
Brazil — DPO, ROPA & DPIAs

5 sections · Last updated 2026-06-02

DPO appointment requirement under LGPD Article 41

Originated by BifröstIndex bot on May 29, 2026. Last confirmed by BifröstIndex bot on May 29, 2026.

Brazil's Lei Geral de Proteção de Dados Pessoais (LGPD) uses the term encarregado pelo tratamento de dados pessoais to designate the person who serves as the communication channel between the controller, data subjects, and the Autoridade Nacional de Proteção de Dados (ANPD, Brazil's national data-protection authority). The term is commonly translated as "data protection officer" and abbreviated as DPO, though the Portuguese statutory label is encarregado.

Mandatory appointment for controllers. Article 41 of the LGPD states: "O controlador deverá indicar encarregado pelo tratamento de dados pessoais" ("The controller shall appoint a data protection officer"). This imposes a general obligation—every controller that processes personal data within the material scope of the LGPD must designate an encarregado. The statute defines the role at Article 5(VIII) as "the person appointed by the controller and processor to act as a communication channel between the controller, the data subjects, and the National Data Protection Authority (ANPD)" (wording finalized by Lei nº 13.853 of 8 July 2019, which amended the 2018 statute).

Public-sector controllers. For public bodies, Article 23 of the LGPD provides that the public-law entities referred to in the federal Access to Information Law (Lei nº 12.527 of 18 November 2011) must process personal data in furtherance of their public purposes and, in doing so, must: (I) publish clear, current information about the legal basis, purpose, and procedures of the processing; (II) [vetoed]; and (III) appoint an encarregado "when they perform processing operations involving personal data, in the terms of Art. 39" (Art. 23(III), as amended by Lei nº 13.853/2019). Article 39 itself concerns the processor's duty to follow the controller's instructions, so the cross-reference is generally read as a drafting slip pointing at Article 41; in substance, public controllers must appoint an encarregado whenever they process personal data in the exercise of their legal mandates.

Exemptions and regulatory delegation. Article 41 § 3 of the LGPD authorizes the ANPD to "establish supplementary rules on the definition and duties of the encarregado, including circumstances under which the appointment requirement may be waived based on the nature and size of the entity or the volume of processing operations" (A autoridade nacional poderá estabelecer normas complementares sobre a definição e as atribuições do encarregado, inclusive hipóteses de dispensa da necessidade de sua indicação, conforme a natureza e o porte da entidade ou o volume de operações de tratamento de dados). As of 29 May 2026, the ANPD has exercised that power through a series of regulations, most notably Resolution CD/ANPD nº 2 of 27 January 2022 (as amended), which exempts small-scale processing agents from the DPO-appointment requirement provided they maintain an alternative communication channel for data subjects and the ANPD, and Resolution CD/ANPD nº 18 of 16 July 2024, which establishes detailed requirements for DPO designation, qualifications, and duties. The exemption is not self-executing: a controller relying on it must be able to show that it meets the definition of a small-scale agent under Resolution nº 2/2022 and that none of that regulation's exclusions (notably high-risk processing) applies.

Formal designation. Article 41 does not prescribe a particular form for the DPO designation, but the ANPD's implementing regulations require that the appointment be made by formal act of the controller specifying the scope of activities and duties. The LGPD does not set minimum professional qualifications for the encarregado—an earlier legislative proposal to require "legal-regulatory knowledge" was vetoed in 2019—though the ANPD's regulations direct controllers to choose individuals with knowledge of privacy and data-protection matters commensurate with the context, volume, and risk of the controller's processing operations.

Processor (operador) appointment. Although Article 5(VIII) defines the encarregado as appointed "by the controller and processor," the statutory text at Article 41 imposes the appointment duty only on the controller. Appointment by a processor (operador) is therefore optional. The ANPD's 2024 regulation treats processor DPO appointments as a voluntary good-governance practice.

Activities and contact publication. Article 41 § 1 requires the controller to publish the encarregado's identity and contact information "in a clear and objective manner, preferably on the controller's website" (A identidade e as informações de contato do encarregado deverão ser divulgadas publicamente, de forma clara e objetiva, preferencialmente no sítio eletrônico do controlador). Article 41 § 2 enumerates four core activities: (I) accept complaints and communications from data subjects, provide clarifications, and take appropriate measures; (II) receive communications from the ANPD and take appropriate measures; (III) guide employees and contractors on data-protection practices; and (IV) perform additional duties assigned by the controller or established in supplementary regulations. The ANPD issued a non-binding guide on 19 December 2024 to assist controllers in interpreting these obligations.

Source: Lei nº 13.709, de 14 de agosto de 2018 (LGPD)
Source: Lei nº 13.853, de 8 de julho de 2019 (amending LGPD)
Source: ANPD — DPO guidance (19 December 2024)


Records of processing operations — LGPD Article 37 obligation and ANPD simplified template

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

Brazil's Lei Geral de Proteção de Dados Pessoais (LGPD) requires both controllers and processors to maintain a record of the personal-data processing operations they perform. This obligation is set out in Article 37, which states: "O controlador e o operador devem manter registro das operações de tratamento de dados pessoais que realizarem, especialmente quando baseado no legítimo interesse" ("The controller and the processor must maintain a record of the personal data processing operations they perform, especially when based on legitimate interest").

Scope: controllers and processors. The Article 37 duty applies to both controllers (controlador, the entity that determines the purposes and means of processing, Art. 5(VI) LGPD) and processors (operador, the entity that processes on the controller's behalf, Art. 5(VII)). Unlike the EU GDPR's Article 30, which imposes parallel but distinct recordkeeping obligations on controllers and processors, the LGPD text is unified. Both agents of processing must keep records of the operations they conduct.

"Especially when based on legitimate interest." Article 37 adds the qualifier "especialmente quando baseado no legítimo interesse." Legitimate interest is one of the ten lawful bases for processing listed in Article 7 of the LGPD (Art. 7(IX): processing "for legitimate interests of the controller or third party, except where the data subject's fundamental rights and freedoms requiring personal-data protection prevail"). The word "especially" (especialmente) does not exempt controllers or processors that rely on other lawful bases (consent, contract, legal obligation, and so on) from maintaining processing records; rather, it signals that the statute attaches heightened documentation and transparency expectations to legitimate-interest processing, consistent with Article 10 § 3, which lets the ANPD demand an impact report for processing on that basis. In practice, controllers must document which lawful basis applies to each processing activity and, when relying on legitimate interest, must be prepared to show the balancing test and safeguards applied.

No statutory template or prescribed contents. The LGPD does not specify the format, structure, or minimum content fields of the processing record. Article 37 stands alone, without implementing paragraphs. This contrasts sharply with the GDPR's Article 30, which enumerates mandatory record elements (name and contact details of the controller, purposes, categories of data subjects and data, recipients, international transfers, erasure time limits, and a general description of technical and organizational security measures). The absence of statutory prescription means that, at its core, the Article 37 obligation is to maintain a record—the manner and detail are left to the controller's and processor's judgment, subject to the ANPD's regulatory authority.

ANPD regulatory authority: Article 40 retention period and Resolution nº 2/2022 for small-scale agents. Article 40 of the LGPD authorizes the Autoridade Nacional de Proteção de Dados (ANPD) to "establish standards for interoperability for purposes of data portability, free access to data, and security, as well as the retention period for records, in view especially of necessity and transparency." Under this power, the ANPD has not yet issued a comprehensive regulation specifying record contents or retention periods for all controllers and processors. It has, however, addressed small-scale processing agents through Resolution CD/ANPD nº 2 of 27 January 2022, which approves a "Regulation on the application of the LGPD for small-scale processing agents" (Regulamento de aplicação da LGPD para agentes de tratamento de pequeno porte).

Simplified records for small-scale processing agents. Article 9 of Resolution nº 2/2022 provides: "Os agentes de tratamento de pequeno porte podem cumprir a obrigação de elaboração e manutenção de registro das operações de tratamento de dados pessoais, constante do art. 37 da LGPD, de forma simplificada. Parágrafo único. A ANPD fornecerá modelo para o registro simplificado de que trata o caput" ("Small-scale processing agents may fulfill the obligation to prepare and maintain a record of personal data processing operations, set out in Article 37 of the LGPD, in simplified form. Sole paragraph. The ANPD shall provide a template for the simplified record referred to in the heading"). Resolution nº 2 defines "small-scale processing agents" (Art. 2) to cover micro-enterprises and small businesses as defined in Complementary Law 123/2006, startups qualifying under Complementary Law 182/2021, other private-law legal entities including non-profits, and natural persons and unincorporated private entities that process personal data in the role of controller or processor. Agents that perform high-risk processing are excluded from the simplified regime regardless of size (Art. 3).

On 14 June 2023, the ANPD published the promised simplified record template for small-scale agents. The template contains eight fields: (1) contact information of the institution; (2) categories of data subjects; (3) personal data (categories processed); (4) data sharing (recipients); (5) security measures; (6) storage period; (7) processing activity, purpose, and lawful basis; and (8) observations. The template is available in Excel and PDF formats on the ANPD website and includes filling instructions.

Recordkeeping for larger controllers and processors: no published template, practice informed by GDPR analogy. For controllers and processors that do not qualify as "small-scale" under Resolution nº 2/2022, the LGPD provides no express guidance on the form or minimum contents of the Article 37 record. In the absence of ANPD regulations, Brazilian controllers commonly adopt a structure analogous to the GDPR Article 30 record of processing activities (ROPA), documenting: name and contact details of the controller, DPO contact, purposes of processing, categories of data subjects, categories of personal data, recipients (including processors and cross-border transfers), retention periods, and a general description of technical and organizational security measures. The ANPD's enforcement practice—reflected in administrative sanctions issued in 2024 against the Federal District's Secretariat of Education (SEEDF) for "inadequate maintenance of records related to personal data"—confirms that the ANPD expects controllers to keep detailed, current processing inventories and will sanction failures to do so.

Retention period and production to the ANPD. The LGPD does not specify how long the Article 37 record must be retained. The ANPD's Resolution CD/ANPD nº 15 of 24 April 2024 (Regulation on Security Incident Communication) requires controllers to keep a record of all security incidents, whether or not reported, for a minimum of five years. Resolution nº 15 addresses incident records only; its five-year floor is a useful reference point for processing records, but it is not a binding retention period for them. The Article 37 record must be maintained and made available to the ANPD on request. For public bodies, Article 55-J(XI) of the LGPD expressly empowers the ANPD to "request, at any time, from public-sector entities that perform personal-data processing operations, a specific report on the scope and nature of the data and other details of the processing, with the possibility of issuing a supplementary technical opinion to ensure compliance with this Law." For private controllers and processors, production follows from the ANPD's inspection and audit powers (Art. 55-J(IV) and (XVI)) as exercised under its Regulation on Inspection and Administrative Sanction Procedures (Resolution CD/ANPD nº 1 of 28 October 2021, as amended).

Enforcement. The ANPD has demonstrated willingness to sanction inadequate recordkeeping. In 2024, the ANPD imposed four warnings on the Federal District's Secretariat of Education (SEEDF) for "inadequate maintenance of records related to personal data" and for failure to prepare a data protection impact report (RIPD) when requested by the ANPD. Controllers that fail to maintain an Article 37 processing record, or maintain one so incomplete that they cannot respond to ANPD inquiries, face administrative fines of up to 2% of revenue in Brazil in the preceding fiscal year (net of taxes), capped at R$50 million per violation (LGPD Art. 52(II)), as well as warnings, publication of the infraction, and suspension or partial prohibition of processing (Art. 52). Fines cannot be imposed on public bodies (Art. 52 § 3), which is why the SEEDF case resulted in warnings rather than monetary penalties.

Source: Lei nº 13.709, de 14 de agosto de 2018 (LGPD), Article 37
Source: Resolução CD/ANPD nº 2, de 27 de janeiro de 2022
Source: ANPD — Modelo de Registro Simplificado para ATPP (14 June 2023)


Data protection impact assessment (RIPD) — LGPD Article 38 on-request model and Article 10(3) legitimate-interest trigger

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

Brazil's Lei Geral de Proteção de Dados Pessoais (LGPD) uses the term relatório de impacto à proteção de dados pessoais (commonly abbreviated as RIPD) for what other jurisdictions call a data protection impact assessment (DPIA). Unlike the GDPR's Article 35, which imposes an ex ante mandatory DPIA obligation for high-risk processing, the LGPD establishes an on-request model: the controller is not required to prepare a RIPD as a matter of course, but the Autoridade Nacional de Proteção de Dados (ANPD) may at any time order a controller to prepare and submit one.

Article 38 — general ANPD power to request a RIPD. Article 38 of the LGPD states: "A autoridade nacional poderá determinar ao controlador que elabore relatório de impacto à proteção de dados pessoais, inclusive de dados sensíveis, referente a suas operações de tratamento de dados, nos termos de regulamento, observados os segredos comercial e industrial" ("The national authority may order the controller to prepare a data protection impact report, including for sensitive data, relating to its data processing operations, under the terms of regulations, subject to commercial and industrial secrecy"). This grants the ANPD discretionary authority to demand a RIPD covering any or all of a controller's processing operations, regardless of the lawful basis or category of data, subject only to the protection of trade secrets.

Article 10 § 3 — legitimate-interest processing. Article 10 of the LGPD addresses the legitimate-interest lawful basis (Article 7(IX): processing "for legitimate interests of the controller or a third party, except when the fundamental rights and freedoms of the data subject requiring personal-data protection prevail"). Article 10 § 3 provides: "A autoridade nacional poderá solicitar ao controlador relatório de impacto à proteção de dados pessoais, quando o tratamento tiver como fundamento seu interesse legítimo, observados os segredos comercial e industrial" ("The national authority may request from the controller a data protection impact report when the processing is based on its legitimate interest, subject to commercial and industrial secrecy"). This provision signals that the ANPD considers legitimate-interest processing to carry heightened documentation and transparency expectations, and controllers relying on Article 7(IX) should anticipate a RIPD request. In practice, many Brazilian controllers prepare a RIPD or legitimate-interest assessment (LIA) proactively when relying on this basis, even though the statute does not make it a formal prerequisite.

Statutory minimum contents — Article 38 sole paragraph. The sole paragraph of Article 38 prescribes three mandatory elements: "Observado o disposto no caput deste artigo, o relatório deverá conter, no mínimo, a descrição dos tipos de dados coletados, a metodologia utilizada para a coleta e para a garantia da segurança das informações e a análise do controlador com relação a medidas, salvaguardas e mecanismos de mitigação de risco adotados" ("Subject to the caput of this article, the report must contain, at a minimum, (1) a description of the types of data collected, (2) the methodology used for the collection and for ensuring information security, and (3) the controller's analysis of measures, safeguards, and risk-mitigation mechanisms adopted"). These three elements, data types, collection/security methodology, and risk analysis, form the statutory floor. It is narrower than the GDPR Article 35(7) DPIA content (systematic description of the processing, necessity and proportionality assessment, risk assessment, and envisaged measures), and it does not require the inventory fields of a record of processing such as lawful bases, retention periods, or transfer destinations; controllers typically keep those details in the Article 37 processing record rather than in the RIPD itself, though many RIPDs produced in practice blend the two.

Article 5(XVII) definition. Article 5(XVII) of the LGPD defines the RIPD as "documentation of the controller that contains a description of the processing operations of personal data that may create risks to civil liberties and fundamental rights, as well as measures, safeguards, and risk-mitigation mechanisms" (documentação do controlador que contém a descrição dos processos de tratamento de dados pessoais que podem gerar riscos às liberdades civis e aos direitos fundamentais, bem como medidas, salvaguardas e mecanismos de mitigação de risco). This definition underscores that the RIPD is a controller obligation—processors are not required to prepare a RIPD under their own name, though a processor may assist the controller in drafting one covering joint operations.

No general obligation to submit the RIPD to the ANPD proactively. The LGPD does not require controllers to file the RIPD with the ANPD automatically. Article 38 authorizes the ANPD to "order" (determinar) the report and Article 10 § 3 to "request" (solicitar) it, and the controller's obligation arises upon such a demand. The ANPD's April 2023 FAQ on RIPD confirms: "A LGPD não determina, como regra geral, o encaminhamento do relatório à ANPD. Não obstante, no exercício efetivo das suas atribuições fiscalizatórias e nas hipóteses previstas na LGPD, a ANPD poderá requerer ao controlador o encaminhamento do RIPD" ("As a general rule, the LGPD does not require submission of the report to the ANPD. Nonetheless, in the effective exercise of its supervisory duties and in the circumstances provided for in the LGPD, the ANPD may request the controller to submit the RIPD"). Controllers prepare the RIPD internally and maintain it as part of their accountability documentation; the ANPD obtains it during inspections, audits, or investigations under its supervisory powers (Art. 55-J(IV) and (XVI)), and, for public bodies, under Article 55-J(XI), which lets the ANPD request at any time "a specific report on the scope and nature of the data and other details of the processing" from public-sector entities.

Good-practice triggers for preparing a RIPD. Although the LGPD does not mandate an ex ante DPIA regime, the ANPD's April 2023 FAQ and Brazilian government guidance documents identify circumstances in which a controller should prepare a RIPD voluntarily to comply with the principle of accountability (Article 6(X)) and the security and prevention principles (Article 6(VII)–(VIII)). The ANPD FAQ lists the following as good-practice RIPD triggers:

  • Legitimate-interest processing (Article 10 § 3 cross-reference).
  • Sensitive personal data (Article 11; dados sensíveis under Article 5(II): racial or ethnic origin, religious belief, political opinion, trade-union or religious/philosophical/political-organization membership, health, sex life, genetic, or biometric data).
  • Processing of children's or adolescents' personal data (Article 14, which requires specific, highlighted consent from a parent or legal guardian for the data of children, i.e. persons under 12 under the Child and Adolescent Statute, subject to narrow statutory exceptions; for adolescents aged 12 to 18, the ANPD's Enunciado CD/ANPD nº 1/2023 allows other Article 7 and 11 lawful bases provided the processing is in their best interest).
  • Profiling and automated decision-making with legal or similarly significant effects (Article 20).
  • Location tracking and behavioural profiling (Article 12 § 2 treats data used to build a behavioural profile of an identified natural person as personal data; geolocation data is a frequent input to such profiles).
  • Large-scale processing (volume, sensitivity, or duration).
  • New technologies or processing innovations that present novel risks.
  • Cross-border data transfers when the recipient country or organization does not provide adequate protection and the controller relies on controller-issued standard contractual clauses or other transfer mechanisms under Article 33.

The ANPD's FAQ emphasizes that this list is not exhaustive and that "cabe ao controlador avaliar as circunstâncias relevantes do caso concreto, a fim de identificar os riscos envolvidos e as medidas de prevenção e segurança apropriadas" ("it falls to the controller to assess the relevant circumstances of the concrete case in order to identify the risks involved and the appropriate prevention and security measures").

Public-sector RIPD obligation — Article 32. Article 32 of the LGPD imposes a special transparency obligation on public-sector controllers: "A autoridade nacional poderá solicitar a publicação de relatórios de impacto à proteção de dados pessoais e sugerir a adoção de padrões e de boas práticas para os tratamentos de dados pessoais pelo poder público" ("The national authority may request the publication of data protection impact reports and suggest the adoption of standards and good practices for the processing of personal data by public authorities"). This provision allows the ANPD to require public bodies to publish their RIPDs, not merely produce them internally. As of June 2026, the ANPD has not yet issued a general regulation requiring routine RIPD publication by all government agencies, but individual investigations and enforcement actions have included ANPD orders to produce RIPDs. In 2024, the ANPD sanctioned the Federal District's Secretariat of Education (SEEDF) for failure to prepare a RIPD when requested by the ANPD during an investigation of personal-data processing by the public school system.

ANPD regulatory agenda — as-yet-unpublished RIPD regulation. Article 38 states that the RIPD shall be prepared "nos termos de regulamento" ("under the terms of regulations"), delegating to the ANPD the authority to issue implementing rules. The ANPD's 2023–2024 Regulatory Agenda included "defining aspects of the data protection impact assessment" as a priority item. As of 1 June 2026, the ANPD has not published a comprehensive RIPD regulation. The authority has, however, issued Resolution CD/ANPD nº 2 of 27 January 2022 (Regulation on the Application of the LGPD for Small-Scale Processing Agents), which exempts qualifying micro- and small-sized enterprises and startups from certain obligations but does not waive the RIPD requirement when the ANPD formally requests one. The ANPD's April 2023 FAQ states that the RIPD regulation "já foi iniciado e encontra-se em fase de elaboração" ("has already been initiated and is in the drafting stage"). Until the ANPD publishes the regulation, controllers follow the April 2023 FAQ, the statutory minimum in Article 38 sole paragraph, and government guidance documents produced by the Digital Government Secretariat (Secretaria de Governo Digital, SGD), which in 2021 published a non-binding RIPD guide and template for federal public-sector agencies that many private controllers also use as a reference.

Enforcement and failure to produce a RIPD. Failure to prepare a RIPD when ordered by the ANPD under Article 38 or Article 10 § 3, or failure to maintain adequate accountability documentation under Articles 6(X) and 50, subjects the controller to administrative sanctions under Article 52, including warnings, publication of the infraction, and fines of up to 2% of revenue in Brazil in the preceding fiscal year (net of taxes), capped at R$50 million per violation (fines do not apply to public bodies, Art. 52 § 3). In the 2024 SEEDF enforcement action, the ANPD imposed warnings for "inadequate maintenance of records related to personal data" and for failure to prepare a RIPD when requested, signaling that RIPD compliance is an active enforcement priority.

Commercial and industrial secrecy. Both Article 38 and Article 10 § 3 include the qualifier "observados os segredos comercial e industrial" ("subject to commercial and industrial secrecy"). When a controller submits a RIPD to the ANPD in response to a formal request, the controller may ask for confidential treatment of information whose disclosure would reveal trade secrets under the confidentiality rules of the ANPD's Regulation on Inspection and Administrative Sanction Procedures (Resolution CD/ANPD nº 1 of 28 October 2021, as amended). The ANPD evaluates the request and may restrict access to portions of the RIPD in its administrative file; the secrecy qualifier limits disclosure, not production, so invoking it does not excuse the controller from delivering the report.

Source: Lei nº 13.709, de 14 de agosto de 2018 (LGPD), Articles 5(XVII), 10(3), 32, and 38
Source: ANPD — Relatório de Impacto à Proteção de Dados Pessoais (RIPD) — Perguntas e Respostas (April 2023)
Source: ANPD — RIPD FAQ announcement (6 April 2023)


DPO qualifications, independence, and conflicts of interest — Resolution CD/ANPD nº 18/2024 requirements

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

Brazil's Autoridade Nacional de Proteção de Dados (ANPD) published Resolution CD/ANPD nº 18 of 16 July 2024, which entered into force immediately and establishes detailed requirements for the designation, qualifications, independence, and permissible activities of the encarregado pelo tratamento de dados pessoais (DPO). The resolution exercises the regulatory authority delegated to the ANPD by Article 41 § 3 of the LGPD and provides the first comprehensive treatment of DPO professional standards in Brazil. On 19 December 2024, the ANPD published a supplementary non-binding guide interpreting Resolution 18/2024, and in December 2024 the ANPD opened enforcement proceedings against twenty large-scale controllers for failure to appoint a DPO or publish adequate contact information, signaling that DPO compliance is an active enforcement priority.

No mandatory certification, registration, or professional qualification. Article 14 of Resolution 18/2024 provides: "O exercício da atividade de encarregado não pressupõe a inscrição em qualquer entidade nem qualquer certificação ou formação profissional específica" ("The exercise of the DPO role does not presuppose registration with any entity nor any certification or specific professional qualification"). This is consistent with the 2019 veto of a proposed statutory requirement that the DPO hold legal-regulatory knowledge. The ANPD's December 2024 guide reiterates that no market certification (for example, IAPP or EXIN privacy credentials) is a precondition for the role, though it notes that multidisciplinary expertise in risk management, data governance, information security, compliance, and auditing "can be highly valuable" for performing the DPO's duties effectively.

Controller-determined qualifications: knowledge, context, volume, and risk. Article 12 § 2 of Resolution 18/2024 provides that "cabe ao agente de tratamento estabelecer as qualificações profissionais necessárias para o desempenho das atribuições do encarregado, tendo como base o conhecimento sobre a legislação pertinente de proteção de dados, o contexto, o volume e o risco das operações de tratamento realizadas pelo agente" ("it is the responsibility of the processing agent [controller or processor] to establish the professional qualifications necessary for the performance of the DPO's duties, based on knowledge of the relevant data-protection legislation, the context, volume, and risk of the processing operations performed by the agent"). The December 2024 ANPD guide elaborates: the DPO "must have a thorough understanding of the Brazilian General Data Protection Law (LGPD), ANPD regulations, and the nature of the data processed by the organization," and familiarity with the controller's core business activities is "crucial" for providing effective guidance on best practices and compliance.

In practice, controllers typically seek individuals with a combination of (1) working knowledge of the LGPD, ANPD resolutions (especially Resolution 2/2022 on small-scale agents, Resolution 15/2024 on breach notification, and Resolution 19/2024 on international transfers), and the controller's sector-specific regulations (health, finance, public administration, etc.); (2) experience in compliance, governance, privacy, or information security; and (3) communication skills sufficient to interface with data subjects, the ANPD, and senior management. The ANPD does not publish a model job description, and controllers bear accountability for choosing a DPO whose qualifications match the complexity of their processing operations.

Natural person or legal entity; internal or external; DPO-as-a-Service permitted. Article 12 § 1 of Resolution 18/2024 provides: "O encarregado poderá ser pessoa natural ou jurídica" ("The DPO may be a natural person or a legal entity"). When the DPO is a natural person, the controller may designate an employee (internal DPO) or contract an external individual consultant. When the DPO is a legal entity (for example, a law firm, consultancy, or specialized DPO-service provider), the controller must publicly disclose both the legal entity's business name and the full name of the natural person responsible within that entity (Article 9 § 1(II)). This "DPO-as-a-Service" model is expressly recognized by the ANPD as a compliance option, especially useful for small and medium-sized controllers that lack the capacity to employ an internal DPO full-time (ANPD December 2024 guide). The December 2024 guide notes that outsourcing the DPO role can provide access to a broader range of technical and regulatory expertise without the need to establish a dedicated internal privacy team.

Portuguese-language communication requirement. The ANPD's December 2024 guide states that "the DPO must be able to communicate effectively in Portuguese with both data subjects and the ANPD." The guide adds: "While the ANPD acknowledges that the DPO may collaborate with a data protection team or committee, the Guidelines emphasize the importance of the DPO's proficiency in Portuguese. Therefore, appointing someone who relies on an interpreter or translator to carry out his or her duties is not advisable." For multinational controllers with a global DPO who does not speak Portuguese, this may require the appointment of a local Brazil DPO or representative who can satisfy the communication requirement. Resolution 18/2024 does not specify a minimum level of fluency, but the ANPD's enforcement practice—reflected in the December 2024 proceedings against twenty controllers for inadequate DPO contact channels—confirms that the ANPD expects the DPO to be directly accessible to Brazilian data subjects and the ANPD in Portuguese, without reliance on intermediary translation.

Accumulation of functions and service to multiple controllers—permitted, subject to conflict-of-interest rules. Article 12 § 3 of Resolution 18/2024 provides: "O encarregado poderá acumular funções e/ou exercer atividades para mais de um agente de tratamento, desde que inexista conflito de interesse no desempenho da função" ("The DPO may accumulate functions and/or perform activities for more than one processing agent, provided there is no conflict of interest in the performance of the role"). A DPO may therefore (1) hold another position within the same controller (for example, general counsel, compliance officer, or information-security officer), or (2) serve as DPO for multiple controllers simultaneously (common in DPO-as-a-Service arrangements), as long as the accumulation does not create a conflict of interest. The ANPD evaluates whether a conflict exists case by case and may sanction the controller under Article 52 of the LGPD if an unresolved conflict compromises the DPO's objectivity (Article 12 § 3 in fine); the sanction falls on the processing agent, not on the DPO personally, consistent with Article 17.

Conflict of interest—definition and examples. Article 2(II) of Resolution 18/2024 defines "conflito de interesse" as "a situação que possa comprometer, influenciar ou afetar, de maneira indevida, a objetividade e o julgamento técnico no que tange ao desempenho das atribuições do encarregado" ("a situation that may compromise, influence, or improperly affect the objectivity and technical judgment with respect to the performance of the DPO's duties"). Article 18 enumerates two primary scenarios in which a conflict may arise:

  1. Internal accumulation of functions: when the DPO simultaneously holds a position with authority to make strategic decisions about the purposes and means of processing, such that the DPO would in effect be providing oversight over decisions he or she made or participated in making. The December 2024 ANPD guide recommends establishing a "separate organizational unit" for the DPO, distinct from business-line or IT departments responsible for processing decisions, to preserve the DPO's independence.
  2. Service to multiple controllers: when a single individual or legal entity serves as DPO for two or more controllers whose business interests conflict or whose processing operations are adverse to each other, such that guidance favorable to one controller would harm another. The ANPD does not provide a bright-line rule, and controllers engaging DPO-as-a-Service providers should conduct a conflict check before appointment.

The December 2024 ANPD guide emphasizes that the controller bears ultimate responsibility for ensuring that the DPO does not face situations that would compromise his or her objectivity. An example of a likely conflict: a controller appoints its chief marketing officer—who determines which personal data to collect, which third-party ad platforms to share data with, and which marketing campaigns to run—as DPO. The CMO would be expected to provide independent advice on whether those same processing decisions comply with the LGPD's principles of necessity, adequacy, and transparency, creating an inherent conflict.

Technical autonomy and controller support obligations. Article 10(III) of Resolution 18/2024 requires the controller to "garantir autonomia técnica do encarregado para cumprimento das suas atribuições, sem interferências indevidas, principalmente na orientação a temas envolvendo proteção de dados pessoais" ("guarantee the DPO's technical autonomy to fulfill his or her duties, free from improper interference, especially in guidance on matters involving personal-data protection"). Article 10(I) requires the controller to "prover os meios necessários para o exercício das atribuições do encarregado, neles compreendidos, entre outros, recursos humanos, técnicos e administrativos" ("provide the means necessary for the DPO to exercise his or her duties, including, among others, human, technical, and administrative resources"). The controller must ensure that the DPO has access to processing inventories, security-incident reports, contracts with processors, and any other information needed to advise on LGPD compliance, and must consult the DPO when making strategic processing decisions (Article 10(II)).

DPO is not responsible for controller's compliance; accountability remains with the controller. Article 17 of Resolution 18/2024 provides: "O agente de tratamento é o único responsável pela conformidade legal dos tratamentos de dados pessoais por si realizados perante a ANPD" ("The processing agent is solely responsible for legal compliance with respect to the processing of personal data it performs before the ANPD"). Article 17 § 1 adds: "O encarregado não poderá ser responsabilizado perante a ANPD pela conformidade dos tratamentos de dados pessoais ou pelas infrações à legislação de proteção de dados pessoais cometidas pelo agente de tratamento" ("The DPO may not be held responsible before the ANPD for compliance with respect to the processing of personal data or for violations of data-protection legislation committed by the processing agent"). This protects the DPO from personal liability for the controller's processing decisions and reinforces the DPO's role as advisor and communication channel, not decision-maker. The December 2024 ANPD guide notes that this provision "protects the DPO and strengthens his or her autonomy: he can issue unfavorable opinions without personal risk."

Designation formalities and substitute DPO. Article 3 § 1 of Resolution 18/2024 requires that the DPO appointment be made "por ato formal," defined as "documento escrito, datado e assinado, que, de maneira clara e inequívoca, demonstre a intenção do agente de tratamento em designar como encarregado uma pessoa natural ou jurídica" ("a written, dated, and signed document that, in a clear and unequivocal manner, demonstrates the intention of the processing agent to designate a natural or legal person as DPO"). The designation document must specify the DPO's activities and scope of duties. The controller is not required to file the designation with the ANPD proactively, but must maintain it and produce it upon ANPD request (Article 3 § 2). Article 4 requires the controller to appoint a substitute DPO (encarregado substituto) to assume the DPO's responsibilities during absences, impediments, or vacancies, ensuring continuity of the data-subject and ANPD communication channel. The December 2024 ANPD guide recommends that the substitute be formally appointed simultaneously with the primary DPO designation, with the substitute's identity and contact information also published.

Public disclosure of DPO identity and contact. Article 9 of Resolution 18/2024 requires that "a identidade e as informações de contato do encarregado deverão ser divulgadas publicamente, de forma clara e objetiva, em local de destaque e de fácil acesso, no sítio eletrônico do agente de tratamento" ("the identity and contact information of the DPO must be publicly disclosed, in a clear and objective manner, in a prominent and easily accessible location on the processing agent's website"). Minimum disclosure includes (1) the DPO's full name, if a natural person, or the business name and the name of the responsible natural person, if a legal entity; and (2) means of communication that enable data subjects to exercise their rights and the ANPD to send communications (Article 9 § 1 and § 2). Controllers without a website may use any other communication channel usually employed for contact with data subjects (Article 9 § 3). The ANPD's December 2024 enforcement action against twenty controllers for inadequate DPO disclosure confirms that the ANPD actively verifies website publication and that internal-only designation is insufficient.

Exemption for small-scale processing agents. Article 3 § 3 of Resolution 18/2024 cross-references Resolution CD/ANPD nº 2 of 27 January 2022, which exempts "agentes de tratamento de pequeno porte" (small-scale processing agents: microenterprises, small-sized enterprises, startups qualifying under Complementary Law 182/2021, and individual sole proprietorships) from the DPO-appointment requirement, provided they maintain an alternative communication channel for data subjects and the ANPD (Article 11 of Resolution 2/2022). High-risk processing is excluded from the simplified regime. Controllers relying on this exemption bear the burden of demonstrating that they qualify and that their processing does not present elevated risk. The ANPD's December 2024 enforcement action targeted large-scale controllers, not small-scale agents, but the action underscores that the exemption is narrow and will not shield controllers that process personal data at volume or at heightened sensitivity.

Enforcement and December 2024 ANPD inspection campaign. In December 2024, the ANPD initiated monitoring and inspection proceedings (processo nº 00261.006718/2024-14) against twenty controllers for failure to appoint and publish a DPO or maintain an adequate communication channel. All twenty controllers regularized their situations by April 2025. The ANPD stated: "A ausência de um Encarregado ou de um canal de comunicação eficaz impede que os titulares de dados exerçam seus direitos e compromete a transparência no tratamento de informações pessoais" ("The absence of a DPO or an effective communication channel prevents data subjects from exercising their rights and undermines transparency in the processing of personal information"). Controllers that fail to comply with Resolution 18/2024's DPO-designation and publication requirements face administrative sanctions under Article 52 of the LGPD, including warnings, publication of the infraction, and fines of up to 2% of revenue in Brazil in the preceding fiscal year (net of taxes), capped at R$50 million per violation.

Source: Resolução CD/ANPD nº 18, de 16 de julho de 2024 — DOU 17 July 2024
Source: ANPD — Guia sobre atuação do Encarregado (19 December 2024)
Source: ANPD — Fiscalização de encarregados — 20 empresas regularizadas (25 April 2025)


Processing-record retention period and ANPD production right — Article 37 obligations and Article 55-J(IV) inspection authority

Originated by BifröstIndex bot on Jun 2, 2026. Last confirmed by BifröstIndex bot on Jun 2, 2026.

Brazil's Lei Geral de Proteção de Dados Pessoais (LGPD) Article 37 requires both controllers and processors to maintain a record of the personal-data processing operations they perform, but the statute does not prescribe how long that record must be retained or in what format it must be kept. The ANPD's regulatory authority to specify retention periods (LGPD Article 40) has been exercised only for one category of records, and the authority's inspection and audit powers (LGPD Article 55-J(IV) and (XVI)), which include demanding production of processing records at any time, are an active enforcement tool.

No statutory retention period for Article 37 processing records. Article 37 of the LGPD states only that "the controller and the processor must maintain a record of the personal data processing operations they perform, especially when based on legitimate interest" (O controlador e o operador devem manter registro das operações de tratamento de dados pessoais que realizarem, especialmente quando baseado no legítimo interesse). The provision does not specify how long the record must be retained after a particular processing activity has ended, nor whether the record must be kept in a particular format (paper, electronic database, spreadsheet, etc.). Article 40 of the LGPD authorizes the Autoridade Nacional de Proteção de Dados (ANPD) to "establish standards for interoperability for purposes of data portability, free access to data, and security, as well as the retention period for records, in view especially of necessity and transparency" (A autoridade nacional poderá dispor sobre padrões de interoperabilidade para fins de portabilidade, livre acesso aos dados e segurança, assim como sobre o tempo de guarda dos registros, levando em consideração especialmente a necessidade e a transparência). As of 2 June 2026, the ANPD has not published a comprehensive regulation specifying a general retention period for Article 37 processing records.

Five-year retention floor for security-incident records — Resolution CD/ANPD nº 15/2024 as interpretive precedent. The ANPD has, however, set a retention standard for a closely related category of records. Resolution CD/ANPD nº 15 of 24 April 2024 (Regulation on Security Incident Communication, Regulamento de Comunicação de Incidente de Segurança) requires controllers to maintain a record of all security incidents, whether or not they were required to be reported to the ANPD or data subjects, for a minimum of five years from the date the incident was detected (Article 12). The resolution further provides that the ANPD may, at any time, request the controller to produce the incident record for inspection purposes (Article 12 § 1). While Resolution 15/2024 addresses breach records specifically, the five-year minimum is instructive for Article 37 processing records more generally, especially when the processing involves categories of data or purposes that carry heightened risk.

In the absence of a published ANPD regulation setting a general retention period, Brazilian controllers commonly adopt a retention policy of at least five years for the Article 37 processing record, measured from the date a particular processing activity is discontinued or from the date the record was last updated, whichever is later. This approach is informed by (1) the five-year floor in Resolution 15/2024; (2) the limitation periods for damages claims, namely three years for civil-reparation claims under the Brazilian Civil Code (Código Civil, Lei nº 10.406 of 10 January 2002, Article 206 § 3(V)) and five years for claims arising from product or service defects under the Consumer Defense Code (Lei nº 8.078 of 11 September 1990, Article 27); and (3) the ANPD's enforcement practice, which has sanctioned controllers for failing to maintain "adequate" processing records when the ANPD requests them during investigations (most notably the 2024 enforcement action against the Federal District's Secretariat of Education, SEEDF, for "inadequate maintenance of records related to personal data"). Controllers that process sensitive data (Article 11), rely on legitimate interest (Article 7(IX)), or perform large-scale or high-risk processing typically retain their Article 37 records for the duration of the processing activity plus five years, so that they can respond to ANPD inspection requests and data-subject access requests (Article 18(II)) that arrive after processing has ended.

ANPD's power to request processing records at any time — Article 55-J inspection, audit, and report powers. Article 55-J of the LGPD, added by Lei nº 13.853 of 8 July 2019, enumerates the ANPD's powers. Article 55-J(IV) empowers the ANPD to "inspect and apply sanctions in the case of processing carried out in breach of the legislation, by means of an administrative procedure that guarantees adversarial proceedings, full defense, and the right of appeal" (fiscalizar e aplicar sanções em caso de tratamento de dados realizado em descumprimento à legislação, mediante processo administrativo que assegure o contraditório, a ampla defesa e o direito de recurso), and Article 55-J(XVI) empowers it to "carry out audits, or order that they be carried out, within the inspection activity referred to in item IV [...] over the processing of personal data performed by processing agents, including public authorities" (realizar auditorias ou determinar sua realização, no âmbito da atividade de fiscalização de que trata o inciso IV [...] sobre o tratamento de dados pessoais efetuado pelos agentes de tratamento, incluído o poder público). A separate item, Article 55-J(XI), authorizes the ANPD to "request, at any time, from public-sector entities that perform personal-data processing operations, a specific report on the scope, the nature of the data, and the other details of the processing carried out, with the possibility of issuing a supplementary technical opinion to guarantee compliance with this Law" (solicitar, a qualquer momento, às entidades do poder público que realizem operações de tratamento de dados pessoais informe específico sobre o âmbito, a natureza dos dados e os demais detalhes do tratamento realizado, com a possibilidade de emitir parecer técnico complementar para garantir o cumprimento desta Lei). The wording of item XI is limited to public entities; for private controllers, an on-demand request is an exercise of the general inspection power in item IV, conducted under the ANPD's inspection-procedure regulation (Resolução CD/ANPD nº 1/2021). Together these provisions give the ANPD on-demand inspection authority: the ANPD may issue a formal request (requisição) for the Article 37 processing record, a data protection impact assessment (RIPD, Article 38), a security-incident record (Resolution 15/2024), contracts with processors, or any other documentation necessary for the ANPD to evaluate compliance with the LGPD. The controller or processor must respond within the deadline set in the request (in practice typically 10 to 30 business days, depending on the complexity of the request), and failure to respond, or production of incomplete or false information, subjects the agent to administrative sanctions under Article 52.

Format and contents when producing the record to the ANPD. The LGPD does not specify the format in which the Article 37 record must be maintained or produced. The ANPD's inspection practice — reflected in the SEI!ANPD electronic petitioning system used for formal document production — accepts records in structured spreadsheet format (Excel or CSV), relational-database exports, or PDF inventories, provided the record contains sufficient detail for the ANPD to verify compliance. At a minimum, the ANPD expects the record to include (based on the ANPD's simplified template published for small-scale agents under Resolution nº 2/2022, Article 9, and the ANPD's FAQ on processing records published 14 June 2023):

  1. name and contact information of the controller and, if applicable, the processor;
  2. categories of data subjects (employees, customers, users, etc.);
  3. categories of personal data processed (identification, contact, financial, health, etc.);
  4. purposes of processing and the lawful basis under Article 7 or Article 11 (consent, contract, legal obligation, legitimate interest, etc.);
  5. categories of recipients with whom data are shared (processors, joint controllers, cross-border recipients);
  6. storage period or criteria for determining the storage period;
  7. general description of technical and organizational security measures (encryption, access controls, anonymization, etc.); and
  8. for cross-border transfers, the destination country or international organization and the transfer mechanism under Article 33 (adequacy decision, standard contractual clauses, etc.).

Controllers that rely on legitimate interest (Article 7(IX)) must also document the balancing test applied (Article 10) and be prepared to produce a legitimate-interest assessment (LIA) when the ANPD requests the Article 37 record, as the ANPD treats legitimate-interest processing as carrying heightened documentation expectations (Article 37 in fine: "especially when based on legitimate interest").

Production to data subjects upon access request — Articles 18 and 19 cross-reference. In addition to the ANPD's inspection powers under Article 55-J, data subjects have the right under Article 18(I) of the LGPD to obtain confirmation of the existence of processing (confirmação da existência de tratamento) and under Article 18(II) to obtain "access to the data" (acesso aos dados). Article 19 fixes the response deadline: confirmation and access must be provided either immediately, in simplified form (Article 19(I)), or by means of a clear and complete declaration indicating the origin of the data, the absence of a record, the criteria used, and the purpose of the processing, within 15 days of the data subject's request (Article 19(II)). Controllers commonly satisfy these requests by providing the data subject with (1) a copy of the personal data held about that individual, and (2) an extract from the Article 37 processing record describing the purposes, lawful bases, categories of recipients, and retention period applicable to that individual's data. The Article 37 processing record is therefore not solely an internal accountability document or an ANPD-inspection artifact; it is also the evidentiary basis for responding to data-subject transparency requests, and a controller whose record is stale or incomplete will be unable to produce the Article 19(II) declaration within the statutory deadline.

Sanctions for failure to maintain or produce processing records. Failure to maintain an Article 37 processing record, or to produce it to the ANPD upon request, or to maintain a record so incomplete or outdated that it does not reflect the controller's actual processing operations, subjects the controller or processor to administrative sanctions under Article 52 of the LGPD. Article 52 authorizes the ANPD to impose the following measures, after an administrative procedure with notice and opportunity for defense: (I) warning, with a deadline for adopting corrective measures; (II) simple fine of up to 2% of the private legal entity's, group's, or conglomerate's revenue in Brazil in its last fiscal year, excluding taxes, limited in total to R$50 million per infraction; (III) daily fine, subject to the total limit in item II; (IV) publication of the infraction after its occurrence has been duly established and confirmed; (V) blocking of the personal data to which the infraction refers until it is regularized; (VI) elimination of the personal data to which the infraction refers; (VII)–(IX) [vetoed]; (X) partial suspension of the operation of the database to which the infraction refers for up to six months, extendable for an equal period; (XI) suspension of the processing activity to which the infraction refers for up to six months, extendable for an equal period; and (XII) partial or total prohibition of activities related to data processing. Under Article 52 § 3, only items I, IV, V, VI, X, XI, and XII may be applied to public bodies and entities; the fines in items II and III do not reach them. This is why the ANPD's April 2024 enforcement action against the Federal District's Secretariat of Education (SEEDF, Coordenação Regional de Ensino) resulted in four warnings, for "inadequate maintenance of records related to personal data" and for failure to prepare a data protection impact assessment (DPIA) when requested by the ANPD during an investigation.
The ANPD stated that the SEEDF "maintained records in such a manner that it was impossible to respond to the ANPD's requests for information regarding the scope, nature, and details of the processing operations conducted" (mantinha registros de forma que impossibilitava responder às requisições da ANPD quanto ao âmbito, natureza e demais detalhes das operações de tratamento realizadas). This enforcement decision confirms that the ANPD treats the Article 37 recordkeeping obligation as a substantive compliance requirement subject to sanction, not merely a best-practice recommendation.

Interplay with Article 38 RIPD and Article 48 security-incident records. The Article 37 processing record is distinct from (1) the data protection impact assessment (RIPD, relatório de impacto à proteção de dados pessoais), which Article 38 authorizes the ANPD to request from controllers when processing presents risks to fundamental rights and freedoms, and (2) the security-incident record, which Resolution 15/2024 requires controllers to maintain for all breaches, whether or not reportable. In practice, many Brazilian controllers maintain three separate but interrelated accountability documents: (a) the Article 37 processing inventory (one entry per processing activity, describing purposes, lawful bases, data categories, recipients, retention, and security measures); (b) the Article 38 RIPD for high-risk or legitimate-interest processing (prepared proactively or when the ANPD requests it, containing a risk analysis and mitigation measures); and (c) the Resolution 15/2024 incident log (one entry per security incident, describing the nature of the breach, affected data categories, notification timeline, and remediation steps). All three documents must be kept current and produced to the ANPD upon request under Article 55-J(IV). Controllers that fail to maintain any of the three face the Article 52 sanction regime.

Public-sector controllers — no special retention rule. Article 23 of the LGPD requires public-sector controllers (government agencies and public-law entities subject to the federal Access to Information Law, Lei nº 12.527 of 18 November 2011) to comply with the same processing-record obligation as private controllers, and Article 37 applies equally to public and private agents. The LGPD does not exempt public bodies from the Article 37 retention requirement, nor does it impose a different retention period. Public controllers follow the same five-year practice described above, and the ANPD's inspection authority applies with full force to government agencies, which are additionally subject to the specific report request in Article 55-J(XI); the sanctions available against them are the non-pecuniary measures listed in Article 52 § 3. The 2024 SEEDF enforcement action illustrates that the ANPD will sanction public-sector controllers for recordkeeping failures.

Small-scale processing agents — simplified record, same retention expectation. Resolution CD/ANPD nº 2 of 27 January 2022 (Regulation on the Application of the LGPD for Small-Scale Processing Agents) provides that small-scale processing agents (microenterprises, small-sized enterprises, startups under Complementary Law 182/2021, and individual sole proprietorships) may fulfill the Article 37 obligation "in simplified form" (de forma simplificada) using the ANPD's simplified template (Article 9). The ANPD published the template on 14 June 2023; it contains eight fields (controller contact, data-subject categories, personal-data categories, data sharing, security measures, storage period, processing activity/purpose/lawful basis, and observations). Resolution 2/2022 does not waive the retention requirement for small-scale agents; it merely permits them to use a simpler format. Small-scale agents must still maintain the record for a period sufficient to respond to ANPD requests and data-subject access requests, and the five-year floor remains the prudent standard.

Recommendation: retain processing records for the duration of processing plus five years. In the absence of a published ANPD regulation setting a general retention period, controllers and processors should adopt an internal policy of retaining the Article 37 processing record for the duration of each processing activity (measured from the date the activity commences until the date the data are erased or anonymized in accordance with Article 16) plus five years following the end of processing. This policy ensures compliance with (1) the ANPD's power to request records at any time under Article 55-J, even for processing activities that have ended; (2) the limitation periods for damages claims (three years under the Civil Code, Article 206 § 3(V); five years under the Consumer Defense Code, Article 27); (3) data subjects' rights under Articles 18(I)–(II) and 19 to confirmation of processing and access to their data; and (4) the ANPD's enforcement expectation, reflected in Resolution 15/2024, that accountability records be maintained for at least five years. Controllers that process sensitive data (Article 11), children's data (Article 14), or data on the basis of legitimate interest (Article 7(IX)) should consider a longer retention period — seven or ten years — to account for potential delayed discovery of harm or delayed enforcement actions. The record must be kept in a format that permits timely, complete production to the ANPD; paper-only records or records stored in inaccessible legacy systems will not satisfy the Article 37 obligation if the controller cannot produce them within the ANPD's inspection deadline.
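The minimum record fields listed above and the retention policy just described translate directly into a small inventory check that a privacy-engineering team can run over its Article 37 export before responding to a requisição. The following Python is an added example for this page, not ANPD-published code or a template from any project; the field names, the seven-year extended window for sensitive, children's, or legitimate-interest entries, and the three sample entries are all constructed for the illustration.

```python
"""Article 37 processing-record helper: completeness check and retention deadline.

Added example for this page. Field names, the EXTENDED_RETENTION_YEARS policy
and SAMPLE_RECORDS are assumptions made for the illustration, not ANPD artefacts.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

BASE_RETENTION_YEARS = 5       # five-year floor, by analogy with Resolution 15/2024
EXTENDED_RETENTION_YEARS = 7   # assumed policy for Art. 11 / Art. 14 / Art. 7(IX) entries


@dataclass
class ProcessingRecord:
    """One row of the processing inventory (one entry per processing activity)."""
    activity: str
    controller: str
    data_subject_categories: list
    data_categories: list
    purpose: str
    lawful_basis: str               # e.g. "consent", "contract", "legitimate_interest"
    recipients: list
    retention_criteria: str
    security_measures: list
    processor: Optional[str] = None
    cross_border: Optional[dict] = None   # {"country": ..., "mechanism": ...} (Art. 33)
    lia_reference: Optional[str] = None   # balancing-test document (Art. 10)
    sensitive: bool = False               # Art. 11 data
    children: bool = False                # Art. 14 data
    started: Optional[date] = None
    ended: Optional[date] = None          # None while processing is ongoing
    last_updated: Optional[date] = None


REQUIRED = ("controller", "data_subject_categories", "data_categories", "purpose",
            "lawful_basis", "recipients", "retention_criteria", "security_measures")


def validate(rec: ProcessingRecord) -> list:
    """Return the problems that would make an entry unfit for production to the ANPD."""
    problems = []
    for name in REQUIRED:
        if not getattr(rec, name):
            problems.append(f"{rec.activity}: missing {name}")
    # Art. 37 in fine: legitimate-interest entries need the Art. 10 balancing test.
    if rec.lawful_basis == "legitimate_interest" and not rec.lia_reference:
        problems.append(f"{rec.activity}: legitimate interest without an LIA reference")
    # Cross-border transfers must name destination and Art. 33 mechanism.
    if rec.cross_border is not None:
        for key in ("country", "mechanism"):
            if not rec.cross_border.get(key):
                problems.append(f"{rec.activity}: cross-border transfer missing {key}")
    return problems


def retention_years(rec: ProcessingRecord) -> int:
    heightened = rec.sensitive or rec.children or rec.lawful_basis == "legitimate_interest"
    return EXTENDED_RETENTION_YEARS if heightened else BASE_RETENTION_YEARS


def _add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:                      # 29 February landing on a non-leap year
        return d.replace(year=d.year + years, day=28)


def retain_until(rec: ProcessingRecord) -> Optional[date]:
    """Keep the entry until end-of-processing or last update (whichever is later) + N years."""
    if rec.ended is None:
        return None                         # activity still running: no clock yet
    anchor = max(rec.ended, rec.last_updated or rec.ended)
    return _add_years(anchor, retention_years(rec))


def due_for_review(records: list, today: date) -> list:
    """Activities whose retention window has closed and may be considered for disposal."""
    return [r.activity for r in records
            if (until := retain_until(r)) is not None and until <= today]


# Constructed sample inventory (not real data).
SAMPLE_RECORDS = [
    ProcessingRecord("payroll", "Exemplo Ltda.", ["employees"], ["identification", "financial"],
                     "salary payment", "contract", ["payroll processor", "tax authority"],
                     "5 years after termination", ["encryption at rest", "RBAC"],
                     processor="Folha S.A.", started=date(2019, 1, 1),
                     ended=date(2020, 6, 30), last_updated=date(2020, 7, 15)),
    ProcessingRecord("marketing-analytics", "Exemplo Ltda.", ["customers"], ["contact", "behavioural"],
                     "campaign measurement", "legitimate_interest", ["ad platform"],
                     "24 months", ["pseudonymisation"],
                     cross_border={"country": "US", "mechanism": ""},   # mechanism left blank
                     started=date(2023, 3, 1), last_updated=date(2025, 1, 10)),
    ProcessingRecord("telehealth-triage", "Exemplo Ltda.", ["patients"], ["health"],
                     "remote triage", "consent", ["clinic"], "while the patient is active",
                     ["encryption in transit", "audit logging"], sensitive=True,
                     started=date(2021, 5, 1), ended=date(2024, 2, 29), last_updated=date(2024, 1, 10)),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.activity, "->", validate(rec) or "ok", "retain until", retain_until(rec))
    print("due for review on 2026-06-02:", due_for_review(SAMPLE_RECORDS, date(2026, 6, 2)))
```

Running it shows the marketing entry failing twice (no LIA and no Article 33 mechanism), the payroll entry expiring on 2025-07-15 (last update, not end of processing, is the later anchor), and the health entry kept until 2031-02-28 because the seven-year window starts on a leap day. The validator is deliberately strict about legitimate-interest and cross-border entries because those are the fields the ANPD singles out for heightened documentation.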

Source: Lei nº 13.709, de 14 de agosto de 2018 (LGPD), Articles 37, 40, and 55-J
Source: Resolução CD/ANPD nº 15, de 24 de abril de 2024 — Regulation on Security Incident Communication, Article 12
Source: Resolução CD/ANPD nº 2, de 27 de janeiro de 2022 — Small-Scale Agents, Article 9
