In Brazil, the role of the Data Protection Officer (DPO) is defined under the General Data Protection Law (Lei Geral de Proteção de Dados – LGPD). The DPO is referred to as the “Encarregado de Proteção de Dados” or simply “Encarregado.” Below are the key requirements and responsibilities for a Brazilian DPO:
1. Appointment and Qualifications:
- Mandatory Appointment: Every organization that processes personal data in Brazil, regardless of size or sector, is required to appoint a DPO.
- Qualification: The LGPD does not specify formal qualifications for the DPO. However, the DPO should possess a solid understanding of data protection laws, privacy principles, and the organization’s processing activities.
2. Key Responsibilities:
- Communication Channel: Act as a point of contact between the organization, data subjects, and the National Data Protection Authority (ANPD).
- Guidance and Advice: Provide guidance to the organization on compliance with LGPD, including advising on Data Protection Impact Assessments (DPIAs) and other compliance measures.
- Monitoring Compliance: Monitor internal compliance with the LGPD and the organization’s data protection policies.
- Training and Awareness: Lead or coordinate training programs for employees on data protection practices and legal obligations.
- Handling Requests: Manage requests from data subjects regarding their rights under the LGPD, such as access, correction, deletion, and data portability.
- Incident Management: Support the organization in responding to data breaches and reporting them to the ANPD as required by the LGPD.
3. Organizational Structure:
- Independence: The DPO should be independent and have the autonomy to perform their duties without interference from the organization’s management.
- Resource Availability: The DPO must have access to necessary resources, including time, tools, and personnel, to carry out their responsibilities effectively.
4. Public Disclosure:
- Identity Disclosure: The organization must publicly disclose the identity and contact information of the DPO, typically on the company’s website or privacy notice, to facilitate communication with data subjects and the ANPD.
5. Location:
- Not Restricted by Location: The DPO does not need to be physically located in Brazil, but they must be accessible to both the organization and the ANPD for effective communication and compliance.
6. Liability:
- No Personal Liability: The DPO is not personally liable for non-compliance by the organization. The organization itself holds liability for LGPD violations.
7. Outsourcing:
- Outsourcing Option: Organizations may outsource the DPO role to a third party, such as a law firm or consultancy, provided that the external DPO meets the requirements of the role.
8. ANPD Guidance:
- Awaiting Further Regulation: The ANPD has the authority to issue further regulations regarding the DPO role, which may specify additional requirements or provide clarifications.
In summary, while the LGPD outlines the DPO’s role and responsibilities, it allows flexibility regarding the qualifications and structure of the DPO, focusing more on ensuring that the organization is compliant with data protection laws and capable of responding to data subjects’ rights and ANPD requests.
