

Brazil’s Data Protection Authority issues resolution on the role of data protection officers
New supplementary rules established in regard to DPO appointments, definitions, duties and actions
Brazil’s National Data Protection Authority (ANPD) has published Resolution No. 18/2024, which approves regulations covering the actions of data protection officers (DPOs).
Processing agents must appoint DPOs via a formal act that sets out the type of actions and the activities the DPO will carry out.
DPO characteristics and activities
According to the resolution, a DPO may be a natural person either inside or outside the processing agent’s organization, or a legal entity. DPOs must be able to communicate in Portuguese clearly and precisely with data subjects and the ANPD.
Furthermore, the role of DPO does not require prior registration with any entity, nor any certifications or specific professional training – it is up to the processing agent to establish the professional qualifications necessary to carry out these duties. Knowledge of personal data protection legislation and the context, volume and risk involved with the agent’s processing operations should be considered.
According to the resolution’s wording, the DPO’s activities consist of:
- Accepting data subjects’ complaints and communications, providing clarification and taking appropriate measures when necessary;
- Receiving communications from the ANPD and adopting relevant measures;
- Guiding the processing agent’s employees and contractors regarding practices that must be carried out in relation to the protection of personal data; and
- Performing other duties determined by the processing agent or established in supplementary rules.
The DPO must take any necessary measures to comply with requests the ANPD makes in its communications, and must also provide any relevant information.
However, the activities and duties included in the new resolution do not make the DPO responsible (vis-à-vis the ANPD) for ensuring personal data processing carried out by the data controller complies with Brazilian data protection regulations.
DPO identity and contact information
The resolution establishes that processing agents must publicly disclose their DPO’s identity and contact information in a prominent and easily accessible location on the processing agent’s website. This information must be kept up to date.
The minimum required identity information for the DPO includes:
- The DPO’s full name (if a natural person); or
- The business name or title of the establishment, as well as the full name of the natural person responsible (if a legal entity).
If the processing agent does not have a website, it may disclose the DPO’s identity and contact information via any other available means of communication – especially those usually used to contact data subjects.
Processing agents’ duties
The resolution provides that processing agents must:
- Provide the necessary means for the DPO to carry out their duties, including human, technical and administrative resources;
- Request the DPO’s assistance and guidance when carrying out activities and making strategic decisions regarding personal data processing;
- Guarantee the DPO has the technical independence needed for carrying out their activities. They must be free from undue interference, especially when providing guidance on practices that need to be adopted in relation to personal data protection;
- Ensure data subjects have quick, effective, and appropriate means to contact the DPO and exercise their rights; and
- Guarantee that the DPO has direct access to people at the highest hierarchical level within the organization, those responsible for making strategic decisions that affect or involve personal data processing, as well as other areas of the organization.
Conflicts of interest
Conflicts of interest can occur:
- Between the duties a DPO carries out within a given processing agent or in the activities a DPO conducts in relation to multiple processing agents;
- If a DPO is also in charge of making strategic decisions about the data controller’s personal data processing operations (except for those inherent to the DPO’s duties).
The resolution permits a single DPO to accumulate functions and act on behalf of more than one processing agent, provided they are able to comprehensively fulfill their duties in relation to each processing agent and provided there are no conflicts of interest.
Any potential conflicts of interest will be subject to verification on a case-by-case basis. If confirmed, they may result in penalties for the processing agent under the terms of Article 52 of Brazil’s General Data Protection Law (LGPD).
It is the DPO’s duty to declare any situation that may constitute a conflict of interest to the relevant processing agent. They are also responsible for ensuring the information provided is accurate and true.
Resolution No. 18/2024 takes effect immediately.
For more information on this topic, please contact Mattos Filho’s Data Protection & Cybersecurity practice area.