the absences of the DPO (such as holidays or sick leave). The ANPD further recommends that this formal act address the nature of the relationship with the DPO, who may, for example, be an employee or a service provider acting under a contract.
In addition, the company should establish the professional qualifications necessary for the performance of the duties of the DPO, which is also recommended to be done by means of a formal act (such as an internal policy), thus ensuring that a person with adequate knowledge of personal data protection and information security is appointed.
A very important point of the new regulation is that it authorizes the DPO to be either an individual (who may be part of the company's staff or external to it) or a legal entity, settling the doubt regarding the role of companies specialized in DPO as a Service.
Regardless of the legal nature of the DPO, the rule requires that their identity and contact information be disclosed appropriately (preferably on the company website), indicating the full name (if an individual) or the business name and the name of the responsible natural person (in the case of a legal entity), in addition to minimum contact information (such as email and telephone) that allows the receipt of communications from data subjects or the ANPD.
Regarding the activities of the DPO, the regulation assigns a series of new duties, notably to provide assistance and guidance to the company leadership on:
I. recording and reporting security incidents;
II. the record of personal data processing operations;
III. the impact report on the protection of personal data;
IV. internal mechanisms for supervision and mitigation of risks related to the processing of personal data;
V. technical and administrative security measures capable of protecting personal data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication or any form of improper or unlawful processing;
VI. compliance with Law no. 13,709, of August 14, 2018, and the regulations and guidelines of the ANPD;
VII. contractual instruments governing matters related to the processing of personal data;
VIII. international data transfers;
IX. rules of good practice and governance and the privacy governance program, pursuant to article 50 of Law no. 13,709, of August 14, 2018;
X. products and services that adopt design standards consistent with the principles set forth in the LGPD, including privacy by default and limiting the collection of personal data to the minimum necessary for the achievement of its purposes; and
XI. other activities and strategic decision-making related to the processing of personal data.
It is clear that there was a great expansion in the responsibilities of the DPO, so that the choice must necessarily fall on a trained professional; the common practice of appointing an internal employee “as a mere formality” is no longer possible. Thus, it becomes even more attractive for companies to evaluate hiring an external DPO, especially when there is no employee on their own staff with the qualification or availability to perform the tasks of the DPO.
Availability, moreover, is another important factor to be analyzed when appointing the DPO. The new rules require that the DPO avoid any conflicts of interest, which may arise when they perform other functions internally in the company, or when they combine the functions of the DPO with those related to strategic decisions within the organization.
Therefore, it is always recommended that the DPO be able to dedicate themselves exclusively to activities related to the protection of personal data (especially when there is a large volume of personal data processed by the company), in order to reduce the risk of conflicts of interest as much as possible (which, if detected by the ANPD, may lead to fines or other penalties being imposed on the company).
Finally, it is always important to note that, even if a DPO is appointed, the company remains responsible for the processing and protection of personal data; that is, in case of failures in the performance of the DPO, it is the organization, and not the person appointed, who will be liable for fines or indemnities arising from the misuse of personal data. Thus, the choice of the DPO must be carried out with great care, and preferably with the legal support necessary to ensure that it happens in accordance with the LGPD and the rules of the ANPD.

