Published in the Official Gazette on March 9th, 2021, Ordinance No. 01 stipulates the Brazilian National Data Protection Authority’s (ANPD) internal procedure rules, defining its competencies of the organizational units, the procedures, and the decision-making instruments of the body.
As per Law No. 13,709/2018 (the Brazilian General Data Protection Law – LGPD) itself, the organizational structure of the ANPD is composed by the Board of Directors and its advisory body, the National Council for Data Protection and Privacy. The Ordinance details the existence of internal bodies for coordination, ombudsman, and legal counsel. It also creates the function of “Project Manager”, who will report directly to each of the five directors members of the Board of Directors, which is the ANPD’s highest directive body.
The Ordinance also determines that the decisions of the Board of Directors must be made in Deliberative Meetings or Deliberative Rounds, by simple majority, with an absolute majority of its members present. As provided by the internal regiment, the Board of Directors will hold at least one Deliberative Meeting a month, either in person or by videoconference, to analyze the processes underway at the ANPD. The meetings will be public, except when wide publicity may violate a secrecy protected by law or someone's privacy, in which case disclosure will be restricted to the parties and their attorneys.
Among the Board's competencies, the following stand out:
(i) the edition of regulations and procedures, including addressing data protection impact assessment reports;
(ii) the setting up of minimum technical standards to be applied in anonymization processes and as security measures;
(iii) the definition of standard contractual clauses’ content, as well as the verification of specific contractual clauses for international transfers, global corporate standards, certificates and codes of conduct;
(iv) the deliberation regarding requirements on levels of protection of personal data from other countries; and
(v) the review of sanctions applied by the General Inspection Office.
As for the deadlines, the regulation provides for that requests for examination for thirty (30) days, extendable for another thirty (30) to each board member. The Deliberative Round should take place from seven (7) to thirty (30) days.
The ANPD will also have a General Secretariat, a General Administration Coordination and a General Institutional and International Relations Coordination. In addition, the functions of the Internal General’s Office, the Ombudsman's Office and the Legal Office, the General Coordination of Standardization and the General Coordination of Technology and Research have been created and set up.
Among other departments, the General Inspection Coordination was also created, whose competencies are
(i) to make first instance decisions in the ANPD's administrative sanctioning proceedings;
(ii) request data processing agents to submit Personal Data Protection Impact Assessment reports;
(iii) receive notifications of security incidents;
(iv) perform audits, or determine their performance, within the scope of its inspection activities; and
(v) communicate to the competent authorities any criminal infractions of which might come to its knowledge.
Regarding the review of the ANPD's decisions, the highest instance of appeal in matters within the Authority's jurisdiction is the Board of Directors. The ANPD's decisions issued when the Board of Directors functions as a single instance may be subject to a request for reconsideration, duly justified.
Finally, the regulation defines administrative procedures, such as the body's decision-making framework, as well as procedures relating to public hearings and consultations, the issuance of normative acts, legal interpretations, and the establishment of understandings on matters related to the protection of personal data.
Should you be interested in further details about the ANPD’s functions and procedures, please do not hesitate to contact our Digital Law team at firstname.lastname@example.org