November 09, 2023
Brazilian Data Protection Authority Issues Draft Regulation on Data Protection Officers
The Brazilian Data Protection Authority (“ANPD”) published a draft order on the role of a Data Protection Officer (DPO). Appointing a DPO is mandatory for data controllers under the Brazilian General Data Protection Law (LGPD), with some exceptions for organizations considered as small business (see our Legal Update on this category of data controller). The draft is open to public consultation until 7 December 2023.
According to the draft, a DPO may be either a natural or a legal person, and must be appointed through a specific formal act (such as an agreement, minutes of a shareholder/board meeting, or a power of attorney)—it is likely, though not explicitly stated, that this appointment must be publicized. A DPO may be a group of people, such as a privacy committee. If the DPO is absent for any reason, a deputy must be formally designated to fill the role, in order to ensure there is no impact on the fulfilment of data subjects’ requests. A formal publication of this deputy’s appointment would likely also be required.
Pursuant to the draft, legal or natural persons may serve as DPO to different controllers, as long as there is no conflict of interest between any of them.
The DPO’s full name and contact information must remain prominent and easily accessible on the controller’s website.
Notably, data processors may also appoint a DPO, although this is not required by the draft regulation. Nonetheless, having a DPO will be a valuable privacy governance practice, and will be taken into account by the ANPD while assessing severity of violations and applying sanctions.
Regarding professional qualities, the draft requires that DPOs be knowledgeable about privacy and data protection, as well as able to fulfill all tasks provided for in the LGPD. Also, the DPO must be able to communicate in Portuguese with the data subjects and the ANPD. No other requirements to serve as DPO were addressed in the draft regulation.
Controllers (or processors, if they have appointed a DPO) must secure technical autonomy for the DPO, who must have access to the board. In addition, controllers must provide a way to allow the DPO to perform humanized assistance to data subjects and the ANPD – it is still uncertain, from the draft, exactly what “humanized assistance” with the ANPD would entail.
Regarding the DPO’s tasks, the draft regulation reinforces those already established in the LGPD:
(i) receive and fulfill complaints and requests from data subjects, (ii) receive and fulfill communications and orders from the ANPD, (iii) advise employees and vendors on how they should handle personal data, and (iv) any other activity established by the controller or processor.
Further, the draft assigns nine additional tasks to DPOs: (i) prepare notifications related to information security incidents, (ii) maintain records of processing activities, (iii) carry out data protection impact assessments, (iv) identify and assess the risks related to any given personal data processing activity, (v) determine the security controls, both technical and organizational, to be implemented by the organization, (vi) implement the LGPD and any guidance from the ANPD, and adopt best practices regarding the protection of personal data, (vii) analyze contractual clauses with third parties related to the protection of personal data, (viii) handle international transfers of personal data, and (ix) create and implement best practices and governance rules, as well as those related to the organization's privacy governance program.
The draft regulation also subjects the DPOs to professional confidentiality with respect to the personal data they access while performing their tasks.
According to the draft regulation, it is extremely important that there be no conflict of interest for DPOs while performing their tasks. Under the draft, a conflict occurs when the DPO is responsible for deciding on any material aspect (e.g., purpose, categories of personal data or data subjects, retention period) of any processing activity carried out by the corresponding organization. DPOs must let the organization know if any conflict of interest arises—indeed, DPOs must declare any conflict under penalty of law. Organizations will likely request such declarations from DPOs from now on.