ANPD issues Regulation on the Data Protection Officer’s (DPO) role in processing personal data
On July 17, 2024, the National Data Protection Authority issued Regulation CD/ANPD No. 18/2024, which approved the rules on the Data Protection Officer’s (DPO) role in processing personal data.
The Regulation consolidates essential clarifications on the circumstances and procedures for appointing the DPO and on the DPO’s duties. Below, we highlight some of the relevant provisions.
Who should appoint a DPO?
Regulation CD/ANPD No. 2 of January 27, 2022, had already indicated that the appointment of a DPO for small processing agents is not mandatory. Regulation No. 18 further specifies that the appointment is also optional for those who act solely as processors. In both cases, appointing the DPO is considered a good governance practice.
The appointment is mandatory for all other processing agents — i.e., controllers who are not classified as small processing agents. Hence, Resolution 18 is important.
Requirements for the appointment
Private entities: The DPO’s appointment must be made by a formal act, equivalent to a written document, dated and signed, outlining the procedures to be followed and the activities to be carried out.
Legal entity governed by public law: The DPO’s appointment must be published in the Official Gazette.
In the event of absence, impediment, or vacancy, a formally appointed substitute must assume the DPO’s position.
Disclosure of the DPO’s identity and contact channels
The Regulation defines that the DPO’s identity and contact channels must be disclosed: (i.) on the agent’s website, in a prominent and easily accessible location, or (ii.) through other available communication channels, preferably those used to contact data subjects. The second option applies only when the agent does not have a website.
When disclosing “identity,” the Regulation has determined the following as minimum data: the full name, if the agent is a natural person; or the business name or title of the establishment and the full name of the natural person in charge, if it is a legal entity.
DPO’s main traits
The Regulation defines, among other traits, that the DPO:
(i.) may be a natural person, either a member of the processing agent’s organizational staff or external to it, or a legal entity;
(ii.) must be able to communicate clearly and precisely in Portuguese;
(iii.) does not need to be registered with any organization or possess any specific professional certification or training to perform their duties; and
(iv.) may hold multiple roles and perform their duties for more than one processing agent, provided they can fulfill their responsibilities without any conflict of interest.
DPO’s liability before the ANPD
In addition to detailing the DPO’s main activities and duties, the Regulation exempts the DPO from liability before the ANPD for the compliance of the processing of personal data carried out by the controller. In other words, the liability rests with the controller.
The full text of ANPD Regulation No. 18 is available at this link.
The Data Protection & Cybersecurity team at Souto Correa is available to provide further information and clarifications on the matter.