Brazil: LGPD – first guide for processing agents and DPOS


published on 22 June 2021 | reading time approx. 2 minutes


In 2020, the Brazilian Data Protection Law came into effect. The law brought basic concepts that still need clarification. According to what we have historically observed in Europe, the Brazilian National Data Protection Authority (ANPD) has published a “Guidance for Definitions of the Controller and the Data Protection Officer (DPO)”.


The document aims to promote knowledge of data protection standards, public policies, and data protection practices in Brazil, as well as to establish non-binding guidelines for the Data Processors and explain who may exercise the role of the controller, the operator, and the DPO in charge. It also provides legal definitions, the respective liability regimes, specific cases, and frequently asked questions on the subject.

The Data Processors, known as the controller and the operator of personal data, may be natural or legal persons and are subject to the rules of the LGPD and the supervision of the ANPD. It is important to note that the Guideline points out that the Data Processors are defined for each personal data processing operation, so the same organization may be a controller and an operator depending on its performance in the various processes.

The controller makes the main decisions concerning the processing of personal data and defines the purpose of this processing, while the operator performs the processing of personal data on behalf of the controller and according to a previously defined purpose, thus, having the main difference between both figures: the power of decision.

The Officer in Charge, also known in the GDPR as the Data Protection Officer (DPO), is the individual who is responsible for ensuring compliance in an organization, whether public or private, to be appointed by the data controller. Note that the DPO may be an external agent, hired as a “service provider”, who aims for good practice. The purpose of the DPO is to ensure that all processing of personal data is done following the relevant protection laws and has adequate resources to carry out its activities with freedom. For this reason, he is the channel of communication between the controller, the data subjects and the ANPD, therefore, an essential component for the successful internal and external performance of a company. According to §2 of Article 41 of the LGPD, the DPO has the following duties: accept complaints and communications from data subjects, provide clarifications and take action; receive communications from the national authority and take action; guide employees and contractors of the entity regarding practices to be taken about the protection of personal data, and perform other duties determined by the controller or established in complementary rules. 

 From the newsletter


Contact Person Picture

Philipp Klose-Morero

Managing Partner South America

+55 11 5094 6060

Send inquiry

 How we can help

 Read more

Deutschland Weltweit Search Menu