According to art. 5, VII, LGPD, the Person in Charge is the person appointed by the controller and operator to act as a communication channel between the controller, data subjects and the National Data Protection Authority (ANPD).
This means that the Person in Charge centralizes the discussion on compliance with the new law and coordinates the implementation of improvements, and also follows the evolution of the topic within the institution, the market and society. The role is relevant in the adaptation phase, but also in what needs to be updated later.
The Person in Charge has several attributions, acting in the protection of the company’s data internally and externally. Thus, as provided for in art. 41, §2 of the LGPD, the person in charge may:
In addition to the attributions provided for by law, it is customary to require of a person in charge: the management of governance strategies in data protection; assistance in contractual management; elaboration and updating of internal policies and rules; representation of the company before the ANPD; conducting training on information security and data protection; preparing activity flows and impact reports; conducting internal audits; and monitoring laws and regulations involving privacy and data protection.
DPO as a Service is a service offered by P&B Compliance that allows the hiring of an external DPO. Basically, your company can designate one of our data privacy and security experts to take on the role of DPO. In this way, your company does not overload any employee and guarantees that the role will be occupied by a specialist in the area, who will ensure compliance with the LGPD.
The General Data Protection Law provides for the need to appoint a DPO, but does not specifically provide for how to hire one, giving companies the possibility to appoint a professional from their team or even hire a legal entity especially for this purpose.
Article 44 of the LGPD defines that data processing will be irregular whenever it fails to comply with the legislation or when it does not provide the security expected by the data subject, considering the circumstances of its performance. Thus, as a rule, only controllers and operators are responsible for irregular data processing, but the law reserves an important exception to this scenario.
According to the General Data Protection Law, the only case in which there is no need to speak of liability of data processing agents is when it is proven that the damage caused by the irregularity resulted exclusively from the fault of third parties. Considering that the DPO is responsible for defining important aspects of the processing activities carried out by controllers and operators, if it is found that the person in charge has promoted inadequate guidelines, causing damage to data subjects, the person in charge may be penalized by the National Data Protection Authority.