In brief
The Brazilian Data Protection Authority (ANPD) published the Resolution CD/ANPD No. 19, which creates the procedures and rules for recognizing the suitability of other countries or international bodies to carry out international personal data transfer operations (“Regulation“), as well as approving the standard contractual clauses that may be used by processing agents to legitimize the international transfer of personal data.
The Regulation establishes procedures and criteria for recognizing the adequacy of other countries and international bodies, attesting to the equivalence of the level of protection of personal data in relation to the Brazilian regime, thus authorizing the transfer of personal data to such countries and bodies without the need to execute additional documents. The procedures set out in the Regulation for issuing the adequacy decision include technical and legal analysis and deliberation by the Board of Directors by means of a Resolution.
In addition, as established by the Brazilian Data Protection Law (LGPD), in cases where the country or international body does not have an adequacy decision, controllers can use contractual instruments to provide the necessary guarantees to authorize international transfers by executing standard contractual clauses, specific contractual clauses or corporate binding rules.
Some of the main aspects related to the aforementioned contractual instruments introduced by the Regulation are described below:
- Standard Contractual Clauses: Processing agents have twelve (12) months to adapt their previously executed contracts to the standard contractual clauses. The standard contractual clauses must be adopted unchanged to guarantee the validity of the international transfer of personal data. The ANPD may recognize the equivalence of standard contractual clauses from other countries or international bodies with the standard contractual clauses published by the ANPD ex officio or upon request.
- Specific Contractual Clauses: Controllers may ask the ANPD to approve specific contractual clauses when the standard clauses are not applicable, due to exceptional circumstances of fact or law. These clauses must offer, as a minimum, guarantees of compliance with the principles and rights established by the LGPD.
- Corporate Binding Rules: For transfers of personal data between entities in a group or conglomerate of companies, corporate binding rules may be drawn up, which will be mandatory for all entities in the group and must be linked to the implementation of a privacy governance program. These standards must be submitted to the ANPD and are subject to its evaluation and approval.
The Regulation also establishes that the ANPD will publish approved specific contractual clauses and corporate binding rules on its website, indicating the respective applicant, as well as other information deemed relevant by the technical area.
In addition, the Regulation establishes the obligation of controllers to make available to data subjects, in full and upon request, the clauses used to base international transfers of their personal data, observing commercial and industrial secrets.
The Regulation is binding and effective from 23 August 2024.
* * * * *
Trench Rossi Watanabe and Baker McKenzie have executed a strategic cooperation agreement for consulting on foreign law.
