Brazilian Data Protection Authority publishes guidelines for controllers, processors and DPOs

Last Friday (May 28), the Brazilian Data Protection Authority (ANPD) published the “Guidelines for Definitions of Data Processing Agents and Data Protection Officer”, establishing non-binding guidelines for processing agents, clarifying the roles of controllers, processors and DPOs, as well as legal definitions and liability issues.

In general, the ANPD has rightly based several of its instructions on guidelines already established by the European Data Protection Board, which is not surprising, since the Brazilian law was heavily inspired by the GDPR.

Notwithstanding the distinctive concept between controller and processor already established by the Brazilian Data Protection Regulation ("LGPD"), namely the controller’s decision-making power, the Guide elucidates that it is not necessary for all decisions to be made by the controller, but only that he keeps his influence and control over the main decisions, i.e., those related to the essential elements for the fulfillment of the process’ purpose.

The Guide also addresses the concept of joint controllership of personal data, which did not come openly defined in the LGPD. Inspired by the GDPR, there will be joint controllership when two or more entities have a common, convergent or complementary intention about the purposes and means of processing and make decisions together. Even if the same personal data set is process, there will be no joint controllership if the processing objectives are different.

As for the processors’ role, the Guide reiterates the law by stating that they may act strictly within the limits of the purposes determined by the controller, and also highlights the importance of contracts governing the relationship between controller and processor.

Another explored aspect was the concept of sub-processors, being defined by the entity hired by the processor to assist it in performing the processing of personal data on behalf of the controller. It is recommended to obtain prior authorization from the controller for the operator to hire a third party, since the operator's relationship with the controller is based on trust, and also because its activities (in this case, hiring a sub-operator) must comply with the controller's instructions.

Finally, the Guide addresses the role of the DPO, who is responsible for ensuring an organization's compliance to the LGPD. Considering that the ANPD is still in public consultation about the appointment exemptions for certain categories of controllers, it has not addressed this issue in the Guide. On the other hand, the authority clarified the legitimacy of some practices already adopted by Brazilian companies in their compliance projects: the possibility of appointing an employee or agent from outside the organization, the importance of support and integration with other areas of the company, and the appointment formalization by internal act.

In addition, the ANPD recommends that independence is given to the DPO and that the individual’s qualifications will depend on the needs and circumstances of the organization itself.

The Guide’s publication demonstrates the active role of the ANPD. In addition to such document, last week the ANPD also opened registrations for experts to participate in its technical meetings on the preparation of impact assessment reports, and submitted for public consultation the draft resolution that provides for the inspection and enforcement of sanctions by the ANPD.

Our Digital Team is monitoring the adoption of new measures and publishing of documents by the ANPD. If you need to obtain further information about this subject, we are available at digital@kasznarleonardos.com.