Brazil’s Data Protection Authority formally notifies DPO in landmark enforcement action

The publication of Notice No. 1, dated March 23, 2026, marks the first formal electronic notification of a Data Protection Officer in a sanctioning process involving a private entity.

This represents a turning point in enforcement.

DPO role becomes enforceable

The DPO is no longer merely a formal requirement.

It becomes an operational and accountable role.

Authorities expect:
clear designation
public contact channel
technical response capability

Shift in enforcement approach

The authority is moving from reactive enforcement to proactive verification of compliance structures.

Companies without a properly designated and accessible DPO are already non-compliant.

Strategic implications

Organizations must ensure that their DPO is effectively integrated into governance and capable of responding to regulatory scrutiny.
