In another step towards fulfilling its 2021-2022 Regulatory Agenda, the National Data Protection Authority (ANPD) has opened a period between March 18, 2022 and March 28, 2022 for the registration of experts interested in discussing the role of the Data Protection Officer (DPO), in the context of the Brazilian General Data Protection Law (LGPD – Law No. 13709/2018).
Under the terms of the LGPD, Article 41, the DPO is the main communication channel between the controller, the data subjects, and ANPD. Therefore, the DPO is the agent responsible for accepting complaints and communications from data subjects and the Authority, and then taking the appropriate measures, in addition to the duty of guiding the entity’s employees and contractors, regarding the practices of the personal data protection. In other words, they are responsible for ensuring that an entity, whether public or private, is complying with the LGPD.
The article also foresees the possibility, for ANPD, to establish complementary rules on the definition and duties of the DPO, as well as cases of waiver regarding the obligation of a DPO’s indication. In light of this, the current consultation, together with technical studies developed by ANPD, will contribute to the elaboration of a Regulatory Impact Analysis (RIA) and of a draft bill about the DPO, which will also be submitted for open public consultation and hearings in the future.
There is currently a Guideline for Definitions of Data Controllers and Officers, published by ANPD in May 2021, which provides guidance (that is, without any normative force) on best practices regarding the indication of a DPO. Moreover, ANPD has already stipulated a first hypothesis for waiving this duty in the recent Resolution CD-ANPD 2/2022, which authorized agents with low processing rates not to name a DPO (see art. 11 of the Resolution).
However, several questions concerning the nomination and performance of the DPO are still pending. For example, is it necessary for a processing agent to hire an exclusive collaborator to perform the role of the DPO, or is it possible for the same person to perform multiple functions? Would that situation raise any conflict of interest? In other words, who cannot be nominated as the DPO? Is it possible to outsource all or part of the DPO duties? Is the DPO liable for damages to the processing agent? Could the waiver of the duty to name a DPO be extended to other cases? How can we ensure efficiency in the nomination and performance of the DPO in both the private and public sectors?
In view of those points, ANPD intends to discuss the following topics with a selected group of 20 specialists:[1]
- Characteristics and attributions of the DPO: criteria for individuals to be designated as data protection officers or excluded from having this function, considering their employment status and ideal position in the organizational structure of a company. This will include discussions about the possibility of functions overlapping, conflicts of interest, and what other activities could be performed by the DPO, in addition to his or her own duties, as described in the LGPD.
- Efficient ways of naming the DPO: considering demand for DPO’s activities will increase in the coming years due to the digital economy growth, the issues to be discussed here will aim to: (i) verify whether entities of different sizes and that handle different volumes would demand different attributions from the DPO; (ii) evaluate the possibility of indicating more than one DPO or a substitute for the same officer; (iii) discuss the need to name a DPO in Brazil in the case of handling agents with headquarters abroad; and (iv) consider the possibility of nominating a single DPO for different companies of the same economic group.
- Outsourcing and liability: in this session, experts will discuss the possibility of outsourcing the DPO role or his/her duties (partially or totally) and in what way this could be done. In addition, it will be discussed the possibility of regulating the hypotheses in which the DPO can be held liable for damages to the treatment agent, besides the legal consequences of the DPO not fulfilling his/her duties.
- The need to publicize the DPO’s personal data, and DPO’s nomination waiver hypotheses: in what terms should DPO’s information be released, in order to comply with the legal provisions without neglecting the principle of necessity; and whether the DPO’s nomination waiver foreseen for agents with low processing rates could be extended to other hypotheses.
- DPO in the public sector: finally, in this last session, experts will discuss the indication of the DPO within the Public Administration and if there should be differentiated duties.
Meetings with the selected applicants will take place on April 5th and 7th, 2022. More information about registration for interested parties is available at this link.
[1] The evaluation of the applicants will consider: their academic background, complementary education, and professional or academic experience in the area, while also observing the criteria of diversity of representation of the sectors, genders, and region of the country.
