Updated Brazilian Guidance for Personal Data Processing Agents and Data Protection Officers.
The latest version of the guidance, published by the Brazilian Data Protection Authority (ANPD) on April 26, 2022, included slight but significant revisions and clarifications.
In short, the ANPD stated that the latest guideline is required in order to:
Let’s break some of this down into more details. For starters, there has been some change in wording:
In the exercise of their duties, the Data Protection Officer CAN play an important role in promoting and disseminating a culture of personal data protection in the organization
The Data Protection Officer was previously defined by the ANPD as “the individual responsible for ensuring the compliance of an organization, public or private, with the LGPD.”
The idea that the Data Protection Officer is personally accountable for the organization’s compliance with the LGPD has been eliminated from the updated version of the guideline. As a result, the processing agent has civil and administrative responsibility for the acquisition and processing of personal data, rather than the Data Protection Officer personally.
SMALL BUSINESS: DATA PROTECTION OFFICER AGENTS FOR DATA PROCESSING
While this was already expected based on the wording of the first version. In the new guidelines resolution no. 02/2022 authorizes the Regulation for the Applicability of the LGPD for small company data processing agencies, exempting them from having to nominate a Data Protection Officer.
BEFORE THE ANPD: IDENTITY OF AND CONTACT INFORMATION FOR THE DATA PROTECTION OFFICER
Due to the lack of legislative or regulatory restrictions, the revised version of the guideline does not require the organization to notify or register with the ANPD the identity of and contact information for the Data Protection Officer, as it did in the prior edition. The advice, however, underlines that this is the current circumstance, which might alter with future ANPD laws.
