What is a DPO, and which organizations have to appoint one?
A Data Protection Officer (DPO) is a person in charge of verifying the compliance of personal data processing with the applicable law. The DPO communicates information on the processing of personal data, such as its purposes, interconnections, types, categories of data subjects, length of retention, and the department(s) in charge of implementing the processing. Appointing a DPO may be required by law or merely recommended.
Under Brazil’s General Data Privacy Law (LGPD), data controllers (i.e. employers) are responsible for appointing an officer to be in charge of processing employees’ personal information. Depending on the nature and size of the employer, as well as the volume of data that is being processed, the data protection authority may not require a DPO for certain employers, such as small businesses and startups.
The DPO will be responsible for communicating with employees (and other data subjects) on questions and complaints relating to their personal data. In addition, the DPO is responsible for adopting data protection measures, receiving communications from the national authority, and managing data protection practices for the organization (including preparing employees and contractors). The DPO’s identity and contact information should be publicly available, ideally on the company website.
More rules and responsibilities will likely be outlined in the future. For example, it is not currently clear whether the DPO must be an individual or whether a company or service provider could fulfill the role. It is also unclear whether the DPO is required to be located in Brazil.