Data Protection Officer (DPO) in Brazil
The personal data controller is a person appointed by the company who is responsible for communication between the company, the data subject and the ANPD (National Data Protection Authority), which oversees compliance with Law no. 13.709/2018, the General Law on Personal Data Protection (LGPD).
Article 41 of the LGPD obliges all companies to appoint a personal data controller, known under European law as a Data Protection Officer (DPO).
For the time being, there are no exceptions to the rule referred to in the previous paragraph, although a public consultation is already considering an exemption for small data processors, such as micro-enterprises, small businesses, startups, non-profit legal entities, natural persons and unincorporated entities. Also under consideration is an obligation for small processors that do not appoint a controller to at least provide a channel for communication with the data subject.
Note that this exemption applies only to the data controller. The LGPD will not cease to apply to small data processors.
The ANPD has not completed this public consultation and therefore its opinion has not yet been released.
What does a DPO do?
According to the paragraphs of article 41, the DPO is responsible for:
1) accepting complaints and communications from data subjects, providing explanations and taking appropriate action;
2) receiving communications from the national authority and taking appropriate action;
3) advising the entity's employees and collaborators on the practices to be followed with regard to the protection of personal data; and
4) performing the other duties determined by the controller or established in supplementary regulations.
Is it possible to outsource the control of personal data in Brazil?
The LGPD does not prohibit outsourcing of data control. Therefore, it is not obligatory that the controller be an employee of the company.
Accordingly, since it is possible to hire an external DPO, the employees can focus on the company's core business without being overburdened and without their employment contracts being distorted, which could give rise to legal consequences, such as the payment of additional compensation for deviation from their original function or dual activity.
Logically, hiring a DPO as a regular employee of the company is justified when the company's size and volume of data processing are so significant as to warrant this person’s dedication exclusively to this function.
The Brazilian Bar Association, in response to Consultation no. E-5.537/2021, has authorized lawyers to officially exercise the activities of a DPO.
Penalties for non-compliance with the LGPD, which includes the absence of a controller, have been in force since the beginning of August 2021, including fines of up to R$50 million, in addition to compensation for property, moral, individual or collective damage.
The Stüssi-Neves Advogados team is at your disposal for any additional explanation regarding this matter.
Fernando Seiji Mihara and Maria Lúcia Menezes Gadotti
Associate lawyer and Partner in Labour Law Area – São Paulo
fernando.mihara@stussinevessp.com.br and marialucia.gadotti@stussinevessp.com.br