Last November 07, the Brazilian Data Protection Authority (ANPD) started a public consultation on the regulation of the draft resolution regarding the Data Protection Officer (DPO), which will be open until December 7, 2023, for contributions aimed at supporting the Authority (ANPD) in drafting regulations regarding the role of the Data Protection Officer (DPO).
The role of the Data Protection Officer (DPO) is outlined in article 41 of the General Data Protection Act (LGPD), being the person responsible for mediating dialogue between companies, data subjects and the Authority (ANPD).
According to the General Data Protection Act (LGPD), the activities of the Data Protection Officer (DPO) consist of: (i) accepting complaints and communications from data subjects, providing clarifications and adopting measures; (ii) receiving communications from the Authority (ANPD) and adopting measures; (iii) guiding the company's employees and contractors regarding practices to be taken related to the protection of personal data; and (iv) performing other duties determined by the controller or established in complementary rules. Additionally, the draft resolution establishes complementary duties for the Data Protection Officer (DPO), with the adoption of best practices for the protection of personal data.
The proposed regulation aims to establish complementary rules on the appointment, definition, duties, and performance of the Data Protection Officer (DPO), the details of which are highlighted below.
Appointment:
When it comes to appointment, the controller must appoint a Data Protection Officer (DPO) by means of a formal act, which must be published in an official communication. In the case of small businesses, which are exempt from appointing a Data Protection Officer (DPO), a communication channel must be provided with the data subject and the Authority (ANPD).
Also, depending on the context, volume and types of processed data, the controller may appoint more than one person as Data Protection Officer (DPO). As for data operators, the appointment of a Data Protection Officer (DPO) is optional and will be considered a good governance practice policy.
Additionally, the identity and contact information of the Data Protection Officer (DPO) in charge must be kept up to date and published on the company's website.
After appointment, the Data Protection Officer (DPO) shall receive (i) the necessary means to carry out the duties, including human, technical and administrative resources; (ii) technical autonomy and access to the organization's senior management, for the best performance of their activities; and (iii) a humanized means of assistance with the Authority (ANPD).
Data Protection Officer (DPO)
According to the regulation draft, the Data Protection Officer (DPO) can be either part of the data processor's organizational framework or external to it. If the data processor decides to use an external Data Protection Officer (DPO), a service contract must be executed between the parties. A substitute can be appointed in the event of absences, impediments, or vacancies of the Data Protection Officer (DPO).
With regard to the skills and capabilities to perform his/her activities, there is no obligation for registration with any entity nor the requirement for any certification or specific professional training. Also, the Data Protection Officer (DPO) must be able to communicate with data subjects and the Authority (ANPD) clearly, accurately, and always in Portuguese. In relation with the communication with the Authority (ANPD), it is expressly prohibited for such communication to be implemented exclusively through automated processes.
If the Data Protection Officer (DPO) is part of the organization, such person may accumulate functions. If the Data Protection Officer (DPO) is an external service provider, such person may carry out activities for more than one data processor. In both cases, as long as it is possible to fully comply with the duties related to each data processor and there is no conflict of interests.
Lastly, there are some rules regarding Conflicts of Interest establishing that the Data Protection Officer (DPO) must declare to the data processor any situation that may constitute a conflict of interest, and once the possibility of a conflict of interest has been established, the controller must replace the Data Protection Officer (DPO).
Considering the relevance of the Data Protection Officer (DPO) for the performance of data protection included in the LGPD, it is important to be aware of the updates and changes that the draft resolution regarding the Data Protection Officer (DPO) regulation will have before its implementation by the Authority (ANPD).
Source: