Leadership that generates business: the strategic role of partners in building new opportunities

We are pleased to announce that Tamy Tanzilli will represent our firm at an important talk on June 10, organized by C Law Experience in São Paulo. The central theme will be “Leadership that generates business: the strategic role of partners in building new opportunities”, a fundamental debate for the current legal landscape.

Tamy Tanzilli will join a panel of experts to discuss how proactive leadership and a strategic vision can drive the firm's growth and the identification of new business avenues.

On June 10, GT Lawyers will host a webinar presented by Anne-Caterine Brunschwig, Partner, and Jessica Ferreira, Associate Lawyer in the Data Protection & Compliance team. The session will examine the legal framework applicable to international data transfers under Brazilian law, as regulated by ANPD Resolution No. 19/2024, as well as the compliance obligations that organizations must fulfill to ensure the lawful cross-border processing of personal data.

Key topics include:
✅ The legal definition of international data transfers under the LGPD 
✅ The scenarios in which such transfers are permitted
✅ The main legal bases and mechanisms that authorize cross-border data flows

📅 Date: June 10, 2025
🕐 Time: 1:00 PM (BRT)

🔗 Register here

PGDAU Notice nº 11/2025 sets advantageous conditions for settling debts with the Federal Union

The Procuradoria Geral da Fazenda Nacional (“PGFN”) has published PGDAU Notice nº 11/2025, effective from May 30, 2025, introducing new transaction modalities for regularizing debts registered within the Federal Union's active debt list, whether tax-related or not. These modalities offer benefits such as interest, fine, and legal fee reductions, easier upfront payments, and extended deadlines for installments.

This measure aims to encourage defaulters to regularize their fiscal standing, taking into account their payment capacity and the classification of their debts. Applications must be submitted exclusively via the REGULARIZE platform (www.regularize.pgfn.gov.br) between June 2 and September 30, 2025, from 8:00 a.m. to 7:00 p.m. (Brasília time).

Eligible debts and transaction modalities

Tax and non-tax debts registered in the Union's active debt system are eligible for inclusion, provided the consolidated amount does not exceed R$45 million per taxpayer. The registration date of the debt determines the applicable transaction modality.

Debts registered by 03/04/2025 may qualify for the following modalities:

- Payment capacity transactions;

- Transactions for uncollectible debts;

- Transactions for debts guaranteed by insurance or a guarantee letter.

Debts registered by 06/02/2024 are exclusively eligible for:

- Small-value transactions (up to 60 minimum wages per registration).

The proposals are divided into four main modalities: 1) Payment capacity transactions, 2) Transactions for uncollectible debts, 3) Small-value debt transactions, 4) Transactions for debts guaranteed by insurance or a guarantee letter, as specified in the notice.

Debts already subject to payment arrangements (installments, previous transactions, guarantees, or legally suspended by court rulings) may be included, provided there is a formal renunciation, as per the deadlines and conditions outlined in the notice. Taxpayers who have had previous transactions rescinded within the past two years, even for different debts, are not eligible for this initiative.

Additional rules and restrictions

Adherence must cover all eligible debts under the taxpayer's name; partial adherence is not allowed.

For debts under judicial litigation, proof of renunciation of legal actions must be provided within 60 days after adherence.

Failure to pay three installments, whether consecutive or not, will result in automatic termination of the agreement.

The minimum installment amount is R$100, except for individual micro-entrepreneurs (MEI), where it is R$25.

Installments will be adjusted according to the monthly accumulated SELIC rate, with an additional 1% applied during the payment month. The taxpayer must maintain fiscal compliance with Receita Federal and FGTS throughout the agreement's duration.

Judicial deposits tied to the included debts will be automatically converted into final payments, with discounts applied only to the remaining balance.

Recommendation

The transaction opportunity provided under PGDAU Notice nº 11/2025 represents a strategic option for federal debt regularization, especially for taxpayers with long-standing liabilities, limited payment capacity, or low-value debts. Given the specificities of each modality and their applicable rules, performing an individualized analysis is crucial before adhering.

Our firm is available to provide comprehensive support, including eligibility verification, detailed simulations of payments and discounts, formal adherence procedures, renunciation of legal actions, and full compliance monitoring until the agreement is successfully concluded.

We remain available for any additional clarifications.

GT Lawyers – Tax Team

egross@gtlawyers.com.br 

In-person event at the CCIFB on 29/05/2025

Enforcement of guarantees after the Marco das Garantias in the real estate sector

On May 29, at 8:30 a.m., the Câmara de Comércio França-Brasil is organizing a meeting to discuss the structural changes aimed at providing greater legal certainty, procedural speed and effectiveness in the recovery of credits secured by real estate.

The meeting will be moderated by our partner, Carolina Moresco, and our lawyer Fernanda Malta, and the talk will be given by Fábio Rocha Pinto e Silva, partner at Pinheiro Neto Advogados, and Patrícia André de Camargo Ferraz, Registrar of Real Estate, Deeds and Documents, and Civil Registry of Legal Entities of Diadema.

Take part and understand how these practices can transform the future of your firm!

Dear clients and partners,

It is with great respect, admiration and a feeling of deep gratitude that we share an important chapter in the history of GTLawyers: the retirement of our dear partner Thomas Fowler, which will take place at the end of May 2025.

After four years of joint planning, conducted with transparency, responsibility and open dialogue, Thomas will conclude his brilliant professional career with us and begin enjoying a new phase dedicated to family, friends and well-deserved tranquility in Serra Negra, always with the certainty that he will remain close to all of us, now in his new position as Consultant to the firm.

Thomas's story is marked by exceptional achievements and contributions. With a solid career at major national and multinational companies, such as Toyota do Brasil, Vale and Anglo American, Thomas brought to GTLawyers a unique wealth of knowledge, practical experience and strategic vision. In 2014, he joined our team initially with the challenge of collaborating on specific projects, but his talent quickly stood out, consolidating his presence permanently, until he became a partner and an indispensable reference in our labor consulting practice.

Over these years, Thomas was much more than a partner: his ethical stance, human sensitivity and technical rigor shaped the culture of our firm and inspired generations of professionals. His attention to detail, his ability to deal with complex issues and his constant dedication to quality became hallmarks of GTLawyers, recognized by our entire team, the market and, above all, our clients.

Beyond his valuable legal knowledge, Thomas gave us friendship, loyalty and integrity, qualities that transcend the professional environment and strengthen the bonds that unite GTLawyers.

With the same seriousness and care that guided the planning of his retirement, we assure you that the transition process was conducted in a structured and thorough manner. Accordingly, the continuity of the work and of the service to our clients will proceed with the same excellence as always, under the leadership of partner Diogo Tabosa and his capable team, who share the same values and quality standards established by Thomas throughout his career.

Please accept our most sincere thanks for everything you have built and shared with us.

Finally, we reiterate to all our clients and partners that our commitment to excellence, transparency and dedication remains unwavering.

With appreciation and gratitude,

GTLawyers team

Dear all,

As part of the approval of the accounts for the year 2024, we would like to draw your attention to the fact that Brazilian law stipulates that this procedure must be carried out within 4 months from the closing of the accounts. For Brazilian companies that close their financial year on December 31 of each year, the approval of the annual accounts should therefore be carried out before April 30 of the following year.

We are at your disposal to assist you in this procedure and provide you with any additional information.

Best regards,

GTLawyers team

The Data Protection Officer (DPO) is a role established by both Brazilian legislation (General Data Protection Law – “LGPD”) and European legislation (General Data Protection Regulation – “GDPR”). Both laws have their own requirements for the appointment of their DPOs, whether for data controllers or processors. The Data Protection Officer acts as a channel of communication between data subjects and the public authority responsible for enforcing data protection regulations within the jurisdiction.

Although both laws require the presence of a DPO, there are key differences that companies must be aware of in order to mitigate risks, avoid legal and administrative sanctions and prevent damage to their reputation. To clarify these distinctions, we have prepared a comparative table covering the LGPD and the GDPR.

Below, we highlight the main features of these two laws:

| | GDPR | LGPD |
| --- | --- | --- |
| Obligation to appoint a DPO | Mandatory in specific cases, for example public bodies or entities involved in large-scale, systematic monitoring of data or in the processing of sensitive data (Art. 37). | Generally required for all entities, with exceptions for small-scale agents if a communication channel is available (Resolution CD/ANPD No. 2/2022). |
| Qualifications and skills | Requires professional qualifications, particularly in law and data protection practices (Art. 37) [1]. | Qualifications are determined by expertise relevant to the context, volume and risks associated with the data processing (Resolution CD/ANPD No. 18/2024). |
| Responsibilities | Significant responsibilities, including support for impact assessments, regulatory cooperation and contact with the data subject (Art. 39). | Responsibilities include managing complaints and communications with data subjects and the ANPD, and advising the company, third parties and employees on data protection practices. |
| Outsourcing | Permitted (Art. 39). | Permitted (Art. 5). |
| Disclosure | Contact details must be published on the company website and provided to the supervisory authorities. | Contact details must be published on the company website. |
| Conflict of interest | Safeguards to ensure independence and prevent conflicts of interest (Art. 38(3) and 38(6)). | Requires measures to mitigate conflicts of interest (Resolution CD/ANPD No. 18/2024). |
| Position within the organization | Operates independently, with the necessary resources and direct access to senior management [2]. | Similar requirements regarding autonomy and access, although there is no explicit protection against dismissal (Resolution CD/ANPD No. 18/2024, Art. 10 and 15). |

Below, we provide additional clarification on the differences between the Data Protection Officer under the GDPR and under the LGPD.

OBLIGATION TO APPOINT A DATA PROTECTION OFFICER

Unlike the GDPR [3], which establishes specific criteria for the designation of a DPO, the LGPD adopts a more general approach, determining that the data controller must designate a person in charge of personal data protection. This implies that, as a general rule, any public or private organization must designate a DPO. However, there is an exception established in Resolution CD/ANPD No. 2/2022, which exempts small-scale processing agents [4] from designating a DPO, while maintaining the other obligations defined by the LGPD [5]. In addition, §3 of Article 41 provides for the possibility of other exemptions, allowing the National Data Protection Authority (“ANPD”) to establish cases in which the designation of a DPO may not be necessary, taking into account the nature, size and volume of data processing by the entity.

QUALIFICATIONS AND SKILLS

The role of the DPO under Brazilian legislation is more flexible and has less stringent requirements compared with Europe, especially with regard to the qualifications of the professional who holds this position. Under Article 7 of Resolution CD/ANPD No. 18/2024, it is for the data processing agent to define the qualifications of the Data Protection Officer on the basis of his or her knowledge of personal data protection legislation, as well as the context, volume and risk of the processing operations carried out. This Resolution also establishes that the DPO must be able to communicate effectively with data subjects and with the ANPD. In Europe, Article 37 of the GDPR imposes more specific requirements, such as the need for specialized knowledge in law and data protection practices, the requirement that qualifications be commensurate with the complexity and risk of the processing activities, the ability to develop and maintain data protection programs, and familiarity with technical and organizational measures.

OUTSOURCING THE ROLE OF THE DATA PROTECTION OFFICER

Resolution CD/ANPD No. 18/2024, which regulates the DPO role in Article 12, provides that this professional may be a natural person, whether or not linked to the organizational structure of the processing agent, or a legal entity [6]. All of these options are also permitted by the GDPR [7].

DISCLOSURE OF THE DATA PROTECTION OFFICER’S CONTACT INFORMATION

The DPO’s contact information must be published on the company’s website under both laws, ensuring transparency and accessibility for data subjects and authorities. Article 9 of Resolution CD/ANPD No. 18/2024 also allows disclosure to take place through other means of communication if the data controller does not have its own website. The GDPR also establishes that the DPO’s contact details must be communicated to the authorities.

CONSIDERATIONS ON CONFLICTS OF INTEREST

Both the General Data Protection Regulation (GDPR) and the General Data Protection Law (LGPD) address the subject of conflicts of interest in the performance of the DPO’s duties. The GDPR adopts detailed safeguards to guarantee the independence of the Data Protection Officer, prohibiting the DPO from taking on functions that could give rise to a conflict of interest, such as positions in which he or she determines the purposes of personal data processing. In addition, the regulation requires that the Data Protection Officer not be penalized or dismissed for carrying out his or her responsibilities [8]. The LGPD, for its part, establishes that the data controller must adopt measures to mitigate any conflict of interest, with the possibility of replacing the DPO if necessary.

These aspects will be analyzed in greater depth in a dedicated article that will explore cases and legislation related to conflicts of interest in the context of data protection.

POSITION WITHIN THE ORGANIZATION

With regard to the accumulation of functions, Brazilian legislation does not expressly prohibit an employee, a director or a contractor from being designated as DPO, provided that the independence of the role is preserved. Likewise, under the GDPR, the DPO may perform other functions within the organization, provided that this does not give rise to a conflict of interest. This means that, under European Union legislation, the DPO cannot hold a position in which he or she determines the purposes and means of personal data processing activities, such as a chief executive officer, a chief operating officer or a head of Human Resources, for example [9].

The role of the DPO is fundamental to maintaining privacy standards, and a clear understanding of the regulations governing this role is essential for organizations operating in Brazil. Foreign companies entering the Brazilian market should seek local legal advice to ensure compliance with the LGPD, in particular with regard to the designation and responsibilities of the DPO.

GTLawyers has all the expertise needed to provide legal advice and guidance, either by assisting the DPO in day-to-day activities or by offering DPO services to mitigate potential conflicts of interest. Our team ensures that companies not only fulfil their legal obligations but also implement effective data protection practices, thereby minimizing legal and reputational risks while preserving the DPO’s independence and impartiality.

GT Lawyers 

Anne Brunschwig

abrunschwig@gtlawyers.com.br

Jessica Ferreira

jferreira@gtlawyers.com.br

[1] The Article 29 Working Party (WP29) has published guidelines widely recognized by the market on the qualifications of the DPO, indicating that this professional must know how to create, implement and maintain a Data Protection Program. Moreover, the more complex or risky the data processing carried out by the controller, the higher the knowledge and specialization requirements for the DPO will be. Finally, the DPO does not need to be a lawyer, but must be familiar with the legislation and with technical and organizational data protection measures.

[2] Article 38 of the General Data Protection Regulation (GDPR) stipulates that the DPO must be involved in matters related to the processing of personal data and, furthermore, must act autonomously, without receiving instructions from third parties, regardless of hierarchical position. In this context, the company must provide the resources necessary for the performance of the DPO’s activities. It is also important to emphasize that the DPO cannot be dismissed or penalized for performing his or her duties. The DPO must report to senior management, and data subjects may contact the DPO directly to clarify their doubts and address relevant issues. In addition, the DPO must maintain confidentiality about his or her activities and may perform other functions within the company, provided that there is no conflict of interest.

[3] Under the GDPR, the designation of a DPO is mandatory in three specific cases described in Article 37: (i) when the data processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (ii) when the core activities of the controller or processor involve regular and systematic monitoring of data subjects on a large scale; or (iii) when the core activities involve large-scale processing of special categories of data, such as sensitive data or information relating to criminal convictions and offences.

[4] Article 2, I, of the aforementioned resolution defines these agents. Examples include micro-enterprises, small businesses, startups and private legal entities, including non-profit organizations. It should be noted that the agent cannot benefit from the differentiated legal treatment of the resolution if it falls under the scenarios provided for in Article 3.

[5] The obligations of small-scale processing agents have been maintained, but a degree of flexibility has been introduced in specific areas, such as the doubled deadline for responding to data subjects’ requests and for communicating with the National Data Protection Authority (ANPD), as well as the possibility of adopting simplified procedures.

[6] The original text of the LGPD stipulated that the DPO had to be a natural person. However, Provisional Measure No. 869/2018 removed the term “natural person”, and Law No. 13.853/2019 introduced the possibility for companies to act as DPO.

[7] In accordance with Article 37, §6 of the GDPR, “the DPO may be a staff member of the controller or processor, or perform the duties on the basis of a service contract”.

[8] See Article 38 of the GDPR.

[9] More information at: www.ecb.europa.eu. https://www.edpb.europa.eu/sme-data-protection-guide/data-protection-officer_en Accessed on: 30/10/2024.

The Data Protection Officer (DPO) is a role established by both Brazilian legislation (General Data Protection Law – “LGPD”) and European legislation (General Data Protection Regulation – “GDPR”). Both laws have their own requirements for the appointment of their DPOs, whether for data controllers or processors. The Data Protection Officer serves as a channel of communication between the data subjects and the public authority responsible for enforcing data protection regulations within the jurisdiction.

Although both legislations mandate the presence of a DPO, there are key differences that companies must be aware of to mitigate risks, avoid legal and administrative penalties, and prevent damage to their reputation. To clarify these distinctions, we have prepared a comparative table regarding the LGPD and the GDPR. 

Below, we highlight the main features of these two legislations:

| | GDPR | LGPD |
| --- | --- | --- |
| Legal obligation to appoint a DPO | Mandatory in specific cases, e.g., public bodies or entities involved in large-scale, systematic data monitoring or sensitive data processing (Art. 37). | Generally required for all entities, with exemptions for small-scale agents if a communication channel is available (Resolution CD/ANPD No. 2/2022). |
| Qualifications and Skills | Requires professional qualifications, particularly in law and data protection practices (Art. 37) [1]. | Qualifications are determined by expertise relevant to the context, volume, and risks associated with data processing (Resolution CD/ANPD No. 18/2024). |
| Responsibilities | Extensive responsibilities, including DPIA support, regulatory cooperation, and data subject contact (Art. 39). | Responsibilities include managing complaints and communications with data subjects, ANPD, and advising the company, third parties, and employees on data protection practices. |
| Outsourcing | Permitted (Art. 39). | Permitted (Art. 5). |
| Disclosure | Contact details must be published on the company website and provided to supervisory authorities. | Contact details must be published on the company website. |
| Conflict of interest | Safeguards to ensure independence and prevent conflict of interest (Arts. 38(3) and 38(6)). | Requires measures to mitigate conflicts of interest (Resolution CD/ANPD No. 18/2024). |
| Position within the company | Operates independently, with necessary resources and direct senior management access [2]. | Similar requirements for autonomy and access, though no explicit protection against dismissal (Resolution CD/ANPD No. 18/2024, Arts. 10 and 15). |

Below, we provide further clarification on the differences between the Data Protection Officer under the GDPR and the LGPD.

OBLIGATION TO APPOINT A DPO

Unlike the GDPR [3], which establishes specific criteria for the designation of a DPO, the LGPD adopts a more general approach, determining that the data controller must appoint a person in charge of personal data protection. This implies that, generally, any public or private organization must appoint a DPO. However, there is an exception established in Resolution CD/ANPD No. 2/2022, which exempts small processing agents [4] from appointing a DPO, while maintaining other obligations defined by the LGPD [5]. Additionally, §3 of Article 41 provides the possibility of additional exemptions, allowing the National Data Protection Authority (“ANPD”) to establish cases where the appointment of a DPO may not be necessary, considering the nature, size, and volume of data processing by the entity.

QUALIFICATIONS AND SKILLS

The role of the DPO under Brazilian legislation is more flexible, with less stringent requirements than in Europe, particularly regarding the qualifications of the professional occupying this position. According to Article 7 of Resolution CD/ANPD No. 18/2024, it is the responsibility of the data processing agent to define the qualifications of the DPO based on their knowledge of personal data protection legislation, as well as the context, volume, and risk of the processing operations conducted. This Resolution also establishes that the DPO must be capable of effectively communicating with data subjects and with the ANPD. In Europe, Article 37 of the GDPR imposes more specific requirements, such as the need for specialized knowledge in law and data protection practices, the requirement that qualifications match the complexity and risk of processing activities, the ability to develop and maintain data protection programs, as well as familiarity with technical and organizational measures.

OUTSOURCING THE DPO ROLE 

Resolution CD/ANPD No. 18/2024, which regulates the DPO role in Article 12, provides that the DPO may be an individual, either affiliated or not with the organizational structure of the processing agent, or a legal entity [6]. All these options are also permitted under the GDPR [7].

DISCLOSURE OF THE DPO’S CONTACT INFORMATION

The contact details of the DPO must be published on the company’s website under both legislations, ensuring transparency and accessibility for data subjects and authorities. Article 9 of Resolution CD/ANPD No. 18/2024 also allows for disclosure through other communication means if the data controller does not have its own website. The GDPR also requires that the DPO’s contact details be communicated to the authorities.

CONFLICTS OF INTEREST CONSIDERATIONS

Both the General Data Protection Regulation (GDPR) and the Brazilian General Data Protection Law (LGPD) address conflicts of interest influencing the performance of the DPO’s duties. The GDPR includes detailed safeguards to ensure the DPO’s independence, prohibiting them from performing functions that could create a conflict of interest, such as positions where they determine the purposes of personal data processing. Furthermore, the regulation states that the DPO should not be penalized or dismissed for performing their responsibilities [8]. In contrast, the LGPD establishes that the data controller must take steps to mitigate any conflict of interest, with the option to replace the DPO if necessary. 

These aspects will be analyzed more thoroughly in a specific article exploring cases and legislation related to conflicts of interest in the context of data protection.

POSITION WITHIN THE ORGANIZATION

Regarding the accumulation of functions, Brazilian legislation does not explicitly prohibit an employee, director, or contractor from being designated as a DPO, provided that the independence of the role is maintained. Similarly, under the GDPR, the DPO may perform other roles within the organization as long as it does not lead to a conflict of interest. This means that, according to European Union legislation, the DPO cannot hold a position where they determine the purposes and means of personal data processing activities, such as a chief executive officer, chief operating officer, or head of human resources, for instance [9].

***

In conclusion, the role of the DPO is crucial for maintaining privacy standards, and a clear understanding of the regulations governing this role is essential for organizations operating in Brazil. Foreign companies entering the Brazilian market should seek local legal advice to ensure compliance with the LGPD, particularly regarding the designation and responsibilities of the DPO.

GTLawyers possesses the necessary expertise to provide legal advice and guidance, whether by assisting the DPO in their daily activities or by offering DPO services to mitigate potential conflicts of interest. Our team ensures that companies not only fulfill their legal obligations but also implement effective data protection practices, thereby minimizing legal and reputational risks while maintaining the DPO’s independence and impartiality.

GT Lawyers 

Anne Brunschwig

abrunschwig@gtlawyers.com.br

Jessica Ferreira

jferreira@gtlawyers.com.br

[1] The Article 29 Working Party (WP29) has issued widely recognized market guidelines on the qualifications of the DPO, indicating that this professional must be capable of creating, implementing, and maintaining a Data Protection Program. Moreover, the more complex or risky the data processing carried out by the data controller, the higher the knowledge and specialization requirements for the DPO will be. Finally, the DPO does not need to be a lawyer, but must be familiar with data protection legislation and technical and organizational measures.

[2] Article 38 of the General Data Protection Regulation (GDPR) stipulates that the DPO must be involved in matters related to the processing of personal data and must act autonomously, without receiving instructions from third parties, regardless of their hierarchical position. In this context, the company must provide the necessary resources for the exercise of their activities. It is also important to emphasize that the DPO cannot be dismissed or penalized for performing their duties. They must report to senior management, and data subjects can contact them directly to clarify their doubts and address pertinent issues. Additionally, the DPO must maintain confidentiality regarding their activities and can perform other functions within the company, provided that there is no conflict of interest.

[3] Under the GDPR, the designation of a DPO is mandatory in three specific cases described in Article 37: (i) when data processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (ii) when the core activities of the controller or processor involve regular and systematic monitoring of data subjects on a large scale; or (iii) when the core activities involve large-scale processing of special categories of data, such as sensitive data or information relating to criminal convictions and offenses.

[4] Article 2, I, of the mentioned resolution defines these agents. Examples include micro-enterprises, small businesses, startups, private legal entities, including non-profit organizations. It is important to note that the agent cannot benefit from the differentiated legal treatment of the resolution if they fall under the scenarios provided in Article 3.

[5] The obligations of small processing agents have been maintained, but a certain flexibility has been introduced in specific areas, such as the doubled timeframe to respond to data subjects’ requests and to communicate with the National Data Protection Authority (ANPD), as well as the possibility of adopting simplified procedures.

[6] The original text of the LGPD stipulated that the DPO must be a natural person. However, Provisional Measure No. 869/2018 removed the term “natural person,” and Law No. 13.853/2019 introduced the possibility for companies to act as a DPO.

[7] In accordance with Article 37, §6 of the GDPR, “the DPO may be a staff member of the controller or processor, or perform the duties on the basis of a service contract.”

[8] See Article 38 of the GDPR.

[9] More information is available at: www.ecb.europa.eu (accessed on: 30/10/2024).

The Data Protection Officer (DPO), as established by European legislation (General Data Protection Regulation - "GDPR") and Brazilian legislation (General Data Protection Law - "LGPD"), plays a critical role in ensuring data protection compliance. These laws define specific requirements for DPO appointments, applicable to both data controllers and processors. The DPO acts as a communication channel between data subjects and the public authority responsible for enforcing data protection regulations.

Although both legislations require the presence of a DPO, there are key differences that companies must understand to mitigate risks, avoid legal and administrative sanctions, and safeguard their reputations. To clarify these distinctions, we have prepared a comparative table of the LGPD and GDPR requirements.

Here are the key characteristics of both legislations:

| | GDPR | LGPD |
|---|---|---|
| Mandatory DPO Appointment | Mandatory for specific cases: for public organizations or entities engaged in large-scale, systematic monitoring or sensitive data processing (Art. 37). | Generally required for all entities, except for small organizations if a communication channel is in place (Resolution CD/ANPD nº 2/2022). |
| Qualifications and Skills | Professional qualifications required, particularly in law and data protection practices (Art. 37). | Qualifications are determined based on expertise relevant to the context, volume, and risks of data processing operations (Resolution CD/ANPD nº 18/2024). |
| Responsibilities | Includes support for impact assessments, cooperation with regulators, and communication with data subjects (Art. 39). | Includes managing complaints, liaising with data subjects and the ANPD, and advising the company, third parties, and employees on best practices in data protection. |
| Outsourcing | Allowed (Art. 39). | Allowed (Art. 5). |
| Publication of Contact Details | Contact details must be published on the company website and shared with the supervisory authority. | Contact details must be published on the company’s website. |
| Conflict of Interest | Safeguards are implemented to ensure independence and avoid conflicts of interest (Art. 38(3) and 38(6)). | Measures are required to mitigate conflicts of interest (Resolution CD/ANPD nº 18/2024). |
| Position in the Organization | The DPO must operate independently, with access to resources and direct reporting to senior management (Art. 38). | Similar requirements for autonomy and access apply, but there is no explicit protection against dismissal (Resolution CD/ANPD nº 18/2024, Art. 10 and 15). |

Key differences between the DPO role in the GDPR and LGPD

Obligation to appoint a DPO 

Unlike the GDPR, which establishes specific criteria for the appointment of a DPO, the LGPD takes a more general approach, requiring that the data controller designates a data protection officer. This means that, in general, any public or private organization must designate a DPO. However, an exception is provided in Resolution CD/ANPD nº 2/2022, which exempts small organizations from naming a DPO, as long as they comply with other LGPD obligations. Additionally, paragraph 3 of Article 41 allows the Brazilian National Data Protection Authority (ANPD) to determine cases where appointing a DPO is unnecessary, based on the nature, size, and volume of data processing activities.

Qualifications and skills

The role of the DPO under the LGPD is more flexible, with less stringent requirements compared to the GDPR, especially in terms of necessary qualifications. According to Article 7 of Resolution CD/ANPD nº 18/2024, it is the responsibility of the data controller to define the DPO’s qualifications, considering their knowledge in data protection legislation and the context, volume, and risks of data processing activities. The resolution also states that the DPO must be able to communicate effectively with data subjects and the ANPD. In contrast, the GDPR (Article 37) imposes stricter requirements, such as extensive knowledge of data protection laws and practices, qualifications proportional to the complexities and risks of the data processing activities, and expertise in technical and organizational measures.

Outsourcing the DPO function 

Article 12 of Resolution CD/ANPD nº 18/2024, which regulates the DPO role, allows outsourcing of the position to an individual or entity, regardless of whether they are formally part of the organization's structure. The GDPR also provides similar outsourcing options.

Disclosure of DPO contact information 

Under both legislations, the DPO’s contact details must be published on the organization's website to ensure transparency and accessibility for data subjects and supervisory authorities. According to Article 9 of Resolution CD/ANPD nº 18/2024, the contact details may also be shared through other communication channels if the organization does not have a website. Similarly, the GDPR requires that DPO contact details be shared with relevant authorities.

Conflict of interest

Both the GDPR and LGPD address the issue of conflicts of interest in relation to the DPO’s duties. The GDPR enforces detailed safeguards to preserve the DPO’s independence, prohibiting them from holding positions that may cause conflicts of interest, such as roles that define the aims of data processing. Additionally, the GDPR prevents DPOs from being penalized or dismissed for performing their responsibilities. The LGPD, on the other hand, requires the data controller to implement measures to mitigate conflicts of interest, with the possibility of replacing the DPO when necessary.

These aspects will be analyzed in greater depth in a specific article that will explore cases and legislation related to conflicts of interest in the context of data protection.

Position within the organization

Regarding overlapping roles, the LGPD does not explicitly prohibit a staff member, administrator, or external contractor from acting as a DPO, provided that the function’s independence is preserved. Similarly, under the GDPR, the DPO may perform other roles within the organization, as long as conflicts of interest are avoided. This means that, under European rules, the DPO cannot hold a position that determines the purposes or means of data processing, such as Chief Executive Officer, Chief Operations Officer, or Head of Human Resources.

The DPO role is fundamental in ensuring compliance with privacy regulations. A clear understanding of the applicable laws governing this role is essential for organizations operating in Brazil. Foreign companies entering the Brazilian market should seek local legal counsel to ensure compliance with the LGPD, particularly regarding the appointment and responsibilities of the DPO.

GTLawyers brings extensive expertise to assist businesses in this area. We offer advisory services to support DPOs in their daily responsibilities or act as external DPOs to reduce potential conflicts of interest. Our team ensures that companies not only meet their legal obligations but also implement effective data protection practices, minimizing legal and reputational risks while maintaining the DPO’s independence and impartiality.

Anne Brunschwig abrunschwig@gtlawyers.com.br

Jessica Ferreira jferreira@gtlawyers.com.br

As reported by the major press outlets, the Federal Government has submitted to the National Congress bill 1.085 (PL 1.087/2025), aimed at reforming the income tax owed by individuals (“IRPF”). Below is a brief summary of, and our considerations on, this new bill:

IRPF reductions

The bill grants a 100% reduction of the IRPF to taxpayers whose taxable income does not exceed R$ 5,000/month, and smaller, graduated reductions to those earning between R$ 5,000 and R$ 7,000/month.

Contrary to the history of taxation based on the progressive table (taxation by bracket), this reduction applies exclusively to taxpayers within this income range (a personal benefit), and not to taxpayers with higher income. In other words, a taxpayer earning R$ 8,000/month, for example, will continue to pay IRPF based on the rates of the progressive table in force, with no right to the IRPF reducers on the income bracket of up to R$ 7,000/month.

We consider this distinction highly questionable, since it restricts the benefit of the reducer to taxpayers rather than to income brackets, treating unequally taxpayers in very similar economic situations (e.g., a taxpayer with monthly income of R$ 5,000 versus monthly income of R$ 7,000) and ignoring that the ability to pay of that income bracket is the same, regardless of the taxpayer.

Minimum IRPF for high incomes

The bill intends to establish a minimum IRPF floor for taxpayers classified in high income brackets, through the following measures:

  • Minimum IRPF: introduction of a minimum IRPF for taxpayers with annual income above R$ 600,000. Capital gains, donations and inheritances are to be excluded from this calculation. The minimum IRPF will be progressive (0-10%) for income above R$ 600,000 and below R$ 1.2 million. Above that limit, the minimum IRPF will be 10%.
  • The following may be deducted from the minimum IRPF: (i) the IRPF calculated under the regular regime, due in the Annual Adjustment Return; (ii) income tax withheld under the exclusive withholding-at-source system; (iii) income tax due on investments abroad; (iv) definitive income tax paid on income that forms part of its calculation base (net gains, for example); and (v) the reducer on dividends (discussed below). If the sum of items (i) to (iv) exceeds the amount of the minimum IRPF, the latter will be equal to zero.
  • Profits and dividends: taxation by the IRPF, at a rate of 10%, of profits and dividends paid by companies in Brazil to the same individual, provided that the monthly amount exceeds R$ 50,000/month;
  • Dividends and minimum IRPF: if the sum of the effective tax rate on the legal entity's profits (IRPJ and CSLL) and the effective rate of the minimum IRPF exceeds the nominal IRPJ/CSLL rates, a reducer of the minimum IRPF will be granted on the profits and dividends distributed. The rationale for the reducer is that the overall taxation of profits/dividends subject to the minimum IRPF should not exceed the nominal IRPJ/CSLL rates (34%, 40% or 45%, depending on the activity carried out by the company). The reducer is to be determined based on the effective IRPJ/CSLL rate paid by the legal entity, considering the total of these taxes and the company's net profit.
  • Abroad: a 10% withholding income tax (IRFonte) rate on profits and dividends paid abroad;
  • Also in this case, if the sum of the effective tax rate on the legal entity's profits (IRPJ and CSLL) and the IRFonte exceeds the nominal IRPJ/CSLL rates (34%, 40% or 45%), a credit will be granted to the non-resident, which may be claimed within 360 days counted from the end of each fiscal year.

We remain available for further clarification on this matter.

Article prepared by Estevão Gross, partner at GTLawyers. For more information, please contact us by telephone at 11.3504.7618 or by e-mail at egross@gtlawyers.com.br.