The ANPD issues its Rules of Procedure – effective immediately

March 10, 2021

The ANPD issues its Rules of Procedure – effective immediately

On March 8, 2021, the National Data Protection Authority (ANPD) issued its new Rules of Procedure. What follows are some of its most significant provisions:

  • The rules confirm the ANPD’S structure as outlined in Brazilian Data Protection Law (Law # 13,709 of 2018 or LGPD):

(i) a Board of Directors (Conselho Diretor or BoD) and its supporting departments (specifically a General Secretariat, General Coordination of Administration, General Coordination of Institutional and International Relations), to be formed by five (5) Directors.

(ii) an Advisory Board (Conselho Nacional de Proteção de Dados Pessoais e da Privacidade), which can also rely on the BoD’s supporting departments.

(iii) Sectional Bodies: An Internal Affairs Office (Corregedoria); an Ombudsman (Ouvidoria); and Legal Counsel.

(iv) Specialized Bodies: General Coordination of Standardization, General Coordination of Inspection, and General Coordination of Research and Technology.

  • The rules specify the format of the Directors’ decisions, which should include a decision report and a vote (with a summary and clear grounds, which can be based on precedents). Abstentions are not allowed, except in case of a justified absence, impediments, or suspicion of impartiality.
  • The rules establish that the General Coordination of Institutional and International Relations will set forth mechanisms for adequate international data transfers, binding corporate rules; standard data protection clauses; and liaising with international Data Protection Authorities.
  • The Ombudsman is in charge of drafting the Annual Report, which will include an assessment of possible flaws in the framework and suggestions for improvement.
  • The General Coordination of Standardization is in charge of suggesting guidelines for the National Policy of Personal Data Protection and Privacy; submitting to the BoD suggestions for interpreting the LGPD, its sanctions, and providing guidance in case of legal omissions; and drawing up the Regulatory Impact Assessment prior to the issuance of ANPD’s Rules.
  • The General Coordination of Inspection will apply the LGPD’s sanctions; receive and prosecute any notices of security incident reports; issue orders to the controller any measures necessary to safeguard the data subject’s rights; and will request controllers and processors submit Data Protection Impact Assessment Reports.

Our team closely monitors any changes relating to the LGPD and is happy to assist clients on this matter. For more information regarding the new rules, please e-mail us at