ILN Data Privacy Paper

Brazil

4.2 Role and responsibilities of key stakeholders

Complementing the provisions of the LGPD, the ANPD issued Resolution No. 18/24, which provides detailed rules on the appointment, duties, and responsibilities of the DPO, as well as the obligations of data processing agents to ensure the proper performance of this role. The regulation requires that the DPO be formally appointed by the data processing agent through a written, dated, and signed document that clearly sets out the scope of activities. It also mandates the disclosure of the DPO’s identity and contact details in a clear and easily accessible manner. Where a legal entity is appointed, the corporate name or trade name must be published, along with the full name of the individual responsible. Processing agents are further required to provide the DPO with adequate resources, guarantee technical independence, establish effective communication channels with data subjects, and ensure direct access to decision-makers. They must also seek the DPO’s input on strategic decisions involving personal data. While these measures reinforce the centrality of the DPO in compliance programs, the regulation clarifies that responsibility for compliance ultimately lies with the processing agents. Importantly, the regulation reiterates that no formal certification, training, or registration is required to serve as a DPO. However, the DPO must be able to communicate clearly in Portuguese. In addition, the regulation addresses potential conflicts of interest, allowing the DPO to hold multiple roles or serve multiple organizations, provided that impartiality is not compromised. In such cases, the DPO must disclose the situation to the processing agent, who is then responsible for taking appropriate measures, which may include implementing safeguards, appointing another person, or declining the designation. Non-compliance with these obligations may trigger sanctions by the ANPD.

Additionally, according to ANPD’s Resolution n. 2/243, small processing agents are exempt from appointing a DPO. These agents include micro-enterprises, small businesses, startups, and legal entities governed by private law, such as non-profit organizations, as defined by current legislation. This category also extends to natural persons and depersonalized private entities involved in personal data processing and undertaking the typical responsibilities of a controller. However, if a small processing agent decides not to appoint a DPO, they must establish an alternative communication channel with the data subjects to comply with the resolution.

[1] CD/ANPD RESOLUTION No. 2, OF JANUARY 27, 2022. Available at: https://www.in.gov.br/en/web/dou/-/resolucao-cd/anpd-n-2-de-27-de-janeiro-de-2022-376562019#wrapper

https://klalaw.com.br/en/home/
