Imagem de fallback

Key Points on ANPD Guides

18 May 2023

Check out the essential points from the main guidance materials published by ANPD.


The National Data Protection Authority (“ANPD”) was created by Law No. 13,853/2019 and officially began operating in August 2020, playing a fundamental role in regulating and supervising the General Data Protection Law (“LGPD,” Law No. 13,709/2018). It is responsible for applying sanctions and guiding companies and organizations on best practices for processing personal data.

In this regard, ANPD has launched several public consultations to gather input from society on topics to be regulated and has published various guides and reports to assist data subjects and processing agents in understanding and applying LGPD. Below are the key points from the main guidance materials published by ANPD to date:

  1. Guidance on Cookies and Data Protection

    By drawing inspiration from the European Union’s General Data Protection Regulation (“GDPR”), ANPD seems to have overlooked the fact that, in Europe, the requirement to obtain consent for non-essential cookies stems from an explicit provision in Article 5.3 of the ePrivacy Directive, which mandates user consent for storing or accessing data on their device. However, no equivalent rule exists in Brazilian legislation, making this interpretation in the guidance document questionable and debatable.

    Although this guide does not have regulatory force, it naturally serves as a reference for ANPD’s perspective on the matter and provides insights into how the authority may apply LGPD in future situations, even though it remains subject to updates and corrections. In this context, we believe this section of the guide should be revised, as its legal basis appears unsustainable.

  2. Guidance on Defining Data Processing Agents and the Data Protection Officer (DPO)

    ANPD issued a guidance document introducing new insights into the definition of data processing agents and the data protection officer (DPO), as outlined in LGPD. The document clarifies that the role of the DPO can be fulfilled by either a natural or legal person, regardless of specific academic qualifications, as long as they have the necessary skills to perform the function. It also emphasizes that responsibility for data processing always lies with the data processing agent (company or entity), not the DPO. ANPD recommends that companies establish criteria for appointing the DPO, such as prior experience in data protection and knowledge of the organization’s activities.

    A key point of concern in the guide is the concept of joint controllership – something not explicitly defined in LGPD. ANPD clarifies that joint controllership will be characterized if three conditions are met simultaneously: a) More than one controller has decision-making power over data processing; b) There is a mutual interest between two or more controllers, based on their own purposes, regarding the same data processing; andc) Two or more controllers make common or convergent decisions regarding the purposes and essential elements of processing.

    It is important to remember that joint controllers have joint liability, requiring careful analysis to determine whether the three conditions highlighted by ANPD are indeed met in the specific processing context.

  3. Preliminary Study – Legal Bases for Processing Personal Data of Children and Adolescents

    One of the key positive points is the indication that, although consent is the most common legal basis for processing children’s personal data, it is not the only possibility. The document highlights that other legal bases may also apply, provided that the best interest of the minor is observed in each specific case. ANPD conducted a preliminary study on the legal bases applicable to the processing of personal data of children and adolescents.

    This interpretation reinforces Enunciado 684 of the Federal Justice Council, which states that “Article 14 of Law No. 13,709/2018 (General Data Protection Law – LGPD) does not exclude the application of other legal bases, if applicable, as long as the best interest of the child is observed.” We hope that ANPD confirms this interpretation in future regulations. Due to its significance and level of detail, the Regulation on Dosimetry and Application of Administrative Sanctions is analyzed in a separate post.