New ANPD Guide on the DPO

February 06, 2025

At the end of December 2024, the Brazilian Data Protection Authority (ANPD) published its guide on the Data Protection Officer (DPO). The document provides important guidance on the duties of this role and clarifies the appointment rules established in the DPO Regulation, which ANPD published in July 2024.

Within companies and organizations, the DPO is the focal point for data protection matters and the communication channel between data subjects, processing agents, and ANPD. The most common activities of the role include receiving and handling complaints and communications from data subjects and from ANPD, and providing guidance to employees and contractors on the data protection practices adopted by the organization, in addition to other duties assigned by the processing agent.


In this context, we present below some guidelines and clarifications outlined in ANPD’s guide:


Who must appoint a DPO?


All data controllers must appoint a DPO. Processors are not legally required to do so, but ANPD recommends that every processing agent, whether controller or processor, appoint a DPO as a good governance practice.


In which cases are agents exempted from appointing a DPO?


The exemption from appointing a DPO is restricted to small processing agents, namely micro-enterprises, small businesses and startups, as well as individuals and unincorporated private entities. This exemption does not apply, however, when the agent: (i) carries out high-risk processing; (ii) earns gross revenue above the legal thresholds for this category, which are, for small businesses, annual gross revenue greater than BRL 360,000.00 and equal to or less than BRL 4,800,000.00 and, for startups, gross revenue of up to BRL 16,000,000.00 in the previous calendar year, or BRL 1,333,334.00 multiplied by the number of months of activity in the previous calendar year when fewer than 12; or (iii) belongs to an economic group, in fact or in law, whose global revenue exceeds those thresholds.


Who can appoint the DPO?


For private processing agents, the person with authority to do so under the company's articles of organization or incorporation. At government agencies and entities, the highest authority of the institution or its delegate, in accordance with applicable legislation.


Is a formal act necessary?


Yes, the DPO must be appointed by means of a written, dated and signed document, which clearly and expressly designates the DPO. Such document must be presented to ANPD upon request.


Should information about the DPO, such as full name or corporate name, be published?


Yes. The DPO's identity (full name or corporate name) must be published together with contact details, in easily accessible digital media such as the website and other channels used to communicate with data subjects and, depending on the context of the processing, also in physical media such as signs, displays and brochures.


Is the Portuguese language mandatory?


Yes. The DPO must be able to communicate clearly with data subjects, data controllers and ANPD, so the role must be performed in Portuguese.


Can conflict of interest rule out the appointment of the DPO?


Yes. The DPO must perform the role autonomously and cannot take part in strategic decisions about personal data processing. For that reason, the DPO cannot hold leadership, management or director positions, nor positions in human resources, information technology, finance or health.


In December 2024, ANPD launched an inspection process targeting 20 large companies that had failed to designate a DPO contact or to establish an adequate communication channel for data subjects' inquiries. Companies and organizations must therefore stay informed about the appointment rules and the DPO's duties: awareness is essential to avoid non-compliance with the legal and regulatory standards established by ANPD and the inspection processes and sanctions that may follow. The complete ANPD guide can be accessed here (Portuguese only).

Publication produced by our Cybersecurity & Data Privacy