The National Data Protection Authority (ANPD) approved and published, on Tuesday (07/16), the Regulation on the role of the Data Protection Officer - CD_ANPD Resolution No. 18, of July 16, 2024, published on the Brazilian Official Gazette (DOU) of July 17, 2024 - a role created by the General Data Protection Law (LGPD) with the purpose of acting as a communication channel between the controller, data subjects, and the ANPD.
The ANPD determined that the indication of the Data Protection Officer must be made by a formal act of the processing agent, stating the forms of action and the activities to be performed, understanding as formal the written, dated, and signed document that, in a clear and unequivocal manner, demonstrates the intention of the processing agent to designate a natural or legal person as the data protection officer. This document may be requested by the ANPD, in accordance with the Regulation. The document reinforced that, for processors, the indication is optional, but will be considered as a good governance practice for those who do so.
Furthermore, the ANPD reinforced the exemption from the need for small processing agents to appoint a Data Protection Officer, although it is necessary to provide a communication channel with the data subject.
The Regulation left it up to the processing agent to establish the professional qualifications necessary to perform the duties of the position and emphasized the need to disclose the Data Protection Officer’s name and contact details for communications with data subjects, preferably on the agent’s website or any other means of communication usually used to contact data subjects, for those who do not have a website. With regard to legal entities governed by public law, it was determined that the nomination should preferably be of public servants or employees with an unblemished reputation, and it must be published on the Official Gazette.
The Regulation also determines the characteristics of the Data Protection Officer, their activities and duties, in addition to highlighting that the Data Protection Officer is not held responsible before the ANPD for the compliance of the processing of personal data carried out by the controller.
Furthermore, the ANPD added the definition of conflict of interest, which was defined as “a situation that may compromise, influence or improperly affect the objectivity and technical judgment in the performance of the data protection officer’s duties”.
Regarding conflict of interests, the Regulation indicates the cases in which it may be configured and states that, if present, it may give reason to the application of a sanction to the processing agent. The Data Protection Officer must declare to the agent any situation that may constitute a conflict so that legal measures can be taken, as determined by article 21 of the Resolution.
The Technology, Media, and Telecommunications team of Azevedo Sette Advogados remains available for any clarifications.