Last review date: 3 January 2025
There is the concept of a "person in charge," which is equivalent to a DPO under the GDPR (although not identical).
Last review date: 3 January 2025
☒ the processing is carried out by a public authority or body, except for courts acting in their judicial capacity
☒ the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale
☒ the core activities of the controller or the processor consist of processing on a large scale of special categories of data
☒ the organization employs more than a certain number of individuals in the jurisdiction
☒ other
Per Article 41 of the LGPD, all data controllers must appoint a person in charge. However, in January 2022, the ANPD issued Resolution CD/ANPD No. 02, which removed the requirement to appoint a person in charge for micro and small companies, start-ups, self-employed, and non-profit associations. While not mandatory, an appointment of a person in charge will be considered good practice.
In 2024, the ANPD published the Regulation on the Appointment of the Person in Charge, detailing the responsibilities of the person in charge. Such regulation establishes complementary rules on the appointment, definition and duties of the person in charge. It provides more details about the: (i) formal requirements on the appointment of the person in charge; (ii) personal attributes that the person in charge should meet; (iii) type of information about the person in charge's identity that must be publicly disclosed; (iv) the responsibilities and activities that the person in charge should perform; (v) cases where there may be a conflict of interest in the appointment of the person in charge.
Last review date: 3 January 2025
Yes
If yes, what are these requirements?
☒ other
The law requires that the identity and contact information of the person in charge be publicly disclosed, clearly and objectively, preferably on the company's website. In addition, the ANPD recommends that this information be also shared with the company’s employees.
Additionally, the Regulation on the Appointment of the Person in Charge stipulates that the appointment of the person in charge must take into account their professional qualities, particularly their knowledge of privacy and data protection matters. It further establishes that the person in charge can hold an additional role within the company or organization, provided it does not create a conflict of interest in the performance of their duties as the person in charge. Moreover, the person in charge must be able to communicate clearly and precisely with data subjects and the ANPD, in Portuguese.