Brazil | DPO Requirements – What foreign companies must do to stay compliant

13 April 2025

  • Brazil
  • Compliance
  • Privacy and Data Protection

Since Brazil’s General Data Protection Law (LGPD) came into force in 2020, the country has taken steady steps to solidify its data protection framework. The Brazilian National Data Protection Authority (ANPD) has become an increasingly active regulator, issuing guidelines that clarify key roles and responsibilities under the LGPD.

One of the most recent and significant developments is ANPD Resolution No. 18, which defines the scope, duties, and governance expectations for Data Protection Officers (DPOs) in Brazil. While the DPO role was already part of the LGPD, this resolution sharpens the regulatory focus and introduces new formalities and responsibilities—especially relevant for multinational companies operating in Brazil.

Here’s what foreign businesses and their counsel need to know—and do—to remain in compliance:

DPO Appointment Must Be Formal and Documented

The DPO must be formally appointed by the data controller through a written, dated, and signed document. This document must outline the DPO’s activities and duties, and must be readily available to the ANPD upon request. This is not a formality to overlook: an undocumented DPO designation could lead to enforcement risks.

Backup Required: Designate a Substitute DPO

While small data controllers are often exempt from appointing a DPO, the Resolution requires that they still establish a reliable communication channel for data subjects—ensuring the exercise of data protection rights. This applies even to subsidiaries or low-volume processors.

Disclose DPO Identity Publicly

Companies must publish the DPO’s name and contact details prominently on their website. For corporate DPOs, the name of the legal entity and the responsible individual must be disclosed. This is a public-facing requirement—easily verifiable by the ANPD or data subjects.

Controllers Must Empower the DPO

Brazilian law now places affirmative obligations on data controllers to provide the DPO with adequate resources and autonomy. This includes access to senior leadership and freedom from interference, especially in decision-making related to data protection.

Identity and contact information

The data controller must publicly disclose, in a prominent and easily accessible location on their website, the DPO’s identity and contact details. At a minimum, this should include (i) the full name, for individuals; or (ii) the business name or title of the entity and the full name of the responsible person, for legal entities; and (iii) information on the means of communication that enable data subjects to exercise their rights and the DPO to receive communications from the ANPD.

Key DPO Responsibilities

  • Responding to data subject complaints
  • Interfacing with the ANPD
  • Advising on incident response, data mapping, DPIAs, and internal policies
  • Promoting internal awareness and training
  • Ensuring risk mitigation strategies are in place

These obligations are not merely symbolic—they may require dedicated local support and a carefully structured compliance program.

No Strict Liability, But Conflict of Interest Rules Apply

DPOs are not personally liable for the controller’s actions. However, conflicts of interest must be proactively managed. A DPO cannot simultaneously hold a role involving strategic decisions about the processing of personal data—unless directly related to their duties.

Multinational organizations must take care when appointing global or regional DPOs with overlapping roles to avoid compliance pitfalls.

Failure to Comply Can Trigger Enforcement

If conflicts are not disclosed, or DPOs are inadequately appointed, the ANPD may apply sanctions. Controllers must document their decision-making, implement conflict-mitigation measures, or appoint alternative professionals when needed.

Final Thoughts: Legal Risk or Strategic Advantage?

With Resolution No. 18, Brazil aligns more closely with global data protection regimes, but with its own unique requirements. For foreign companies, the message is clear: the DPO role in Brazil is a regulatory obligation—not just a best practice.

Properly structuring this role offers not only legal certainty, but also the opportunity to demonstrate accountability and build trust with Brazilian consumers and regulators alike.

For international counsel, this is a strategic area where legal guidance is not just helpful—it’s essential.

Leopoldo Pagotto

Practice areas

  • Antitrust
  • Business ethics and compliance
  • Contracts
  • Corporate law
  • White-collar crime
