The Data Protection Officer (DPO), as established by European legislation (General Data Protection Regulation - "GDPR") and Brazilian legislation (General Data Protection Law - "LGPD"), plays a critical role in ensuring data protection compliance. These laws define specific requirements for DPO appointments, applicable to both data controllers and processors. The DPO acts as a communication channel between data subjects and the public authority responsible for enforcing data protection regulations within the jurisdiction.
Although both legislations require the presence of a DPO, there are key differences that companies must understand to mitigate risks, avoid legal and administrative sanctions, and safeguard their reputations. To clarify these distinctions, we have prepared a comparative table of the LGPD and GDPR requirements.
Here are the key characteristics of both legislations:
| | GDPR | LGPD |
|---|---|---|
| Mandatory DPO Appointment | Mandatory for specific cases: for public organizations or entities engaged in large-scale, systematic monitoring or sensitive data processing (Art. 37). | Generally required for all entities, except for small organizations if a communication channel is in place (Resolution CD/ANPD nº 2/2022). |
| Qualifications and Skills | Professional qualifications required, particularly in law and data protection practices (Art. 37). | Qualifications are determined based on expertise relevant to the context, volume, and risks of data processing operations (Resolution CD/ANPD nº 18/2024). |
| Responsibilities | Includes support for impact assessments, cooperation with regulators, and communication with data subjects (Art. 39). | Includes managing complaints, liaising with data subjects and the ANPD, and advising the company, third parties, and employees on best practices in data protection. |
| Outsourcing | Allowed (Art. 39). | Allowed (Art. 5). |
| Publication of Contact Details | Contact details must be published on the company website and shared with the supervisory authority. | Contact details must be published on the company’s website. |
| Conflict of Interest | Safeguards are implemented to ensure independence and avoid conflicts of interest (Art. 38(3) and 38(6)). | Measures are required to mitigate conflicts of interest (Resolution CD/ANPD nº 18/2024). |
| Position in the Organization | The DPO must operate independently, with access to resources and direct reporting to senior management (Art. 38). | Similar requirements for autonomy and access apply, but there is no explicit protection against dismissal (Resolution CD/ANPD nº 18/2024, Art. 10 and 15). |
Key differences between the DPO role in the GDPR and LGPD
Obligation to appoint a DPO
Unlike the GDPR, which establishes specific criteria for the appointment of a DPO, the LGPD takes a more general approach, requiring that the data controller designates a data protection officer. This means that, in general, any public or private organization must designate a DPO. However, an exception is provided in Resolution CD/ANPD nº 2/2022, which exempts small organizations from naming a DPO, as long as they comply with other LGPD obligations. Additionally, paragraph 3 of Article 41 allows the Brazilian National Data Protection Authority (ANPD) to determine cases where appointing a DPO is unnecessary, based on the nature, size, and volume of data processing activities.
Qualifications and skills
The role of the DPO under the LGPD is more flexible, with less stringent requirements compared to the GDPR, especially in terms of necessary qualifications. According to Article 7 of Resolution CD/ANPD nº 18/2024, it is the responsibility of the data controller to define the DPO’s qualifications, considering their knowledge in data protection legislation and the context, volume, and risks of data processing activities. The resolution also states that the DPO must be able to communicate effectively with data subjects and the ANPD. In contrast, the GDPR (Article 37) imposes stricter requirements, such as extensive knowledge of data protection laws and practices, qualifications proportional to the complexities and risks of the data processing activities, and expertise in technical and organizational measures.
Outsourcing the DPO function
Article 12 of Resolution CD/ANPD nº 18/2024, which regulates the DPO role, allows outsourcing of the position to an individual or entity, regardless of whether they are formally part of the organization's structure. The GDPR also provides similar outsourcing options.
Disclosure of DPO contact information
Under both legislations, the DPO’s contact details must be published on the organization's website to ensure transparency and accessibility for data subjects and supervisory authorities. According to Article 9 of Resolution CD/ANPD nº 18/2024, the contact details may also be shared through other communication channels if the organization does not have a website. Similarly, the GDPR requires that DPO contact details be shared with relevant authorities.
Conflict of interest
Both the GDPR and LGPD address the issue of conflicts of interest in relation to the DPO’s duties. The GDPR enforces detailed safeguards to preserve the DPO’s independence, prohibiting them from holding positions that may cause conflicts of interest, such as roles that define the aims of data processing. Additionally, the GDPR prevents DPOs from being penalized or dismissed for performing their responsibilities. The LGPD, on the other hand, requires the data controller to implement measures to mitigate conflicts of interest, with the possibility of replacing the DPO when necessary.
These aspects will be analyzed in greater depth in a specific article that will explore cases and legislation related to conflicts of interest in the context of data protection.
Position within the organization
Regarding overlapping roles, the LGPD does not explicitly prohibit a staff member, administrator, or external contractor from acting as a DPO, provided that the function’s independence is preserved. Similarly, under the GDPR, the DPO may perform other roles within the organization, as long as conflicts of interest are avoided. This means that, under European rules, the DPO cannot hold a position that determines the purposes or means of data processing, such as Chief Executive Officer, Chief Operations Officer, or Head of Human Resources.
The DPO role is fundamental in ensuring compliance with privacy regulations. A clear understanding of the applicable laws governing this role is essential for organizations operating in Brazil. Foreign companies entering the Brazilian market should seek local legal counsel to ensure compliance with the LGPD, particularly regarding the appointment and responsibilities of the DPO.
GTLawyers brings extensive expertise to assist businesses in this area. We offer advisory services to support DPOs in their daily responsibilities or act as external DPOs to reduce potential conflicts of interest. Our team ensures that companies not only meet their legal obligations but also implement effective data protection practices, minimizing legal and reputational risks while maintaining the DPO’s independence and impartiality.
Anne Brunschwig – abrunschwig@gtlawyers.com.br
Jessica Ferreira – jferreira@gtlawyers.com.br






