Brazil: Updated guidance on DPOs

Almost one year after the publication of the Brazilian data protection authority's ('ANPD') first guidelines ('the Guidelines'), which address the definitions of processing agents and general requirements for data protection officers ('DPOs'), the regulator has issued an updated version with a few modifications1, mostly aimed at clarifying the role of the latter. Marcus Fontes, Bernardo José Oliveira Araujo, Daniella Fernandes Ferrari, Beatriz Gomes Sampaio, and Ana Paula Ferreira de Santana, from Fontes Tarso Ribeiro Advogados, discuss the updated version of the Guidelines and further expected developments regarding DPOs in Brazil.


With respect to processing agents, the Guidelines in their updated state present only minor adaptations, keeping the content essentially the same as the previous version2. Nevertheless, a relevant update regards the inclusion of a flowchart for defining processing agents. This flowchart functions primarily as a visual tool for distinguishing sole controllers from joint controllership, representing an excellent initiative from the ANPD and a welcome contribution to the Brazilian data protection ecosystem.

The most important modifications introduced in the updates to the Guidelines are to the chapter dedicated to DPOs, addressing conceptual issues raised by the previous version of the Guidelines. In addition, the latest version of the Guidelines confirms that there is no regulatory requirement for the registration of DPOs for the time being, also referring to other regulations issued by the ANPD that allow for an exemption from appointing DPOs for small businesses and startups.

Key takeaways

The previous definition of DPOs as the person responsible for ensuring data protection compliance, set forth by the first version of the Guidelines, was deemed highly controversial, since Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD') provides for no such responsibility. In the updated version of the Guidelines, this specific language has been removed and replaced with a description of the DPO's general tasks as follows:

'In the exercise of his duties, the data protection officer may play an important role in fostering and disseminating the culture of data protection in the organisation, such as, when receiving requests from data subjects and the national government authority and adopting measures or, even, when guiding employees and contractors regarding the practices to be taken concerning the protection of personal data.'

The new wording chosen by the ANPD appears to be in alignment with the LGPD, since the DPO is not necessarily responsible for ensuring compliance, but rather for maintaining communication between the controller, data subjects, and the ANPD.

Another important addition includes harmonisation with the ANPD's novel regulation concerning the LGPD's application to small processing agents, Resolution CD/ANPD No. 2 of 27 January 2022 ('the Resolution'). As permitted by Article 41, paragraph 3 of the LGPD, the ANPD has exempted small businesses (as defined by the Resolution) from appointing DPOs, as long as communication channels with data subjects are established, thus providing for greater flexibility in their data protection compliance efforts.

Furthermore, the updated Guidelines have maintained that there is no legal obligation to register DPOs before the regulator, given the current lack of regulation. Complementarily, language was added to highlight that this topic may be regulated by the ANPD in the future, hence reiterating the possibly transitory nature of this understanding.

Lastly, a minor inclusion worth mentioning concerns the DPO's professional qualifications. Language was added to specify that the DPO's knowledge of data protection and information security should be assessed in accordance with the processing operations of personal data that take place within the organisation/entity.

Expected developments for DPO regulation

Although the ANPD has stated that the updated Guidelines are the outcome of society's contributions and the general development of the theme, many aspects concerning DPOs are subject to pending discussion and regulation, as previously determined by the ANPD's regulatory agenda for 2021-2022.

In fact, in early April 2022, the regulator convened a series of technical meetings directed at discussing various aspects related to DPOs and the LGPD framework, in order to gather inputs for future regulatory efforts. The meetings were organised into five sessions, each specifically covering one of the following topics:

  • characteristics and attributions;
  • forms of activity;
  • outsourcing and liability;
  • contact information, dismissal and flexibility of appointment; and
  • the public sector.

Despite participation being initially restricted to selected qualified guests, full coverage of the event has recently been made available by the ANPD through its official channel3.

Next expected developments include the drafting of new regulatory norms, which, as specialists recommend, should be submitted to public consultation according to best practices for transparency and democratic legitimacy. Not only would this increase openness to the process for stakeholders and society at large, but also help minimise typos and minor proofreading errors.

Finally, despite the additional security provided by the Guidelines in the recent update and the ANPD's ongoing regulatory agenda, uncertainty remains surrounding a few high-level questions concerning processing agents. Specifically, guidance on contractual agreements, including the outsourcing of operators that seem to act like internal employees and the question on how data processing instructions to operators should be documented, must still be resolved.

Marcus Fontes Attorney at Law
Bernardo José Oliveira Araujo Attorney at Law
Daniella Fernandes Ferrari Attorney at Law
Beatriz Gomes Sampaio Attorney at Law
Ana Paula Ferreira de Santana Attorney at Law
Fontes Tarso Ribeiro Advogados, Rio de Janeiro

1. For more information, please see: (Refers to Version 2.1 of the Guidelines, considering the publication of a revised updated version due to a formatting issue).
2. For more information, please see:
3. For more information, visit: