New ANPD resolution sets out rules for DPO work

DPO

In July 2024, the National Data Protection Authority (ANPD) approved Resolution CD/ANPD No. 18, a significant milestone in the regulation of data protection in Brazil. This crucial regulation came to detail the role of the Data Protection Officer (DPO), complementing the General Data Protection Law (LGPD).

The main points include:

Appointment of the DPO

The new resolution establishes that the appointment of the DPO must be formalized by means of a written document, dated and signed by the processing agent, thus guaranteeing a formality that reinforces the seriousness of the role.

However, small companies are exempt from appointing a DPO, but must nevertheless offer an efficient channel of communication with data subjects, ensuring that their rights are not neglected.

Public disclosure

The identity and contact information of the controller must be publicly disclosed and kept up to date in a clear and objective manner on the website of the processing agent or by other available means of communication.

Duties and autonomy

The responsibilities of handling agents are also broadly outlined. They must provide the necessary resources for the controller to carry out their duties effectively, including a fast and efficient communication channel for data subjects.

In addition, it is crucial that the officer has technical autonomy and access to strategic decisions and high-level members within the organization.

Preventing conflicts of interest

Another aspect addressed by the resolution is the prevention of conflicts of interest. The DPO must maintain an ethical and upright stance, avoiding situations that could compromise their technical autonomy.

If there is a potential conflict, measures must be taken to mitigate the risks or, if necessary, replace the person appointed. The formalization of a substitute is recommended in cases of absence or conflict of interest.

Resolution CD/ANPD 18 provides a detailed framework for the role of the personal data controller, as well as addressing previous gaps in legislation, especially the exemption for small processing agents, emphasizing the importance of robust data protection governance practices.

Companies and public bodies now have a clear guide to prepare officers to carry out their duties effectively and in compliance with the LGPD, representing a significant advance in data protection in Brazil.

Companies must adapt to this resolution to ensure compliance with the LGPD and avoid potential legal problems.

If you have any questions on the subject, our corporate team is available to answer them.

Share on social media