
ANPD regulates the DPO's performance

Since the publication of the General Data Protection Law (LGPD) in 2018, there has been much anticipation regarding the regulation of the Data Protection Officer's (the famous "DPO") role. The regulation was finally published in July 2024 by the National Data Protection Authority – ANPD (Resolution CD/ANPD No. 18, of July 16, 2024), bringing very important points about the designation of the data protection officer, their duties and legal responsibilities, and conflicts of interest.

Initially, we must remember that the appointment of a DPO is not mandatory for micro-enterprises, small businesses and startups – the so-called "small-scale processing agents". However, if the company engages in high-risk processing of personal data (intensive use of data, processing that may significantly affect the fundamental rights of data subjects, or processing through emerging or innovative technologies, such as Artificial Intelligence), it must appoint a DPO even if it is considered a small-scale entity. Whether a given activity qualifies as high-risk is not always obvious and calls for a careful assessment, ideally carried out with specialized legal support.

For companies required to appoint a Data Protection Officer, there are several precautions that must be observed in order to comply with the new rules issued by the ANPD. The first of these concerns the very way in which the DPO is appointed. Under the new system, the appointment must be made through a written, dated and signed document, which must be presented to the ANPD if requested. The same formalities apply to the designation of the substitute who will act during the DPO's absences (such as vacations or health-related leave). The ANPD's recommendation is that this "formal act" be, for example, a service provision contract (if the DPO is external to the organization), but it can also be done through an addendum to the employment contract if the Data Protection Officer is an employee working under the CLT regime (the Brazilian labor code).

Furthermore, the company must “establish the professional qualifications necessary to perform the duties of the person in charge”, which is also recommended to be done through a formal act (such as an internal policy), thus ensuring that a person with adequate knowledge of personal data protection and information security is appointed.

A very important point of the new regulation is that it authorizes the DPO to be either a natural person (who may be part of the company's staff, or external to it) or a legal entity, settling the doubt about whether companies specialized in DPO as a Service may act in that role.

Regardless of the legal nature of the DPO, the rule requires that the DPO's identity and contact information be disclosed appropriately (preferably on the company's website), indicating the full name (if an individual) or the company name and the name of the responsible individual (in the case of a legal entity), in addition to minimum contact information (such as email and telephone) that allows the receipt of communications from data subjects or the ANPD.

Regarding the DPO's activities, the regulation assigns a series of new duties, notably to provide assistance and guidance to the company's leadership on:

I – recording and reporting of security incidents;

II – record of personal data processing operations;

III – the data protection impact report (relatório de impacto à proteção de dados pessoais);

IV – internal mechanisms for supervising and mitigating risks relating to the processing of personal data;

V – technical and administrative security measures capable of protecting personal data from unauthorized access and accidental or unlawful destruction, loss, alteration, communication or any form of inadequate or unlawful processing;

VI – internal processes and policies that ensure compliance with Law No. 13,709, of August 14, 2018, and ANPD regulations and guidelines;

VII – contractual instruments that regulate issues related to the processing of personal data;

VIII – international data transfers;

IX – rules of good practices and governance and privacy governance program, pursuant to art. 50 of Law No. 13,709, of August 14, 2018;

X – products and services that adopt design standards compatible with the principles set forth in the LGPD, including privacy by default and limiting the collection of personal data to the minimum necessary to achieve their purposes; and

XI – other activities and strategic decision-making regarding the processing of personal data.

There has been a significant expansion in the responsibilities of the DPO, so the choice must necessarily fall on a qualified professional; the common practice of appointing an internal employee "as a mere formality" is no longer acceptable. It therefore becomes even more attractive for companies to consider hiring an external DPO, especially when no employee on their own staff has the qualifications or the availability to perform the duties of the Data Protection Officer.

Availability, by the way, is another important factor to consider when appointing the DPO. The new rules require the DPO to avoid conflicts of interest, which may arise when the DPO performs other roles within the company, particularly when the role is combined with functions that involve strategic decisions about the processing of personal data within the organization.

Therefore, it is always recommended that the DPO be able to dedicate themselves exclusively to activities related to the protection of personal data (especially when the company processes a large volume of personal data), in order to minimize the risk of conflicts of interest, which may lead to the application of fines or other penalties to the company if detected by the ANPD.

Finally, it is always important to emphasize that, even if a DPO is appointed, the company remains responsible for the processing and protection of personal data. In case of failures in the DPO's actions, it is the organization, and not the appointed person, that will be liable for fines or damages resulting from the misuse of personal data. Thus, the appointment of the DPO should be made with great care, preferably with the necessary legal support to ensure it complies with the LGPD and the ANPD regulations.

Luiz Beggiato Junior
Sergio Luiz Beggiato Junior is a lawyer at the Rücker Curi law firm – Law and Legal Consulting.