News

Newsletter

31 de May de 2021

Brazilian Data Protection Authority publishes guidelines for controllers, processors and DPOs

Last Friday (May 28), the Brazilian Data Protection Authority (ANPD) published the “Guidelines for Definitions of Data Processing Agents and Data Protection Officer”, establishing non-binding guidelines for processing agents, clarifying the roles of controllers, processors and DPOs, as well as legal definitions and liability issues.
In general, the ANPD has rightly based several of its instructions on guidelines already established by the European Data Protection Board, which is not surprising, since the Brazilian law was heavily inspired by the GDPR.
Notwithstanding the distinctive concept between controller and processor already established by the Brazilian Data Protection Regulation ("LGPD"), namely the controller’s decision-making power, the Guide elucidates that it is not necessary for all decisions to be made by the controller, but only that he keeps his influence and control over the main decisions, i.e., those related to the essential elements for the fulfillment of the process’ purpose.
The Guide also addresses the concept of joint controllership of personal data, which did not come openly defined in the LGPD. Inspired by the GDPR, there will be joint controllership when two or more entities have a common, convergent or complementary intention about the purposes and means of processing and make decisions together. Even if the same personal data set is process, there will be no joint controllership if the processing objectives are different.
As for the processors’ role, the Guide reiterates the law by stating that they may act strictly within the limits of the purposes determined by the controller, and also highlights the importance of contracts governing the relationship between controller and processor.
Another explored aspect was the concept of sub-processors, being defined by the entity hired by the processor to assist it in performing the processing of personal data on behalf of the controller. It is recommended to obtain prior authorization from the controller for the operator to hire a third party, since the operator's relationship with the controller is based on trust, and also because its activities (in this case, hiring a sub-operator) must comply with the controller's instructions.
Finally, the Guide addresses the role of the DPO, who is responsible for ensuring an organization's compliance to the LGPD. Considering that the ANPD is still in public consultation about the appointment exemptions for certain categories of controllers, it has not addressed this issue in the Guide. On the other hand, the authority clarified the legitimacy of some practices already adopted by Brazilian companies in their compliance projects: the possibility of appointing an employee or agent from outside the organization, the importance of support and integration with other areas of the company, and the appointment formalization by internal act.
In addition, the ANPD recommends that independence is given to the DPO and that the individual’s qualifications will depend on the needs and circumstances of the organization itself.
The Guide’s publication demonstrates the active role of the ANPD. In addition to such document, last week the ANPD also opened registrations for experts to participate in its technical meetings on the preparation of impact assessment reports, and submitted for public consultation the draft resolution that provides for the inspection and enforcement of sanctions by the ANPD.
Our Digital Team is monitoring the adoption of new measures and publishing of documents by the ANPD. If you need to obtain further information about this subject, we are available at digital@kasznarleonardos.com
 
Back

Last related news

9 de July de 2025

Tracking and Telemetry in the Fight Against Software Piracy: An Analysis Under the LGPD and GDPR

The use of telemetry and tracking technologies by software developers to detect and combat the unauthorized use of their products has become Tracking and Telemetry in the Fight Against Software Piracy: An Analysis Under the LGPD and GDPR

  • Kasznar Leonardos
  • Ler notícia

    1 de July de 2025

    New PPH Cycle Opens for Third Quarter of 2025 – Telecommunication Applications Excluded

    In accordance with Ordinance 03/2025, published by the BPTO on March 25, 2025, a new limit of 800 Patent Prosecution Highway (PPH) New PPH Cycle Opens for Third Quarter of 2025 – Telecommunication Applications Excluded

    Ler notícia

    1 de July de 2025

    Brazil’s Supreme Court Partially Strikes Down Internet Law Provision, Imposes Stricter Duty of Care on Online Platforms

    On Thursday, June 26, the Brazilian Supreme Federal Court (STF) issued a landmark ruling, partially invalidating Article 19 of the Brazilian Internet Brazil’s Supreme Court Partially Strikes Down Internet Law Provision, Imposes Stricter Duty of Care on Online Platforms

    Ler notícia
    plugins premium WordPress