Iubenda logo
Start generating

Documentation

Table of Contents

Updated Brazilian Guidance

Updated Brazilian Guidance for Personal Data Processing Agents and Data Protection Officers. 

Updated Brazilian Guidance

The latest version of the guidance, published by the Brazilian Data Protection Authority (ANPD) on April 26, 2022, included slight but significant revisions and clarifications.

In short, the ANPD stated that the latest guideline is required in order to:

  • clarify some concepts under the LGPD and previous guidance;
  • include practical examples and explanations on who can perform the roles of the data controller, data processor, and DPO, as well as their responsibilities;
  • provide clarifications on the DPO’s attributions and discuss the lack of necessity to register the DPO’s identity before the ANPD;
  • give updates in response to Resolution CD/ANPD No. 2 of 27 January 2022 for a Regulation on the application of the LGPD to small processing agents; and
  • present notions found in more complicated chains, such as the sub-operator, to show how they might be applied.


Let’s break some of this down into more details. For starters, there has been some change in wording:

In the exercise of their duties, the Data Protection Officer CAN play an important role in promoting and disseminating a culture of personal data protection in the organization


The Data Protection Officer was previously defined by the ANPD as “the individual responsible for ensuring the compliance of an organization, public or private, with the LGPD.”

The idea that the Data Protection Officer is personally accountable for the organization’s compliance with the LGPD has been eliminated from the updated version of the guideline. As a result, the processing agent has civil and administrative responsibility for the acquisition and processing of personal data, rather than the Data Protection Officer personally.

SMALL BUSINESS: DATA PROTECTION OFFICER AGENTS FOR DATA PROCESSING

While this was already expected based on the wording of the first version. In the new guidelines resolution no. 02/2022 authorizes the Regulation for the Applicability of the LGPD for small company data processing agencies, exempting them from having to nominate a Data Protection Officer.

BEFORE THE ANPD: IDENTITY OF AND CONTACT INFORMATION FOR THE DATA PROTECTION OFFICER

Due to the lack of legislative or regulatory restrictions, the revised version of the guideline does not require the organization to notify or register with the ANPD the identity of and contact information for the Data Protection Officer, as it did in the prior edition. The advice, however, underlines that this is the current circumstance, which might alter with future ANPD laws.