Draft order sets out further data protection rules for Brazilian organisations
All organisations in the country must appoint DPOs, with the exception of small businesses that have an annual income of BRL4.8 million or less. The order sets out the requirements for larger organisations in complying with the mandatory appointment.
A DPO may be a natural or legal person or a group of people such as a “privacy committee”. Such persons can serve as DPOs to different data controllers, as long as there is no conflict of interest.
The order provides that DPOs should be knowledgeable about privacy and data protection, understand the LGPD and be able to fulfil all the tasks set out in the law.
These tasks include those originally set out in the LGPD: dealing with complaints and requests from data subjects, receiving communications and instructions from the ANPD and advising organisations on the handling of personal data.
The order also includes additional tasks for DPOs. Among these are maintaining records of processing activities, carrying out data protection impact assessments, identifying and assessing risks related to personal data processing activity and determining the security controls to be implemented by the organisation. They will also be responsible for the creation and implementation of best practice and governance rules for organisations. DPOs are subject to professional confidentiality with respect to the personal data they access and are in charge of international personal data transfer.
“Data processors may also appoint a DPO, although this is not required by the draft regulation,” notes law firm Mayer Brown. “Nonetheless, having a DPO will be a valuable privacy governance practice, and will be taken into account by the ANPD while assessing severity of violations and applying sanctions.”
The draft order is open to consultation until December 7, 2023.