The National Data Protection Authority (“ANPD”) published Resolution CD/ANPD No. 18/2024 on July 17, 2024, which approves the Regulation on the role of the Data Protection Officer.

The Resolution addresses issues regarding the appointment, responsibilities, and activities of the Data Protection Officer, as well as the duties of data controllers.

Among the points covered in the Regulation, we highlight the following requirements that data controllers must adhere to:

• The appointment of the Data Protection Officer must be made through a formal act (written, dated, and signed document) specifying their roles and responsibilities. This document must be presented to the ANPD upon request.
• A substitute Data Protection Officer must also be appointed.
• Data controllers must, among other duties, ensure technical autonomy for the Data Protection Officer and provide them with direct access to top-level executives within the company.
• The Data Protection Officer can be either an individual (employed or not by the data controller) or a legal entity.
• The Data Protection Officer does not bear personal responsibility for compliance with the LGPD (General Data Protection Law), with the data controller being solely responsible for ensuring this compliance.
• The Data Protection Officer must communicate with data subjects and the ANPD in Portuguese.
• The data controller cannot appoint a Data Protection Officer who may have a conflict of interest in performing their duties, which could even result in sanctions against the data controller.