Brazilian Data Protection Authority publishes guidelines for controllers, processors and DPOs

Last Friday (May 28), the Brazilian Data Protection Authority (ANPD) published the “Guidelines for Definitions of Data Processing Agents and Data Protection Officer”, establishing non-binding guidelines for processing agents, clarifying the roles of controllers, processors and DPOs, as well as legal definitions and liability issues.
In general, the ANPD has rightly based several of its instructions on guidelines already established by the European Data Protection Board, which is not surprising, since the Brazilian law was heavily inspired by the GDPR.
Notwithstanding the distinctive concept between controller and processor already established by the Brazilian Data Protection Regulation ("LGPD"), namely the controller’s decision-making power, the Guide elucidates that it is not necessary for all decisions to be made by the controller, but only that he keeps his influence and control over the main decisions, i.e., those related to the essential elements for the fulfillment of the process’ purpose.
The Guide also addresses the concept of joint controllership of personal data, which did not come openly defined in the LGPD. Inspired by the GDPR, there will be joint controllership when two or more entities have a common, convergent or complementary intention about the purposes and means of processing and make decisions together. Even if the same personal data set is process, there will be no joint controllership if the processing objectives are different.
As for the processors’ role, the Guide reiterates the law by stating that they may act strictly within the limits of the purposes determined by the controller, and also highlights the importance of contracts governing the relationship between controller and processor.
Another explored aspect was the concept of sub-processors, being defined by the entity hired by the processor to assist it in performing the processing of personal data on behalf of the controller. It is recommended to obtain prior authorization from the controller for the operator to hire a third party, since the operator's relationship with the controller is based on trust, and also because its activities (in this case, hiring a sub-operator) must comply with the controller's instructions.
Finally, the Guide addresses the role of the DPO, who is responsible for ensuring an organization's compliance to the LGPD. Considering that the ANPD is still in public consultation about the appointment exemptions for certain categories of controllers, it has not addressed this issue in the Guide. On the other hand, the authority clarified the legitimacy of some practices already adopted by Brazilian companies in their compliance projects: the possibility of appointing an employee or agent from outside the organization, the importance of support and integration with other areas of the company, and the appointment formalization by internal act.
In addition, the ANPD recommends that independence is given to the DPO and that the individual’s qualifications will depend on the needs and circumstances of the organization itself.
The Guide’s publication demonstrates the active role of the ANPD. In addition to such document, last week the ANPD also opened registrations for experts to participate in its technical meetings on the preparation of impact assessment reports, and submitted for public consultation the draft resolution that provides for the inspection and enforcement of sanctions by the ANPD.
Our Digital Team is monitoring the adoption of new measures and publishing of documents by the ANPD. If you need to obtain further information about this subject, we are available at

Last related news

August 16, 2022

Brazilian National Health Surveillance Agency (ANVISA) decides to ban Carbendazim

On August 8th, 2022, during the 12th Extraordinary Public Meeting of DICOL, ANVISA’s Collegiate Board of Directors announced the completion of the toxicological Brazilian National Health Surveillance Agency (ANVISA) decides to ban Carbendazim

Ler notícia

July 19, 2022

Carbendazim toxicological revaluation about to be completed by ANVISA

In December 2019, ANVISA started the process of toxicological revaluation of the Active Ingredient (AI) Carbendazim, as signs of toxicity were identified Carbendazim toxicological revaluation about to be completed by ANVISA

Ler notícia

July 6, 2022

Compulsory license: patent owners in Brazil are under no obligation to provide know-how and raw materials

Good news for patent owners in Brazil: the National Congress has upheld the President’s veto n° 48/2021, which prevented those who had their Compulsory license: patent owners in Brazil are under no obligation to provide know-how and raw materials

  • Kasznar Leonardos
  • Ler notícia