New DPO Regulation in Brazil


The Brazilian National Data Protection Authority (ANPD) published Resolution CD/ANPD No. 18 on 17 July 2024, establishing comprehensive guidelines for Data Protection Officers (DPOs).

Key Provisions:


    • Appointment: The regulation mandates a formal appointment process for DPOs, requiring a clear, documented act by data controllers or processors. Small-scale organizations are exempt but must still provide a communication channel for data subjects.

    • Roles and Responsibilities: DPOs must interact with data subjects and the ANPD, provide internal guidance on data protection practices, and ensure compliance with data protection laws. Their specific duties include:


        • Accepting and addressing complaints and inquiries from data subjects.

        • Receiving and acting upon communications from the ANPD.

        • Advising employees and contractors on data protection practices.

        • Managing data breach incidents and guiding the organization on data protection practices.

        • Assisting in creating and implementing internal data protection policies, conducting impact assessments, and establishing data security measures.

    • Public Disclosure: Data controllers must publicly disclose the DPO’s identity and contact information on their websites or other accessible means. This information must be kept up-to-date and prominently displayed. Note – under GDPR only contact details and not identity need to be disclosed.

    • Support and Resources: Data controllers are required to provide necessary resources, including human, technical, and administrative support, to enable DPOs to fulfill their duties. They must guarantee the DPO’s autonomy and ensure they can perform tasks without undue interference.

    • Transparency and Communication: Controllers must ensure the DPO has access to senior management and is involved in strategic decisions involving data protection. They must maintain open lines of communication with data subjects and the ANPD, ensuring the DPO’s contact information is easily accessible.

    • Conflict of Interest: DPOs must avoid conflicts of interest and disclose any potential conflicts to their employers. They can serve multiple organizations if they can fulfill their responsibilities without conflicts. DPOs must act ethically, with integrity and technical autonomy, avoiding situations that could compromise their objectivity. Controllers must ensure the DPO does not engage in activities that create a conflict of interest and must implement measures to address any potential conflicts.

    • Compliance and Accountability: Data controllers are responsible for the compliance of data processing activities with the LGPD. They must oversee and support the DPO in maintaining records of data processing activities, ensuring data processing agreements meet legal standards, and implementing data protection policies and procedures.

Implementation

The resolution took effect on the date of its publication. Data controllers and processors must review and update their practices to align with these new requirements.

You can find the regulation here.
