The Data Protection Officer (DPO) is a role established by both Brazilian legislation (General Data Protection Law – “LGPD”) and European legislation (General Data Protection Regulation – “GDPR”). Both laws have their own requirements for the appointment of their DPOs, whether for data controllers or processors. The Data Protection Officer serves as a channel of communication between the data subjects and the public authority responsible for enforcing data protection regulations within the jurisdiction.
Although both legislations mandate the presence of a DPO, there are key differences that companies must be aware of to mitigate risks, avoid legal and administrative penalties, and prevent damage to their reputation. To clarify these distinctions, we have prepared a comparative table regarding the LGPD and the GDPR.
Below, we highlight the main features of these two legislations:
Below, we provide further clarification on the differences between the Data Protection Officer under the GDPR and the LGPD.
OBLIGATION TO APPOINT A DPO
Unlike the GDPR [3], which establishes specific criteria for the designation of a DPO, the LGPD adopts a more general approach, determining that the data controller must appoint a person in charge of personal data protection. This implies that, generally, any public or private organization must appoint a DPO. However, there is an exception established in Resolution CD/ANPD No. 2/2022, which exempts small processing agents [4] from appointing a DPO, while maintaining other obligations defined by the LGPD [5]. Additionally, §3 of Article 41 provides the possibility of additional exemptions, allowing the National Data Protection Authority (“ANPD”) to establish cases where the appointment of a DPO may not be necessary, considering the nature, size, and volume of data processing by the entity.
QUALIFICATIONS AND SKILLS
The role of the DPO under Brazilian legislation is more flexible, with less stringent requirements than in Europe, particularly regarding the qualifications of the professional occupying the position. According to Article 7 of Resolution CD/ANPD No. 18/2024, it is the responsibility of the data processing agent to define the qualifications of the DPO based on their knowledge of personal data protection legislation, as well as the context, volume, and risk of the processing operations conducted. This Resolution also establishes that the DPO must be capable of communicating effectively with data subjects and with the ANPD. In Europe, Article 37 of the GDPR imposes more specific requirements, such as the need for specialized knowledge of law and data protection practices, the requirement that qualifications match the complexity and risk of the processing activities, the ability to develop and maintain data protection programs, and familiarity with technical and organizational measures.
OUTSOURCING THE DPO ROLE
Resolution CD/ANPD No. 18/2024, which regulates the DPO role in Article 12, provides that the DPO may be an individual, either affiliated or not with the organizational structure of the processing agent, or a legal entity [6]. All these options are also permitted under the GDPR [7].
DISCLOSURE OF THE DPO’S CONTACT INFORMATION
The contact details of the DPO must be published on the company’s website under both legislations, ensuring transparency and accessibility for data subjects and authorities. Article 9 of Resolution CD/ANPD No. 18/2024 also allows for disclosure through other communication means if the data controller does not have its own website. The GDPR also requires that the DPO’s contact details be communicated to the authorities.
CONFLICTS OF INTEREST CONSIDERATIONS
Both the General Data Protection Regulation (GDPR) and the Brazilian General Data Protection Law (LGPD) address conflicts of interest that may affect the performance of the DPO’s duties. The GDPR includes detailed safeguards to ensure the DPO’s independence, prohibiting them from performing functions that could create a conflict of interest, such as positions in which they determine the purposes of personal data processing. Furthermore, the regulation states that the DPO must not be penalized or dismissed for performing their responsibilities [8]. In contrast, the LGPD establishes that the data controller must take steps to mitigate any conflict of interest, with the option of replacing the DPO if necessary.
These aspects will be analyzed more thoroughly in a specific article exploring cases and legislation related to conflicts of interest in the context of data protection.
POSITION WITHIN THE ORGANIZATION
Regarding the holding of multiple roles, Brazilian legislation does not explicitly prohibit an employee, director, or contractor from being designated as DPO, provided that the independence of the role is maintained. Similarly, under the GDPR, the DPO may perform other roles within the organization as long as this does not lead to a conflict of interest. This means that, under European Union legislation, the DPO cannot hold a position in which they determine the purposes and means of personal data processing activities, such as chief executive officer, chief operating officer, or head of human resources [9].
***
In conclusion, the role of the DPO is crucial for maintaining privacy standards, and a clear understanding of the regulations governing this role is essential for organizations operating in Brazil. Foreign companies entering the Brazilian market should seek local legal advice to ensure compliance with the LGPD, particularly regarding the designation and responsibilities of the DPO.
GT Lawyers possesses the necessary expertise to provide legal advice and guidance, whether by assisting the DPO in their daily activities or by offering DPO services to mitigate potential conflicts of interest. Our team ensures that companies not only fulfill their legal obligations but also implement effective data protection practices, thereby minimizing legal and reputational risks while maintaining the DPO’s independence and impartiality.
GT Lawyers
Anne Brunschwig
Jessica Ferreira
[1] The Article 29 Working Party (WP29) has issued widely recognized market guidelines on the qualifications of the DPO, indicating that this professional must be capable of creating, implementing, and maintaining a Data Protection Program. Moreover, the more complex or risky the data processing carried out by the data controller, the higher the knowledge and specialization requirements for the DPO will be. Finally, the DPO does not need to be a lawyer, but must be familiar with data protection legislation and technical and organizational measures.
[2] Article 38 of the General Data Protection Regulation (GDPR) stipulates that the DPO must be involved in matters related to the processing of personal data and must act autonomously, without receiving instructions from third parties, regardless of their hierarchical position. In this context, the company must provide the necessary resources for the exercise of their activities. It is also important to emphasize that the DPO cannot be dismissed or penalized for performing their duties. They must report to senior management, and data subjects can contact them directly to clarify their doubts and address pertinent issues. Additionally, the DPO must maintain confidentiality regarding their activities and can perform other functions within the company, provided that there is no conflict of interest.
[3] Under the GDPR, the designation of a DPO is mandatory in three specific cases described in Article 37: (i) when data processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (ii) when the core activities of the controller or processor involve regular and systematic monitoring of data subjects on a large scale; or (iii) when the core activities involve large-scale processing of special categories of data, such as sensitive data or information relating to criminal convictions and offenses.
[4] Article 2, I, of the mentioned resolution defines these agents. Examples include micro-enterprises, small businesses, startups, and private legal entities, including non-profit organizations. It is important to note that an agent cannot benefit from the differentiated legal treatment of the resolution if it falls under the scenarios provided in Article 3.
[5] The obligations of small processing agents have been maintained, but a certain flexibility has been introduced in specific areas, such as the doubled timeframe to respond to data subjects’ requests and to communicate with the National Data Protection Authority (ANPD), as well as the possibility of adopting simplified procedures.
[6] The original text of the LGPD stipulated that the DPO must be a natural person. However, Provisional Measure No. 869/2018 removed the term “natural person,” and Law No. 13.853/2019 introduced the possibility for companies to act as a DPO.
[7] In accordance with Article 37, §6 of the GDPR, “the DPO may be a staff member of the controller or processor, or perform the duties on the basis of a service contract”.
[8] See Article 38 of the GDPR.
[9] More information is available at: www.ecb.europa.eu (accessed on: 30/10/2024).