On Thursday 19 December 2024, the National Data Protection Authority (ANPD) published the Guidance for DPOs.
It is worth remembering that the General Data Protection Law (LGPD) in its article 5, item VIII, conceptualised the DPO as ‘a person appointed by the controller and processor to act as a communication channel between the controller, the data subjects and the National Data Protection Authority (ANPD)’.
The Guide reinforces the guidance addressed to processing agents on matters such as responsibilities and conflicts of interest in the appointment of the DPO and his/her substitute, and provides a model formal act for the appointment of both natural and legal persons. It also clarifies that the DPO cannot be an organisational unit without legal personality.
In order to help society interpret the existing regulations on the DPO, the Guide begins by clarifying who can appoint the DPO, and how, in both the public and private sectors. Appointments in the private sector must be made by a formal act, defined as ‘a written document, dated and signed, which clearly and unequivocally demonstrates the intention of the processing agent to appoint a natural or legal person as DPO’, whether by a contract, a term or an amendment to a pre-existing contract. In the public sector, given the constitutional principle of publicity, the appointment must be made by administrative act and published in the Official Gazette. The Guide also emphasises that the formal act of appointment does not need to be made available on the processing agent's website.
Another relevant point is the requirement to disclose the identity (full name or business name) and contact details of the DPO, both on websites and on physical media such as leaflets and signs, in accordance with Resolution CD/ANPD No. 18 of 16 July 2024. The name and contact details of the substitute must also be made available to the data subjects. Therefore, simply indicating the e-mail address of the DPO/Substitute is not enough. It is also worth mentioning that there is a requirement for fluency in Portuguese and for communications to be timely and effective.
In addition, the Guide once again emphasises that not all Small Agents are exempt from appointing a DPO. The exemption does not apply to: companies that carry out high-risk processing; companies with gross revenue of more than R$4.5 million a year; Startups with gross revenue of more than R$16 million, or of more than R$1,333,334.00 multiplied by the number of months of activity in the previous calendar year when that period is less than 12 months, regardless of corporate form; and economic groups with global revenue above the limits indicated. Even where a small agent is exempt from the obligation, appointing a DPO is considered good governance practice and can be very important for the effective handling of personal data and for corporate reputation.
It is also understood that there is no specific profile for the position of DPO, and the LGPD does not provide rigid definitions on the subject, although multidisciplinary skills and knowledge can be valuable in exercising the function.
With regard to conflict of interest, perhaps one of the most controversial points on the subject, the Guide defines it as ‘a situation that may compromise, influence or affect, in an improper manner, objectivity and technical judgement in the performance of the duties of the DPO’. Since these duties must be carried out autonomously, the DPO should not hold cumulative positions that could generate such conflicts, such as leadership, management or directorship roles. Although the accumulation of functions is not prohibited, nor is working in other organisations, people involved in strategic decisions, especially those related to data processing, should not be appointed to the position of DPO. Where a conflict of interest does exist, it is up to the controller not to proceed with the appointment, to apply measures to remove the risk and to replace the DPO.