The National Data Protection Authority (ANPD) has approved Resolution CD/ANPD No. 19, dated August 23, 2024, which establishes new guidelines for international data transfers.
Below, we highlight the key points of this regulation:
/ Legal Basis and Transfer Mechanisms
The Regulation stipulates that international data transfers may only occur when supported by a legal basis provided in the LGPD and by one of the following international transfer mechanisms:
- Countries with Adequate Protection: Transfer is permitted to countries that offer an adequate level of personal data protection, as determined by an adequacy decision issued by the ANPD.
- Contractual Clauses and Standards: Transfer can be conducted based on standard contractual clauses, binding corporate rules, or specific contractual clauses approved by the ANPD.
- Protection Guarantees: Transfer is also permitted when the controller provides and demonstrates guarantees of compliance with the principles, data subject rights, and data protection regime established in the LGPD, using mechanisms such as seals, certificates, and codes of conduct regularly issued.
- Specific Necessities: Transfer is possible when necessary for:
- International legal cooperation between public authorities for intelligence, investigation, and prosecution purposes, in accordance with international legal instruments.
- Compliance with a legal or regulatory obligation.
- Performance of a contract to which the data subject is a party.
- The regular exercise of rights in judicial, administrative, or arbitration proceedings.
/ Standard Contractual Clauses
- The ANPD has approved the content of standard contractual clauses, which may be incorporated into contracts involving the international data transfers.
- Companies have 12 months from the Regulation’s publication date to bring their contracts into compliance with the new standard clauses.
- For the validity of this mechanism, the full adoption of the text provided by the ANPD, without alterations, is required.
- The full text of the clauses used must be made available to data subjects upon request within 15 days, subject to commercial and industrial confidentiality.
- Controllers must publish on their website a detailed document about the international data transfer. This information may be integrated into the Privacy Policy and must include, among other details: (i) the destination country of the data; and (ii) the complete identification and contact details of the controller.
Note: The ANPD may also recognize the equivalence of standard contractual clauses from other countries or international organizations through its specific procedures.
/ Specific Contractual Clauses
- The controller may request ANPD’s approval of specific contractual clauses, following the process described in the Regulation.
- For approval, the specific clauses must ensure the application of the LGPD to the international data transfer and its submission to ANPD’s supervision.
- The ANPD will review whether the clauses are compatible with the LGPD and the risks and benefits of approval, including impacts on international data flows and Brazil’s international relations.
- The ANPD will publish the list of approved specific contractual clauses on its website, including the name of the applicant and the date of approval. Additionally, if requested by the data subject, the controller must provide the full text of the clauses.
/ Binding Corporate Rules
- Binding corporate rules (BCRs) can be used for data transfers within companies of the same group and must be binding for the members that adhere to them.
- The BCRs must detail the international data transfer operations, including the categories of data, purposes of processing, and the countries to which the data may be transferred. It must also identify the corporate group structure, the responsibilities of each entity in the data processing, and provide information on how data subjects can exercise their rights.
- To be valid, BCRs must be submitted to the ANPD for approval, which will assess whether they provide sufficient data protection guarantees in accordance with the LGPD. Furthermore, these clauses must be linked to a privacy governance program in compliance with the LGPD.
- The ANPD will publish the list of approved BCRs on its website, including the name of the applicant and the date of approval. Additionally, if requested by the data subject, the controller must provide the full text of the clauses.
For more details, download the complete infographic with the main topics of the Regulation.
