Data Protection and Conflict of Interest
The role of the Data Protection Officer (DPO), or Encarregado de Dados, is critical to fostering a culture of privacy and data protection in organisations. Given their unique position, DPOs must have independence, autonomy, and direct access to senior management to fulfil their duties effectively. However, as organisations seek to optimise resources, the possibility of role accumulation often arises, whereby a DPO might take on additional responsibilities within the company. This raises significant questions around conflict of interest, particularly as data protection regulations continue to evolve in Brazil and globally.
At the heart of the conflict of interest discussion is whether a DPO can genuinely remain impartial when their role intersects with other business functions, especially if those functions might impact or influence data privacy policies. The recent Resolution CD/ANPD No. 18 issued by the National Data Protection Authority (ANPD) addresses this, setting out guidelines to help organisations navigate potential conflicts. This resolution marks an important regulatory advance, as it brings clarity to the DPO’s role, stipulating that while additional roles may be permissible, they should not interfere with the DPO’s duty to protect data and advise on privacy-related matters.
In the private sector, this discussion aligns with broader corporate governance principles, where independence and unbiased judgement are crucial. Under Article 115 of Law 6.404/76, which governs corporate entities in Brazil, a shareholder’s voting rights are limited when exercised with intent to harm the company or its stakeholders. By extension, this principle supports the argument that a DPO’s responsibilities should remain free of any organisational influence that could impair their ability to protect data effectively. This standard also helps reinforce the DPO’s role as a neutral advisor who can engage in decision-making processes without undue pressure.
In the public sector, conflict of interest is addressed under Law 12.813/13, which defines such a situation as one in which a public official’s private interests may improperly influence their official duties. Applying this principle to the DPO’s role underscores the importance of maintaining clear boundaries between their responsibilities and any personal or organisational interests that could impact their judgement. As the DPO role becomes more embedded in Brazilian companies, the need for such clear demarcations grows, especially as privacy becomes a more central aspect of governance.
Resolution CD/ANPD No. 18 includes provisions that ensure a DPO’s technical autonomy, granting them direct access to the organisation’s top decision-makers and thereby reinforcing their ability to make independent recommendations. However, recognising that organisational structures vary widely, the ANPD’s framework allows flexibility for the DPO to accumulate other roles, provided no conflict of interest arises. This flexibility enables organisations to tailor the DPO function to their specific governance needs without compromising privacy principles.
To further mitigate conflicts, organisations may appoint an Alternate DPO in cases of absence or potential conflict, establish a Privacy Committee that supports the DPO, or even opt for an external “DPO as a Service” arrangement. These alternatives provide the support structures needed to allow the DPO to remain impartial and effective, particularly in complex or highly regulated environments.
In practical terms, managing conflict of interest involves assessing three primary risks: ensuring that data protection takes priority when competing with other DPO responsibilities, evaluating the DPO’s influence within the organisation, and providing adequate resources for the DPO to perform their duties effectively. This holistic approach ensures that privacy is given the prominence it deserves in decision-making and is protected from any organisational pressures that may compromise its integrity.
When a potential conflict is identified, organisations should reassess the DPO’s placement, particularly if they are involved in departments where strategic data processing decisions are made, such as HR, Finance, or Auditing. In such cases, safeguards such as clear role definitions, transparent reporting lines, and regular conflict assessments are crucial. The failure to address these conflicts proactively could expose the organisation to regulatory scrutiny and potential penalties from the ANPD, highlighting the importance of these preventive measures.
Documenting potential conflicts is an essential best practice. By identifying roles or responsibilities that may be incompatible with the DPO’s duties, organisations can proactively manage these conflicts. For instance, if a DPO holds an additional role in a high-stakes department, the organisation may wish to clearly document this arrangement and outline any steps taken to mitigate potential conflicts. This documentation should extend beyond senior management roles to include lower-level positions that might still have an impact on data processing practices.
Another key consideration is transparency in organisational policies. It is advisable for organisations to include conflict of interest guidelines in their internal policies, which should detail the actions taken to avoid conflicts, as well as the consequences for failing to comply. Ensuring that the DPO’s employment contract includes safeguards against unwarranted dismissal is equally important, protecting the DPO from retaliatory actions that could arise from performing their duties objectively. These measures provide the DPO with the security needed to carry out their role independently, strengthening the organisation’s data protection framework.
Effective conflict of interest management also contributes to a wider culture of data protection within the organisation. By recognising the DPO’s role as a long-term advisor on privacy matters rather than a temporary project lead, organisations can integrate privacy more deeply into their core operations. The ANPD’s regulatory guidelines promote this by encouraging organisations to establish educational campaigns, conduct regular privacy committee meetings, and document all actions taken, further embedding privacy in daily operations.
In summary, while the accumulation of roles by a DPO may offer flexibility, it must be accompanied by a rigorous and ongoing conflict of interest assessment. Implementing comprehensive safeguards to protect the DPO’s independence, such as transparent documentation, cross-functional privacy committees, and direct reporting lines, strengthens the DPO’s advisory capacity and reinforces the organisation’s commitment to data protection. These proactive measures not only enhance the DPO’s function but also reflect an organisation’s dedication to maintaining high standards of governance and regulatory compliance, ensuring that privacy remains a priority in an ever-evolving data landscape.
Article provided by INPLP member: Patricia Peck Pinheiro (Peck Advogados, Brazil)
co-author: Cecilia Castro
Dr. Tobias Höllwarth (Managing Director INPLP)