On August 23, 2024, the Brazilian Data Protection Authority (ANPD) issued CD/ANPD Resolution No. 19, which establishes the Regulation on International Transfer of Personal Data and approves the content of the Brazilian standard contractual clauses.
What are the impacts of the new Regulation?
The new Regulation applies both to transfers between organizations within the same group and to the sharing of personal data with other processing agentes outside Brazil. For example, the use of software and/or data hosting services abroad, such as cloud storage and processing.
Processing agents that carry out international transfer of personal data will need to implement specific contractual mechanisms or pre-approved governance mechanisms.
The deadline for processing agents to adapt their international transfer mechanisms to the Regulation is 12 months.
When will there be international data transfer?
There will be international data transfer when the processing agent (controller or operator) located in Brazil transfers personal data to a foreign country or international organization.
The collection of personal data directly by the processing agent located abroad is not considered an international transfer.
How to perform international data transfers?
Processing agents must update their governance program and privacy notices.
With the Resolution, it is mandatory to adopt one of the mechanisms provided for in the Brazilian Data Protection Law (LGPD) to allow the transfer of data to other jurisdictions, such as standard contractual clauses (known as Standard Contractual Clauses under the General Data Protection Regulation – GDPR).
The international transfer must necessarily be supported by one of the legal basis provided for in the Brazilian Data Protection Law – LGPD and one of the following mechanisms:
- Adequacy decision: the transfer may be made to countries or international organizations recognized by ANPD’s adequacy decision, in accordance with the criteria provided for in the Regulation.
- Standard contractual clauses (SCCs): if the international transfer is based on the standard contractual clauses, processing agents must use the template provided for in Annex II of the Regulation. The standard contractual clauses must be adopted unchanged, except for filling in the corresponding fields with information about the parties involved and the transfer.
- Specific contractual clauses: processing agentes may use specific contractual clauses if proven that standard contractual clauses are not applicable.. This mechanism must be approved by ANPD, in accordance with the Regulation.
- Binding corporate rules (BCR): for international transfer between organizations of the same group or conglomerate, processing agents may use binding corporate rules. This mechanism must also be approved by ANPD, in accordance with the Regulation.
In addition to the above, LGPD sets forth other mechanisms for international transfer that must be verified on a case-by-case basis.
What rights of the data subject must be guaranteed?
According to the Regulation, data subjects have the right to request full access to the clauses used for international data transfer.
The Regulation also sets forth that the controller must publish a document on its website in simple, clear, precise and accessible language, including:
- form, duration and specific purpose of the international transfer;
- country of destination of the transferred data;
- identification and contacts of the controller;
- controller’s shared use of data and the purpose;
- responsibilities of the processing agents and the security measures adopted; and
- data subjects’ rights and the means for their exercise.