On August 23, 2024, Brazil’s Data Protection Authority (ANPD) published Resolution CD/ANPD No. 19/2024, focusing on international transfers of personal data. This new regulation establishes guidelines for data transfers based on the Brazilian General Data Protection Law (LGPD) and outlines specific responsibilities for both data controllers and processors regarding compliance. Notably, it emphasizes that foreign processors receiving data from Brazil must also adhere to these guidelines.
The regulation broadens the definition of international transfers, covering situations where personal data is shared or accessed across borders, including data collected from individuals in Brazil. It establishes mechanisms for compliance, such as adequacy decisions, Standard Contractual Clauses (SCCs), and Binding Corporate Rules (BCRs), requiring organizations to ensure that any international data transfers meet the LGPD’s standards for data protection. These mechanisms aim to enhance the security and transparency of personal data handling in the international context.
Companies must also implement specific transparency measures regarding international transfers, including detailed privacy notices on their websites. These notices must inform data subjects about the purposes, destinations, and security measures of the data transfers. This requirement aims to provide clarity and protect the rights of individuals whose data is being transferred abroad.
Overall, the regulation presents several challenges for organizations in terms of compliance and transparency. While it does not mandate specific impact assessments, organizations are encouraged to evaluate the risks associated with the data protection laws of the destination countries. The ANPD’s next steps in approving BCRs and SCCs will be closely monitored, as these approvals will significantly affect how companies manage international data transfers.
Reference:
