On August 23, the National Data Protection Authority (ANPD) published Resolution CD/ANPD No. 19/2024, which regulates International Transfers of Personal Data and defines the content of Standard Contractual Clauses, as provided for in the Brazilian General Data Protection Law (LGPD).
The primary objective of the Regulation is to ensure legal certainty and protect the rights of data subjects, irrespective of the location where such personal data is processed. Accordingly, the Regulation stipulates that an International Data Transfer occurs when the exporter transfers data to the importer and identifies the data processing agents involved in the operation.
The Regulation establishes that the International Transfer of Personal Data will only be permitted when based on a lawful basis provided for in the LGPD, accompanied by one of the following mechanisms:
(i) Countries with Adequate Level of Protection: International Data Transfer is permitted to countries or international organizations that provide an adequate level of data protection, as determined by an adequacy decision to be issued by the ANPD.
(ii) Standard Contractual Clauses (SCCs): The Standard Contractual Clauses may be incorporated: (a) in a specific contract that exclusively regulates International Data Transfers; or (b) in a broader scope contract, through the inclusion of an addendum signed by the exporters and importers involved in the operation. The Standard Contractual Clauses must be incorporated into existing contracts within 12 (twelve) months from the publication of the Regulation.
The Regulation also provides for the possibility of recognizing Equivalent Standard Contractual Clauses from countries or international organizations by the ANPD, as long as they are compatible with the LGPD and comply with the requirements set forth in the Regulation.
(iii) Specific Contractual Clauses: The controller may implement Specific Contractual Clauses, provided that these ensure full compliance with the principles, the rights of the data subject, and the applicable data protection regulations. Additionally, the controller must unequivocally demonstrate that the data transfer cannot be carried out using the Standard Contractual Clauses due to exceptional circumstances, whether factual or legal.
(iv) Binding Corporate Rules (BCRs): This mechanism is intended for companies within the same economic group that carry out International Data Transfers. The Binding Corporate Rules may only be used with the approval of the ANPD and must include the following information: (a) description of the International Data Transfers, including personal data categories, processing operations, purposes, legal basis, and types of data subjects involved; (b) identification of the countries to which the data may be transferred; (c) structure of the corporate group, listing the affiliated entities, their roles in data processing, and the organizations’ contact details; (d) determination of the binding nature of the corporate rule for the members of the group or conglomerate of companies that subscribe to it; (e) allocation of responsibilities, with the identification of the responsible entity; (f) data subjects’ rights and communication channels; (g) rules on the revision of the rules and provision for submission to the ANPD; and (h) communication to the ANPD in case of changes to the guarantees related to the principles, data subjects’ rights, and the data protection regime provided for in the LGPD.
(v) Regularly Issued Seals, Certificates, and Codes of Conduct: These mechanisms are permitted as long as they offer guarantees of compliance with the principles, the data subject’s rights, and the data protection regime provided for in the LGPD.
(vi) Specific contexts provided for in article 33, Items III to IX, such as: (a) international legal cooperation between public intelligence, investigation, and prosecution authorities, in accordance with international law instruments; (b) protection of the life or physical safety of the data subject or a third party; (c) commitment assumed in an international cooperation agreement; (d) implementation of public policy or the legal mandate of a public service; (e) specific and detailed consent, distinguishing it from other purposes; (f) compliance with a legal or regulatory obligation by the controller; or (g) when necessary for the execution of a contract to which the data subject is a party.
The controller must confirm the characterization of International Data Transfers and ensure transparency of the operation. To this end, it will be necessary to provide data subjects with clear information about the purpose of the Transfer, the recipient countries, and the security measures adopted. Additionally, the controller and the processor will be responsible for adopting effective measures to comply with data protection regulations, in a manner compatible with the level of risk associated with the processing and the transfer mechanism used.
The Regulation imposes an obligation on companies to implement changes or improvements in their International Data Transfer processes, representing a significant step towards aligning Brazil with international data protection standards.
For detailed information about the Regulation and the measures required to ensure compliance, please contact the Data Protection team at KLA.