5 September 2024
ANPD publishes document regulating the international transfer of data
On 23 August, the National Data Protection Authority (ANPD) published Resolution CD/ANPD No. 19/2024, which approved its International Data Transfer Regulation. The aim of the document is to establish the procedures and rules applicable to international data transfer operations, both to countries or international organizations that provide a level of personal data protection adequate to that provided for in the General Data Protection Law (LGPD), and to controllers that offer and prove guarantees of compliance with the principles, the rights of the data subject and the data protection regime provided for in the LGPD, in the form of specific contractual clauses for a given transfer, standard contractual clauses or global corporate standards.
Firstly, the regulation sets out principles and guidelines to be observed in the context of international data transfers. These include compliance with the principles, the rights of the data subject and a level of protection equivalent to that provided for in national legislation, regardless of the country where the personal data being transferred is located; the adoption of simple procedures, preferably interoperable and compatible with international standards and best practices; and responsibility and accountability, through the adoption of measures capable of proving compliance with the principles of the rights of the data subject and data protection law. In addition, this same article emphasizes the implementation of effective transparency measures, which ensure that data subjects are provided with clear, precise and accessible information about the transfer, with due regard for commercial and industrial secrets.
The document then goes on to provide the definitions it adopts, such as the definition of exporter and importer, international data transfer, international data collection and international data transfer mechanisms. It also sets out in a separate article the general requirements for carrying out the international transfer of data. Here, it notes that it is up to the controller to check, under the terms of the LGPD and the regulation, whether the processing operation characterizes an international data transfer; whether it is subject to national personal data protection legislation; and whether it is supported by a valid legal hypothesis and international transfer mechanism.
In the following articles, the regulation also characterizes the international transfer of data and differentiates it from the international collection of data. It specifies that an international transfer is characterized when personal data is transferred from an exporting agent to an importing agent located in a foreign country. International data collection, on the other hand, is defined as obtaining the data subject’s personal data directly from an agent located abroad, and therefore does not constitute an international transfer, although it must follow the provisions of the LGPD.
With regard to the legal hypotheses and transfer mechanisms, the ANPD has ruled that the international transfer of data can only be carried out to meet legitimate, specific, explicit purposes that have been informed to the data subject, without the possibility of further processing in a way that is incompatible with these purposes, provided that it is supported by the hypotheses of articles 7 and 11 of the LGPD, and uses valid transfer mechanisms, such as an adequacy decision recognized by the ANPD, contractual clauses, or global corporate standards.
The regulation then addresses the particularities of adequacy decisions, standard contractual clauses, specific contractual clauses and global corporate standards. Adequacy decisions are decisions by which the ANPD recognizes that the level of personal data protection of a foreign country or international body is equivalent to that of Brazilian law, based on specific criteria. Standard contractual clauses, which have already been approved by the ANPD, establish minimum guarantees and valid conditions for international data transfers. Here, it is important to highlight the so-called equivalent standard contractual clauses, i.e. standard contractual clauses from other countries or international organizations that can be recognized by the ANPD as equivalent to the contractual clauses published in the regulation. Specific contractual clauses, by contrast, must be submitted by the controller for approval by the ANPD and must prove guarantees of compliance with the principles and rights set out in the LGPD. Global corporate standards, meanwhile, are intended for international data transfers between organizations in the same group or conglomerate of companies.
Finally, the document sets out the transparency measures to be adopted and indicates that the ANPD must publish a list of the specific contractual clauses and approved global corporate standards on its website. It also stipulates that the controller must make the full text of the specific contractual clauses or global corporate standards available to the data subject on request, by publishing a document in plain language on the international data transfer on its website. In addition, the regulation contains an annex with a model of content and form for the standard contractual clauses, which can be part of contracts concluded to specifically govern the international transfer of data.
The International Data Transfer Regulation can be accessed via the link: Resolução CD/ANPD nº 19/2024
Note: For quick release, this English version is provided by automated translation without human review.