National Data Protection Authority regulates the international transfer of personal data in Brazil (Resolution No. 19)

August 27, 2024

On August 23, 2024, the National Data Protection Authority (“ANPD”) published Resolution No. 19, approving the Regulation on International Data Transfer. The Regulation establishes the procedures and rules for international data transfer operations and the content of standard contractual clauses, as provided for in the Brazilian General Data Protection Law (Federal Law No. 13,709/2018 – “LGPD”).

This Regulation provides guidelines for the international transfer of data to countries or international organizations with a level of personal data protection that is adequate under the LGPD, as long as the adequacy is recognized by the ANPD, or when the controller proves guarantees of compliance with the LGPD in the form of contractual clauses or global corporate standards. However, the Regulation does not exclude the possibility of carrying out international data transfers based on the other mechanisms provided for in art. 33 of the LGPD, such as seals, certificates and regularly issued codes of conduct, provided that the specifics of the case and the applicable legal requirements are observed.

Specifically regarding the standard contractual clauses, the ANPD has drawn up and approved a standard form of clauses in accordance with the LGPD, which can be part of a contract signed to specifically govern the international transfer of data, or a contract with a broader object, including the signing of an addendum by the importer and exporter involved in the operation (as a document attached to the general contract signed by the parties).

However, for this mechanism to be valid, the ANPD model must be used in full, without any changes. The Regulation also stipulates a period of 12 months from the publication of the Regulation for companies using standard contractual clauses to adjust their contracts to this new model clause.

In order to preserve publicity, the controller must make available within 15 (fifteen) days to the data subject, upon request, the full text of the clauses used for the transfer, respecting commercial and industrial secrets. At the same time, the controller must also publish on its website a document containing information, in Portuguese, about the international data transfer, including, for example, the country of destination of the data transferred and the identification and contact details of the controller, among other information provided for in the Regulation. Alternatively, this document can be integrated, in a prominent and easily accessible way, into the Privacy Policy or an equivalent instrument.

Furthermore, it is important to note that the ANPD may recognize the equivalence of standard contractual clauses from other countries or bodies with the standard clauses drawn up by the ANPD through a procedure that may be initiated by decision of the Board of Directors, ex officio, or at the request of interested parties.

Controllers will also be allowed to ask the ANPD to approve specific contractual clauses to carry out the international transfer of data, in accordance with the procedure set out in the Regulation, but only in cases where it is not possible to use the standard contractual clauses.

The ANPD’s decisions regarding the Regulation, such as the standard contractual clauses that are considered equivalent and the suitability of countries, will be approved by resolution of the Board of Directors and published on the ANPD’s official website.

With regard to global corporate rules, the Regulation establishes the requirements and approval procedure for such rules that can be used to authorize international data transfers between organizations of the same group or conglomerate of companies, which are binding on the members of the group that subscribe to them. These rules must be linked to the implementation of a data protection governance program in compliance with the LGPD, as well as comply with the minimum requirements set out in the Regulation, such as the description of the international data transfers to which the instrument applies, including the categories of personal data, the processing operation and its purposes, the legal hypothesis and the types of data subjects.

Finally, the international data transfer may only be carried out to fulfill legitimate, specific, explicit purposes that have been informed to the data subject, without the possibility of further processing in a way that is incompatible with these purposes, in addition to being based on one of the legal hypotheses provided for in articles 7 and 11 of the LGPD. In this sense, the Regulation establishes the responsibility of the controller to verify these issues and whether the processing operation characterizes an international transfer of data, without prejudice to the processor’s duty to assist the controller by providing the necessary information on the subject.

In case of any doubts about this subject, please do not hesitate to contact us.

Paula Mena Barreto, Partner
