Brazil: ANPD releases information on

brief

The Brazilian Data Protection Agency (ANPD) issued Resolution No. 18 CD/ANPD, which establishes additional rules for the appointment of a responsible person (similar to, but not equivalent to, a data protection officer under the GDPR) – (“Regulation“).

As a background, according to Law 13.709/18 (Brazilian Data Protection Law (LGPD)), data controllers must appoint a Responsible Person. The main duties of the “Responsible Person” are to act as a liaison between the data controller, the data subjects and the ANPD, as well as to provide training and guidance to the controller’s employees and comply with any other instructions that may be given by the controller.

The Regulation therefore sets out the procedure that must be followed for the appointment of a responsible person, including the personal qualifications that the responsible person must meet.

Some key aspects of the regulation include:

• The person in charge can be an individual or a legal person.
• The appointment of the responsible person must be made by means of an official document (written, dated and signed document). This document must be provided upon request by the ANPD.
• The handling agent must formally appoint a replacement to act in the person’s place during the period when the person in charge’s position is vacant.
• The appointment of a responsible person by a data processor is optional but will be considered good practice/mitigation for potential fines to apply.
• The name of the person or legal person appointed as the responsible person and his/her contact information need to be disclosed in a prominent and easily accessible place (e.g. on a website or other communication channels regularly used to contact the data subject).
• The responsible person must be able to communicate clearly and accurately in Portuguese with the data subject and the ANPD.
• The professional qualifications of the responsible person should be determined by the processing agent based on the content, volume and risks of the processing activities they perform.
• The responsible person may hold other positions within the company or organization as long as such other positions do not create a conflict of interest in the performance of the duties of the responsible person.

The regulation is binding and will come into force on July 17, 2024.

Our Data Protection and Cybersecurity teams are closely following legal updates on this topic and are on hand to answer any questions related to the regulation.

* * * * *

Trench Rossi Watanabe has signed a strategic cooperation agreement for foreign legal consulting with Baker & McKenzie.