At the end of 2024, the ANPD (National Data Protection Authority) began monitoring large companies, such as Dell, Bluefit Academia, Latam, Serasa, Uber, Telefônica, and Telegram, among others, for allegedly not having a data protection officer or an efficient communication channel, in violation of the General Data Protection Law (LGPD).
As provided in Article 41 of the LGPD, it is the obligation of every Data Controller to appoint a data protection officer responsible for handling requests from data subjects and the ANPD itself. The officer will be responsible for accepting complaints and communications from data subjects, providing clarifications and taking action, receiving communications from the national authority and taking action, guiding the entity’s employees and contractors regarding practices to be adopted concerning personal data protection, and performing other duties determined by the controller or established in complementary regulations. Although not required, it is recommended to have a formal instrument appointing the Data Protection Officer, assigning their functions and responsibilities in compliance with the LGPD.
We see, then, that the Data Protection Officer serves as a mechanism to assist companies in having an effective communication channel, enabling easy access for data subjects to exercise their rights. Effective communication ensures compliance with the legal principles underlying the LGPD, especially transparency and free access. Merely appointing an officer is not enough if access and communication with data subjects are ineffective or difficult. Even for startups and small and medium-sized companies, for which the appointment of a Data Protection Officer is waived under ANPD Resolution No. 02 of 2022, the Data Controller remains obliged to provide a communication channel for data subjects, ensuring that other obligations and legal principles of the LGPD are met.
The ANPD’s action is part of its mapping cycle and aligns with the Agency’s priority themes for 2024 and 2025, ensuring the rights of data subjects.
Although specific companies have been mentioned, the monitoring emphasizes the importance of all organizations complying with the General Data Protection Law (LGPD). Additionally, it encourages data subjects to file complaints when their information is not adequately protected.
For companies that have not yet complied, the message is to do so urgently. For those that have been monitored, it is necessary to present a regularization schedule.
Failure to present planning and structuring, and non-compliance with data protection regulations, can result in administrative sanctions for companies (ranging from hefty fines to suspension and termination of data processing activities), and can also foster distrust among customers and investors, compromising the organization’s reputation. Manucci Advogados is available to provide clarification to those who wish to implement or review their LGPD projects, verifying and ensuring that their procedures conform to the regulations and guidelines of the ANPD.