
ANPD regulates the DPO's performance

Since the publication of the General Data Protection Law (LGPD) in 2018, there has been a lot of expectation regarding the regulation of the role of the Data Protection Officer (the famous "DPO"). The regulation was finally published in July 2024 by the National Data Protection Authority – ANPD (Resolução CD/ANPD nº 18, July 16, 2024), bringing very important points about the designation of the person in charge, their duties and legal responsibilities, and about conflicts of interest.

Initially, we must remember that the appointment of a DPO is only not mandatory for microenterprises, small businesses and startups – the so-called "small-scale processing agents". However, if the company engages in activities that pose a high risk to personal data (with intensive use of data, data processing that may affect fundamental rights, or through emerging or innovative technologies – the case of Artificial Intelligence, for example), it must appoint a DPO even if it is considered a small-scale agent – and this can only be discovered through an assessment carried out by a specialized legal consultancy.

For companies required to appoint a Data Protection Officer, there are several precautions that will need to be observed in order to comply with the new rules issued by the ANPD. The first of these precautions concerns the very way in which the DPO is appointed. Under the new rules, it is mandatory that the appointment be made through a written document, dated and signed – a document that must be presented to the ANPD if requested. These formalities must also be observed in the appointment of the substitute who will act in the absence of the DPO (such as during vacations or absences due to health issues). The recommendation from the ANPD is that this "formal act" be, for example, a service provision contract (if the DPO is external to the organization), but it can also be done through an amendment to the employment contract if the DPO is an employee working under the CLT regime.

Furthermore, the company must "establish the necessary professional qualifications for the performance of the duties of the person in charge", which is also recommended to be done through a formal act (such as an internal policy), thus ensuring that a person with adequate knowledge of personal data protection and information security is appointed.

A very important point of the new regulation, by the way, is that it authorizes the DPO to be either an individual (who may be part of the company's staff or external to it) or a legal entity, settling a question regarding the activity of specialized companies offering DPO as a Service.

Regardless of the legal nature of the DPO, the rule requires that their identity and contact information be properly disclosed (preferably on the company's website), with the indication of the full name (if an individual) or the business name and the name of the responsible individual (in the case of a legal entity), in addition to minimal contact information (such as email and phone) that allows the receipt of communications from data subjects or the ANPD.

Regarding the activities of the DPO, the regulation brings a series of new responsibilities, notably to provide assistance and guidance to the company's leadership on:

I – security incident registration and communication;

II – record of personal data processing operations;

III – impact report on personal data protection;

IV – internal mechanisms for supervision and risk mitigation related to the processing of personal data;

V – security measures, technical and administrative, suitable to protect personal data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication or any form of inappropriate or unlawful processing;

VI – processes and internal policies that ensure compliance with Law No. 13.709, of August 14, 2018, and the regulations and guidelines of the ANPD;

VII – contractual instruments that regulate issues related to the processing of personal data;

VIII – international data transfers;

IX – rules of good practice and governance and the privacy governance program, under the terms of article 50 of Law No. 13.709, of August 14, 2018;

X – products and services that adopt design standards compatible with the principles set forth in the LGPD, including privacy by default and limiting the collection of personal data to the minimum necessary to achieve its purposes; and

XI – other activities and strategic decision-making regarding the processing of personal data.

It is clear that there has been a significant expansion of the responsibilities of the DPO, so the choice must necessarily fall on a qualified professional; the common practice of naming an internal collaborator "as a mere formality" is no longer viable. Thus, it becomes even more attractive for companies to consider hiring an external DPO, especially when there is no employee on their own staff with the qualification or availability to perform the tasks of the DPO.

Availability, by the way, is another important factor to be analyzed when appointing the DPO. The new rules require that the DPO avoid any conflicts of interest, which may arise when performing other functions internally within the company, or when the DPO role is combined with functions related to strategic decisions within the organization.

That is why it is always advisable that the DPO be able to dedicate themselves exclusively to activities related to personal data protection (especially when there is a large volume of personal data processed by the company), in order to minimize the risk of conflicts of interest – which may lead to the application of fines or other penalties to the company if detected by the ANPD.

Finally, it is always important to emphasize that, even when a DPO has been appointed, the company remains responsible for the processing and protection of personal data; that is, in case of failures in the performance of the DPO, it is the organization – and not the appointed person – that will be liable for fines or compensation resulting from the misuse of personal data. Thus, the choice of the person in charge must be made with great care, and preferably with the necessary legal support to ensure that it occurs in compliance with the LGPD and the rules of the ANPD.

Luiz Beggiato Junior
Sergio Luiz Beggiato Junior is a lawyer at the Rücker Curi law firm – Advocacy and Legal Consulting.