ANPD Publishes Guidance on the Definition of Data Processing Agents and the DPO
The ANPD (Brazil's National Data Protection Authority), the federal body responsible for issuing guidance, regulating and enforcing compliance with the LGPD (Brazil's general data protection law), published on May 28 its Guidance on the Definition of Data Processing Agents and the Data Protection Officer, aimed at clarifying who may act as Controller, Processor and DPO, and the responsibilities of each.
Although the guidance is non-binding, the document is highly relevant in light of the difficulty the market has faced in defining the roles and responsibilities of commercial partners as regards the processing of personal data.
Below we highlight some of the key topics addressed.
The first point worth noting is the clarification that the data processing agents (Controller and Processor) must be defined by reference to their institutional character — meaning that shareholders, directors and subordinated individuals such as employees will not be regarded as Processors of a company. Likewise, public servants will not be considered Processors of government bodies, since they act under the directive power of the processing agent, who is the party answerable to data subjects and the ANPD for the acts or omissions of its representatives.
Another important point is the guidance that the processing agent must be identified for each individual processing operation, such that the same organisation may act as Controller in one operation and as Processor in another, depending on the role it plays.
By way of example, an advertising agency engaged to run a campaign acts as Processor of personal data, given that the essential decisions about the processing — its purpose, target audience, campaign duration, and any final decision — rest with the contracting company, while the agency confines itself to defining non-essential elements such as the channels, tools and creative assets of the campaign. However, when processing personal data to promote its own services, the same agency acts as Controller.
The allocation of roles must consider the factual context and relevant circumstances of each case. The guidance lists, among the criteria for identifying the Controller, the definition of the purpose of the processing, the nature of the personal data being processed, and the duration of the processing — including the retention period — noting that further elements may be essential depending on the context and specifics of the case.
The guidance also confirms the existence of joint controllership and the sub-processor figure within the Brazilian data protection regime.
Joint controllership exists where two or more Controllers jointly, commonly or convergently determine the purposes and essential elements of the personal data processing, by means of an agreement setting out the parties' respective responsibilities for LGPD compliance, with joint and several liability towards data subjects and the ANPD.
A sub-processor, in turn, is a party engaged by a Processor to assist with the processing of personal data on behalf of the Controller. The sub-processor has a direct relationship with the Processor — not with the Controller. As to liability, the sub-processor may be treated as a Processor in respect of the activities for which it has been engaged, thereby extending the chain of joint and several liability under the LGPD.
Still on the sub-processor, the guidance recommends, as best practice, that the Processor obtain formal authorisation from the Controller before sub-contracting, whether generic or specific — and this authorisation may be set out in the contract between Controller and Processor itself.
This step is designed to prevent any reading that, in engaging a sub-processor, the Processor has carried out the processing in breach of the Controller's instructions.
The guidance also offers some considerations on the DPO. First, given that the LGPD does not specify the circumstances under which a DPO must be appointed, the general rule is that every organisation should designate someone to perform that role.
The guidance further reinforces that the DPO may be either an internal employee or an external agent, whether an individual or a legal entity, and recommends that the DPO be formally appointed — for instance, by a services agreement or an administrative act.
As to the DPO's professional qualifications, the guidance indicates these should be assessed by the Controller, taking into account knowledge of data protection and information security at a level appropriate to the needs of the organisation's operations.
Finally, the guidance does not replace future regulation on the topics covered and is open to comments and contributions from civil society, which may be sent to the ANPD by email at normatizacao@anpd.gov.br.
MARCO OROSZ
marco.orosz@fius.com.br
ISADORA COIMBRA DINIZ
isadora.diniz@fius.com.br
TIAGO MARTINS CRESPO
tiago.crespo@fius.com.br