1 September 2025

End Of Grace Period: Implementation Of Brazil's Standard Contractual Clauses In International Transfers Of Personal Data

Mayer Brown


Resolution CD/ANPD No. 19/2024 (the "Resolution") deepened the provisions of the Brazilian General Data Protection Law ("LGPD") regarding International Data Transfers ("IDT") and brought the country closer to European legislation. In its annexes, it introduced Standard Contractual Clauses ("SCCs"), which are mandatory provisions to be executed between data controllers and processors carrying out international transfers, to ensure an adequate level of protection for exported data.

The grace period granted for incorporating the SCCs to regularize international data transfers ended on August 23, 2025, one year after the publication of the Resolution.

Attention: From this point on, international data transfers will only be valid if the SCCs are implemented or if other mechanisms previously approved by the Brazilian Data Protection Authority ("ANPD") are used, ensuring an equivalent level of protection. Otherwise, organizations may face significant fines, administrative sanctions by the ANPD, reputational damage, business limitations, and operational vulnerabilities.

Therefore, data controllers and processors must keep in mind the following provisions to comply with current legislation and ensure the protection of data subjects.

I. What Constitutes an International Data Transfer?

An International Data Transfer occurs when a data exporter transmits, shares, or makes personal data accessible to a data importer located abroad. If there is no data controller or processor located outside Brazil, there is no international data transfer.

The obligations under the LGPD and the Resolution apply to international transfers originating from Brazil or abroad when:

i. The processing activity aims to offer or provide goods or services in Brazil;

ii. The processing activity targets the processing of data of individuals located in Brazil; or

iii. The personal data is collected within Brazilian territory.

II. How to Identify an International Data Transfer

A mapping of data flows within an organization, a requirement under the LGPD, allows identification of processing activities involving international transfers. With the globalization of business and the increasing adoption of international technological solutions, it is increasingly unlikely that a company does not carry out some form of international data transfer.

It is the responsibility of the Data Controller (GDPR: Controller), who makes decisions regarding data processing, to conduct this assessment and, with the assistance of the Data Processor (GDPR: Processor) where necessary, ensure compliance with a valid transfer mechanism.

Common examples in most organizations include:

a) Cloud storage with servers located abroad;

b) Shared servers and databases among companies within the same multinational group;

c) Use of email providers with infrastructure outside Brazil; and

d) Use of artificial intelligence agents hosted in other countries.

III. How to Complete the Standard Contractual Clauses

The text of the SCCs must be maintained in its essence, under penalty of invalidation. Adjustments or additions may only be made in fields expressly permitted in Sections I, III, and IV, and must reflect the specifics of each operation.

When completing the SCCs, one must:

a) Identify all Parties, indicating legal name, CNPJ or equivalent registration, address, and contact information for data subjects;

b) Qualify each Party as Controller or Processor and, cumulatively, as Exporter or Importer;

c) Specify the categories of personal data, main purposes of the transfer, data retention period, and additional information;

d) Choose, among the options provided in the SCCs, whether onward transfer of data by the Importer to third parties will be allowed or prohibited. If onward transfer is allowed, it is mandatory to detail the characteristics and purposes of such transfer and, whenever possible, identify the third parties involved;

e) Choose, according to the roles of the processing agents, the clause option regarding the parties' liability and designate the Controller(s);

f) Exclude any inapplicable options from the instrument; and

g) Describe the existing technical and organizational security measures (encryption, anonymization, access control policies, logging, etc.).

Additional clauses and annexes are permitted in the final section to address other matters, provided they do not exclude, modify, or contradict the SCCs.

IV. What are the Parties Committing to by Signing the SCCs?

By adhering to the SCCs, the Exporter and Importer assume contractual obligations that prevail over any conflicting provisions in the main agreement, binding each other and ensuring data subjects the national standard of personal data protection, in accordance with LGPD requirements, even for processing operations carried out outside Brazil.

Among these obligations:

  • The International Data Transfer must be based on a lawful processing activity, and any further processing incompatible with its purpose is prohibited;
  • Notification to data subjects and the ANPD within three days of a security incident;
  • Joint and several liability (when Controllers) for damages resulting from unlawful processing, without prejudice to the right of recourse between the Parties;
  • The Importer must ensure that the applicable law in the destination country is compatible with the SCCs and must communicate any relevant changes;
  • Breach of the clauses by the Importer allows immediate termination and requires the return or deletion of all received data;
  • The Importer must notify about any access requests from authorities in the recipient country;
  • The designated parties, in mutual assistance, must guarantee the rights of data subjects to self-determination and transparency; and
  • Provide, upon data subject request, the full text of the filed clauses and publish simplified information about the characteristics of the international transfer.

V. What Other Mechanisms are Possible for International Data Transfers?

The Resolution recognizes alternatives that may be more suitable for certain business models. For more information on them, see our Legal Update.

i. The first is an adequacy decision issued by the ANPD, whereby a country or international organization is declared to have a level of protection equivalent to Brazil's, waiving the need for specific clauses.

a. As of the date of this Legal Update, the authority has not yet issued a positive decision recognizing any country or international organization as an adequate destination for international data transfers. However, there are high expectations for a favorable decision regarding the European Union soon.

ii. Secondly, multinational corporate groups may submit their Binding Corporate Rules (BCRs) for approval by the Authority, which standardize internal policies and procedures across all entities in the group.

iii. There are also Equivalent Standard Contractual Clauses: clauses from other countries and international organizations recognized as equivalent by an ANPD decision. To date, no such recognition has been granted.

iv. It is also possible to request approval of specific contractual clauses that offer protection similar to the LGPD and the Resolution, modifying the standard clauses only where necessary.

All these mechanisms, however, depend on formal decisions and approvals by the ANPD, processes that may take months or even years. These decisions will be made available on the official ANPD website.

Finally, the other cases provided for in Article 33 of the LGPD remain valid, provided they do not require further regulation and their legal requirements are duly met.

The Resolution containing the SCCs, as well as the ANPD's FAQ on International Data Transfers, can be accessed on the official website.

*This content was prepared with the collaboration of intern Diego Semeraro

Visit us at mayerbrown.com

Mayer Brown is a global services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown (a Hong Kong partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) and non-legal service providers, which provide consultancy services (collectively, the "Mayer Brown Practices"). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC ("PKWN") is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Details of the individual Mayer Brown Practices and PKWN can be found in the Legal Notices section of our website. "Mayer Brown" and the Mayer Brown logo are the trademarks of Mayer Brown.

© Copyright 2025. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.
