What are the main doubts of companies about the person in charge of data provided for in the General Data Protection Law?

Inspired by the European Personal Data Protection Legislation (“General Data Protection Regulation – GDPR”), the LGPD requires companies and self-employed professionals to review their operations and procedures involving the use of personal data of their employees, customers, suppliers and business partners.

The LGPD brought the figure of the data protection officer, which is equivalent to the DPO (data protection officer) at GDPR. In this article, the main doubts that companies are having at this point of the law will be addressed.

1- What are the duties of the data manager/DPO?

Under the terms of the LGPD (art. 41, §2), the duties of the person in charge are as follows: (i) accept complaints and communications from the holders and provide the respective clarifications; (ii) receive communications from the national authority and take necessary measures; (iii) guide the organization’s employees and contractors about the practices to be taken in relation to the protection of personal data and (iv) perform other duties determined by the controller or established in complementary rules.

The Law also reserves the possibility for the National Data Protection Authority (ANPD) to establish new attributions to the person in charge and also the possibility of waiver of the mandatory indication, depending on the nature, size of the entity or the volume of processing operations of data.

However, while ANPD does not issue any regulation in this regard, all companies needed to indicate the contact of their person in charge in a clear and objective manner, preferably on their website.

2- Should the person in charge be an employee of the company or can it be outsourced?

Under the terms of the law, the company may opt for any of these modalities, provided that the chosen option is able to meet the duties provided for in art. 41, §2 of the above mentioned LGPD.

The advantages of the supervisor being an employee of the company are greater knowledge of internal procedures and greater commitment to the organization.

On the other hand, this option ends up representing a high cost for the company and therefore ends up being more suitable for medium and large companies.

If you are an employee who accumulates functions (not exclusively in charge/DPO), it is important that he does not occupy a position that leads him to determine the objectives and means of processing personal data, as the supervisor’s autonomy and impartiality must be guaranteed.

Thus, the person in charge cannot be responsible for functions that may result in the allocation of data protection in a secondary role in view of the organization’s commercial interests.

Therefore, so that there are no conflicts of interest, an employee who already exists in the company may be appointed as supervisor, provided that their professional duties are compatible with the legal duties of the supervisor.

In turn, the outsourced manager can represent a lower cost for the company, being more suitable for small and medium-sized companies.

To perform their role, prior knowledge of the organization’s routines is necessary and, as they are not part of the company’s internal team, they end up having greater autonomy in performing their role.

Whether internal or outsourced, so that the person in charge can fulfill their duties, their involvement with all issues related to data protection in the company is strictly required, that they report directly to the highest level of the organization’s management and that it is ensured acting independently, autonomously and with adequate resources (sufficient time, finances, infrastructure and, where appropriate, staff, etc.).

3- What are the necessary qualifications to occupy the position of Data Officer/DPO?

The LGPD makes no mention of this. GDPR says that the DPO must have experience and specialized knowledge in data protection legislation, but it does not list the credentials/certifications it is expected to have.

The only exception is that it must be proportional to the type of data processing for which it will be responsible.

4- What is the responsibility of the data manager?

The incumbent is not personally responsible for the company’s compliance. However, it plays a crucial role in helping the controller and data operator to properly comply with the terms of the LGPD within the organization. For this reason, companies must be careful in the appointment of their respective data manager.

By Juliana Gonçales – partner at Silveira Advogados and specialist in tax law and data protection.