International Data Transfer is regulated
On August 23rd, Resolution CD/ANPD No. 19/2024 (“Resolução CD/ANPD nº 19/2024”) came into force, approving the International Data Transfer Regulation (“Regulation”) and the content of the standard contractual clauses, which are extremely important for data security. Check out the details below!
The new rules apply to operations involving international data transfers a) to countries or international organizations that provide an adequate level of personal data protection (under Law No. 13709/2018, formerly known as “General Data Protection Law” or “LGPD”); or b) when the data controller offers guarantees of compliance with the (i) principles, (ii) data owner rights, and (iii) data protection under LGPD, which must occur in one of the following manners: either through specific contractual clauses for a specific transfer; or standard contractual clauses; or global corporate standards.
The provisions of the new Regulation do not nullify the possibility of international transfers occurring under the other mechanisms already provided for in LGPD, that is, those that do not depend on the Regulation, if the specific requirements of a particular case are met.
International transfer characterization
An international transfer will occur whenever the exporter transfers personal data to the importer. International data collection alone, however, does not characterize a transfer.
National legal basis application
The international transfer must comply with LGPD and the Regulation when: (i) the data is processed in Brazil; (ii) the processing’s purpose is offering or providing items or services, or processing data of individuals located in Brazil; (iii) the personal data subject to the processing were collected in Brazil.
LGPD will also apply to data originating from abroad whenever they are processed in Brazil. Only in the following cases will data originating from abroad not have to comply with LGPD: (i) when there is a transfer of personal data without communication or shared use of data with the processing agent in Brazil; or (ii) when there is a return of personal data, subject to processing in Brazil, provided that the return is to the country or international organization of origin and the requirements outlined in the Regulation are met (Article 8, first paragraph, II, “a”, “b” and “c”).
Transfer mechanism
The international data transfer may only occur to meet legitimate, specific, and explicit purposes of which the data owner has been informed, without the possibility of subsequent processing if such processing is incompatible with these purposes. Furthermore, it must be limited to the minimum necessary to achieve its purposes. In addition, the transfer must be supported by (i) one of the hypotheses of Articles 7 or 11 of LGPD; and (ii) one of the valid mechanisms for international transfer.
Assessment of the Level of Personal Data Protection
The criteria for assessing the level of personal data protection in a foreign country or international organization are:
- General and sectoral standards in force;
- The data nature;
- Compliance with general principles of personal data protection and of the data owner rights under LGPD;
- Adoption of adequate security measures to minimize impacts on data owners;
- Existence of judicial and institutional guarantees for the respect of personal data protection rights; and
- Other specific circumstances related to the transfer.
The adequacy decision will be made through a Board of Directors’ resolution and will be published on ANPD’s website.
Standard contractual clauses
Available as an appendix to the Regulation, the standard clauses establish minimum guarantees and valid conditions for carrying out international data transfers.
Such clauses must be adopted in full and without amendments, through a contractual instrument signed between the exporter and the importer, and may also be part of (a) an agreement entered into specifically to govern international data transfers; or (b) an agreement with a broader purpose, including through the signing of an amendment by the exporter and the importer involved in the transaction. Furthermore, any other contractual instrument between the parties may not exclude, amend, or contradict the standard clauses.
An interesting point is that ANPD may recognize the equivalence of standard contractual clauses from other countries or international organizations with the contractual clauses published in the regulation, according to a specific procedure.
If requested, the controller must provide the owner with the full clauses used to carry out the international transfer, except for commercial and industrial secrets, within 15 days.
On its website, the controller must also publish a document, in Portuguese and using simple, clear, precise, and accessible language, about the transfer, containing at least the following information: (i) the form, duration, and specific purpose of the international transfer; (ii) the country of destination of the transferred data; (iii) the identification and contact details of the controller; (iv) the shared data use by the controller and the purpose; (v) the responsibilities of the agents who will carry out the processing and the security measures adopted; and (vi) the data owner rights and the means for exercising them, including an easily accessible channel and the right to petition against the controller to the ANPD.
Specific contractual clauses
In rare cases, only when the international data transfer cannot occur through the standard clauses due to exceptional circumstances of fact or of law (which must be proven by the controller), the controller may request the ANPD to approve specific contractual clauses. Such clauses must provide for the application of national personal data protection legislation to the international data transfer and their submission to the ANPD’s supervision.
Global corporate rules
Global corporate rules, which must contain the minimum information required by the Regulation, are those intended for international data transfers between organizations in the same group or conglomerate of companies. Such rules are binding on the members of the group that subscribe to them. Furthermore, such rules constitute a valid mechanism for carrying out international transfers of personal data only to the organizations or countries covered by them.
Finally, all data processing agents that use contractual clauses to transfer data internationally have 12 months to incorporate the standard clauses into their agreements.