In an increasingly globalized world, in which the exchange of data between countries is constant and necessary for the functioning of various economic and technological activities, the General Data Protection Law (LGPD) imposes strict rules to ensure that the rights of data subjects are respected, even when this information crosses borders.
Regarding this matter, on 08/23/2024, the National Data Protection Authority (ANPD) published Resolution CD/ANPD No. 19/2024 ("Resolution"), which establishes the procedures and rules applicable to international data transfer operations.
Firstly, it is worth noting that international transfer occurs when the agent, from inside or outside Brazil, transmits, shares, or makes access to personal data available outside the national territory. The transmitting agent is called the exporter, while the agent that receives the data is called the importer.
The international transfer of personal data can only occur when it is supported by a legal basis provided for in the LGPD and by one of the following mechanisms: countries with adequate protection, standard contractual clauses, global corporate standards or specific contractual clauses and, finally, protection guarantees and specific needs.
Among the mechanisms described above, the instrument of standard contractual clauses was already known in international legislative contexts (especially in Europe, under the General Data Protection Regulation). In the Brazilian context, it is also possible to foresee a wide use of this instrument in contracts.
The text of the standard contractual clauses is in the same Regulation, Annex II, which provides a set of 24 clauses formulated by the ANPD to be incorporated into contracts involving international data transfer, to ensure that exporting and importing data agents maintain an adequate level of protection, equivalent to that required by Brazilian legislation. Companies have a period of 12 months from the publication to adjust their contracts.
The use of standard clauses has a series of impacts on the agents' contracts. Among the main ones, we highlight:
Changes to the terms of the contract: Besides prohibiting changes to the text of the standard clauses, the Resolution also stipulates that the original contract text must not contradict the provisions of the standard clauses. The agent must therefore review and, if necessary, amend the provisions in its contracts to ensure compliance for the international transfer.
Distribution of responsibilities: The clauses clearly define the responsibilities of the parties involved in the processing and protection of personal data, assigning specific duties to both controllers and operators. These responsibilities are divided among proving the adoption of effective measures, transparency duties, respecting the rights of data subjects, reporting security incidents, compensating damages, and complying with various data processing modalities.
Transparency: The controller must provide the data subject, if requested, with the full contractual clauses used, taking into account commercial and industrial secrets, as well as publish on its website, on a specific page or integrated into the Privacy Policy, clear and accessible information on the international transfer of data.
Risk of penalties: Failure to comply with standard clauses may result in severe penalties, including fines, as well as damaging the reputation of the companies involved.
Definition of forum and jurisdiction: Any disagreement with the terms of the standard clauses must be resolved before the competent courts in Brazil.
Due to these impacts, contract renegotiations between agents will be necessary in many cases to include standard clauses. More precisely, the ANPD's standard clauses for international transfers of personal data impose a new layer of complexity on business contracts, requiring detailed revisions, clause adaptations, and greater formality in commercial relationships. However, by standardizing practices and ensuring legal certainty, these clauses contribute to creating a safer and more reliable environment for the flow of data across national borders, which is essential in an increasingly interconnected world.