In brief
The Brazilian Data Protection Authority (ANPD) has published Resolution CD/ANPD No. 18, which creates additional rules for the appointment of the Person in Charge (similar, although not equivalent, to the Data Protection Officer under the GDPR) – (“Regulation“).
As background, according to Law No. 13.709/18 (Brazilian Data Protection Law (LGPD)), data controllers must appoint a Person in Charge. The “Person in Charge” has the primary role of serving as a communication liaison between the data controller, data subjects and ANPD, as well as providing training and guidance to the controller’s employees, and complying with any other instructions that controller may give.
Accordingly, the Regulation sets forth the procedures that must be followed for the appointment of the Person in Charge, including personal qualifications that the Person in Charge must meet.
Some of the Regulation’s key aspects are:
- The Person in Charge can be either an individual or legal entity.
- The appointment of the Person in Charge must be made by means of a formal act (written, dated and signed document). This document must be provided to the ANPD upon request.
- The processing agent must formally appoint a substitute to act in the place of the Person in Charge during any period of vacancy in the position.
- The appointment of a Person in Charge by data processors is optional, but will be deemed as a good practice/ mitigation measure for the applicability of potential fines.
- It is necessary to disclose, in a prominent and easily accessible place (e.g., the website or other communication channels often used to contact data subjects), the name of the individual or legal person appointed as the Person in Charge, as well as their contact information.
- The Person in Charge must be able to communicate clearly and precisely with data subjects and the ANPD, in Portuguese.
- The Person in Charge’s professional qualifications should be determined by the processing agent, in light of the context, volume, and risk of the processing activities performed by the processing agent.
- The Person in Charge can have an additional role within the company or organization, as long as such additional role does not create a conflict of interest in the performance of their duties as the Person in Charge.
The Regulation is binding and effective from 17 July 2024.
Our Data Protection and Cybersecurity team is closely monitoring legal updates on the subject and is available to answer any questions related to the Regulation.
* * * * *
Trench Rossi Watanabe and Baker McKenzie have executed a strategic cooperation agreement for consulting on foreign law.