Flag of Brazil



Article 55-J

Competencies ANPD - National Data Protection Authority

ANPD is responsible for:

  • I - ensure the protection of personal data, in accordance with the law;
  • II - ensure compliance with commercial and industrial secrets, observing the protection of personal data and the confidentiality of information when protected by law or when breach of confidentiality violates the fundamentals of art. 2 of this Law;
  • III - elaborate guidelines for the National Policy of Personal Data Protection and Privacy;
  • IV - supervise and apply sanctions in case of processing of data carried out in breach of the law, through administrative process that ensures the contradictory, the broad defense and - the right of appeal;
  • V - to consider petitions of holder against controller after the holder evidences the filing of a complaint to the controller that is not resolved within the period established by regulation;
  • VI - promote in the population the knowledge of the norms and the public politics on protection of personal data and the security measures;
  • VII - promote and elaborate studies on national and international practices of personal data protection and privacy;
  • VIII - encourage the adoption of standards for services and products that facilitate the exercise of control of the holders over their personal data, which should take into account the specificities of the activities and the size of those responsible;
  • IX - promote cooperation actions with personal data protection authorities of other countries, of an international or transnational nature;
  • X - provide for the forms of advertising of personal data processing operations, respecting commercial and industrial secrets;
  • XI - request, at any time, the public authorities to carry out personal data processing operations to provide specific information on the scope, nature of the data and other details of the processing performed, with the possibility of issuing a complementary technical opinion to ensure the compliance with this law;
  • XII - prepare annual management reports on its activities;
  • XIII - to edit regulations and procedures on protection of personal data and privacy, as well as on reports of impact to the protection of personal data for cases where the treatment represents high risk to the guarantee of the general principles of protection of personal data foreseen in this Law;
  • XIV - listen to treatment agents and society on matters of relevant interest and report on their activities and planning;
  • XV - collect and apply its income and publish, in the management report referred to in item XII of the caput of this article, a breakdown of its income and expenses;
  • XVI - perform audits, or determine their performance, within the scope of the inspection activity dealt with in item IV and with due observance of the provisions of item II of the caput of this article, on the processing of personal data by the processing agents, including the public power;
  • XVII - enter into, at any time, a commitment to treatment agents to eliminate irregularity, legal uncertainty or contentious situation in the context of administrative proceedings, in accordance with Decree-Law No. 4,657 of September 4, 1942;
  • XVIII - Edit simplified and differentiated rules, guidelines and procedures, including deadlines, so that micro and small businesses, as well as incremental or disruptive business initiatives that call themselves startups or innovation companies, can adapt to this. Law;
  • XIX - ensure that the data processing of the elderly is carried out in a simple, clear, accessible and appropriate to their understanding, pursuant to this Law and Law No. 10,741, of October 1, 2003 (Statute of the Elderly);
  • XX - deliberate, at the administrative level, on a terminative basis, on the interpretation of this Law, its powers and omitted cases;
  • XXI - report to the competent authorities the criminal offenses of which he is aware;
  • XXII - report to the internal control organs the non-compliance with the provisions of this Law by federal public administration agencies and entities;
  • XXIII - articulate with public regulatory authorities to exercise their powers in specific sectors of economic and governmental activities subject to regulation; and
  • XXIV - implement simplified mechanisms, including by electronic means, for the registration of complaints about the processing of personal data in breach of this Law.
  • 1. In imposing administrative conditions on the processing of personal data by private processing agents, whether limits, charges or obligations, the ANPD shall observe the requirement of minimum intervention, ensuring the grounds, principles and rights of the holders provided for in art. 170 of the Federal Constitution and this Law.
  • 2. The regulations and rules issued by the ANPD shall be preceded by public consultation and hearing, as well as regulatory impact analyzes.
  • 3. The ANPD and the public bodies and entities responsible for the regulation of specific sectors of economic and governmental activity shall coordinate their activities, in the corresponding spheres of activity, with a view to ensuring the fulfillment of their duties with the greatest efficiency and promoting the proper functioning. regulated sectors, according to specific legislation, and the processing of personal data, pursuant to this Law.
  • 4. The ANPD shall maintain a permanent communication forum, including through technical cooperation, with public administration bodies and entities responsible for the regulation of specific sectors of economic and governmental activity, in order to facilitate the ANPD's regulatory, supervisory and punitive powers.
  • 5. In exercising the powers referred to in the main section of this article, the competent authority shall ensure the preservation of business secrecy and confidentiality of information, in accordance with the law.
  • 6. Complaints collected in accordance with the provisions of section V of the caput of this article may be analyzed in aggregate form, and any measures resulting from them may be adopted in a standardized manner.