On August 23, the National Data Protection Authority (ANPD) published Resolution CD/ANPD 19, which approves the International Data Transfer Regulation and establishes the content of the standard contractual clauses.
The regulation defines essential guidelines and procedures for transferring personal data to countries or international organizations, ensuring compliance of these operations with Law 13,709/18 – the General Data Protection Law (LGPD).
In general, the Regulation applies where:
- the processing operation is carried out in the national territory;
- the processing activity is aimed at offering or supplying goods or services or processing data of individuals located in the national territory; or
- the personal data processed are collected in the national territory.
On the other hand, the regulation excludes from its scope personal data that originate abroad and are processed in the national territory, when such data are returned to the country or international organization of origin under the conditions outlined in Article 8, II.
Among the new topics the ANPD addresses, the distinction between international data transfer and international data collection stands out. The first is characterized by the export of data to the importer. The second involves the direct collection of the data subject's data by a processing agent located abroad.
The distinction matters because the regulation does not apply to collection scenarios, which must comply with the provisions of the LGPD when one of the situations indicated in Article 3 is verified.
International data transfers may only occur to meet legitimate, specific, and explicit purposes that are communicated to the data subject, without the possibility of further processing incompatible with these purposes. These transfers must also be based on one of the legal bases provided for in the LGPD and made through one of the mechanisms provided for in the regulation.
Also noteworthy is the regulation of transfer mechanisms, that is, how the international transfer can be executed. The regulation covers the following mechanisms:
- transfers to countries or international organizations that provide a degree of data protection recognized by the ANPD; or
- transfers through standard contractual clauses, global corporate standards, or specific contractual clauses.
Thus, the ANPD defined the procedure for issuing a decision on the level of protection of personal data of a foreign country or international organization. The regulation identifies the parties with standing to initiate the process, including public agencies, the specialized federal prosecutor's office, and the ANPD itself by letter, among others.
In Annex II of the regulation, the ANPD published the standard clauses for personal data transfer. These contractual clauses aim to ensure the adoption of appropriate safeguards for compliance with the principles, the rights of the data subject, and the data protection regime. They can be incorporated both in specific transfer contracts and in contracts with broader objects, as long as they are inserted in full, that is, without changes.
At this point, the regulation establishes that the controller must publish on its website information about the international transfer of data, including at least the following:
- information on the form, duration, and specific purpose of the international transfer;
- the country of destination of the transferred data;
- the identification and contacts of the controller;
- the shared use of data by the controller and the purpose;
- the responsibilities of the agents who will carry out the processing and the security measures adopted; and
- the rights of the data subject and the means for exercising them, including an easily accessible channel and the right to petition against the controller at the ANPD.
The regulation establishes the obligation of the controller – subject to commercial and industrial secrecy – to present the data transfer clauses to the data subject upon request. This includes the specific clauses and global corporate standards, as explained below. In this way, one more right is incorporated into the already established list of data subject rights of Article 18 of the LGPD.
The regulation also allows for specific contractual clauses where the international transfer of data cannot be carried out through the standard contractual clauses, due to exceptional circumstances of fact or law duly proven by the controller.
In any case, the clauses must provide for the application of national legislation on the protection of personal data to the international transfer of data and its submission to the supervision of the ANPD.
The last regulated transfer mechanism is the global corporate standard, intended for international data transfers between organizations of the same group or conglomerate of companies. It is binding on the members of the group who subscribe to it.
These standards should provide information such as:
- the categories of personal data;
- the processing operation and its purposes;
- the legal hypothesis and types of data subjects;
- the structure of the group or conglomerate of companies, containing the list of related entities;
- the role played by each organization in the processing; and
- the contact details of each organization processing personal data.
Although these standards cover several companies of the same group, the legislation assigns liability for non-compliance with global corporate standards to the responsible entity, which is the one headquartered in Brazil, even if the violation is due to an act performed by a member of the group or conglomerate of companies headquartered in another country.
These rules, as well as the specific clauses, need to be approved by the ANPD according to the procedure established by the regulation – which is expected for both mechanisms.
After the approval of these mechanisms, the ANPD will publish, on its website, the list of specific contractual clauses and approved global corporate standards, observing commercial and industrial secrets. The respective applicant, the date of approval, and the decision rendered by the board of directors must be indicated, in addition to other necessary information, by the responsible technical area.
The regulation inserted several specific obligations that must be observed by processing agents to carry out international transfers. In many cases, this will require the amendment of contracts to reflect these new duties, under penalty of the application of the sanctions provided for in the LGPD.
Entities subject to the regulation will have up to 12 months to adapt their contracts and processes to the new requirements established by the ANPD. During this time, organizations should review their processes to ensure that all international data transfers comply with standard contractual clauses or other legal bases provided for in the LGPD.