June 1, 2021
On May 28, 2021, the Brazilian National Data Protection Authority (ANPD) released its guidance on Controllers, Processors, and DPOs. The guidance clarifies several points considered vague of the Brazilian Data Protection Act (LGPD) regarding the duties and attributions of the controller, processor, and the DPO, as detailed below.
The guidance clarifies that the controller and the processor should be defined based on their institutional character. Therefore, subordinate individuals, such as employees, public servants, or work teams of an organization, will not be considered controllers (autonomous or joint) or processors since they act under the directive power of the controller/processor.
The guidance remembers that the controller/processor shall be defined for each personal data processing operation. Likewise, according to its performance in different processing operations, the same organization can be considered controller and processor.
The guidance reinforces the definitions set forth by the LGPD, highlighting that the controller acts on behalf of its own purposes and has decision-making power over the processing. In contrast, the processor shall perform according to the controllers' interests, following its instructions.
The document warns that the definition of controller and processor roles should always be carried out according to the factual context and the relevant circumstances of the case. Thus, for example, the role of the controller may be stipulated in legal and regulatory instruments or a contract signed between the parties, but such legal provisions should not be distanced from the factual reality.
Finally, taking into consideration that the attribution of responsibilities concerning the compensation of damages arising from unlawful acts will be different according to the qualification of the processing agent, the guidance warns that it is of paramount importance to set objective parameters for the allocation of responsibility between the parties through a contract.
The guidance mentions that the LGPD has not determined under what circumstances an organization should appoint a DPO. Therefore it should be assumed that every organization should indicate a person to assume that role as a rule. However, the guidance warns that future ANPD regulations may bring scenarios exempting the need to appoint a DPO.
The guidance also reinforces that the LGPD does not distinguish whether the DPO should be a natural person or a legal entity, an employee of the organization, or an external agent.
The guidance recently released aims to bring more certainty to the data subjects and controllers, processors, and DPOs regarding the definition of their roles and duties by answering some of the main doubts presented to the ANPD. The guidance, however, warns that it does not replace future regulations on the subject.
Our team is closely monitoring any measures regarding the LGPD and assisting clients on compliance projects. For more information regarding this matter, e-mail us at firstname.lastname@example.org.