On July 16, 2024, Brazil’s National Data Protection Authority (ANPD) published Resolution 18/2024. This resolution outlines the requirements for appointing Data Protection Officers (DPOs) in companies, detailing their roles and responsibilities. It is crucial for companies and DPOs to follow these guidelines to ensure compliance with Brazil’s General Data Protection Act (LGPD).
The resolution emphasizes that a DPO can be an individual or a legal entity, and their contact information must be publicly available. While not all companies are required to appoint a DPO, doing so is considered a good governance practice, particularly for larger organizations. Companies must also ensure that the DPO has the necessary resources, technical autonomy, and direct access to senior management.
DPOs are responsible for interacting with data subjects and the ANPD, addressing complaints, and providing guidance on data protection. Additionally, they must oversee internal compliance with data protection regulations, maintain records, and implement security measures to safeguard personal data.
To avoid conflicts of interest, DPOs must remain independent in their role and can serve multiple organizations, provided they can fulfill their duties without compromising objectivity. The resolution encourages companies to carefully consider the professional qualifications and technical expertise of their DPOs to align with their data protection needs.