In an increasingly globalized world, in which the exchange of data between countries is constant and necessary for the functioning of various economic and technological activities, the General Data Protection Law (LGPD) imposes strict rules to ensure that the rights of data subjects are respected, even when this information crosses borders
About this subject, no dia 23/08/2024 a Autoridade Nacional de Proteção de Dados (ANPD) publicou a Resolução CD/ANPD n. 19/2024 (“Resolução”), that establishes the procedures and rules applicable to international data transfer operations
Preliminarily, it is worth remembering that the international transfer occurs when the agent, from inside or outside Brazil, transmit, shares or provides access to personal data outside the national territory. The transmitting agent is called the exporter, while the agent that receives the data is called the importer
Well then, the international transfer of personal data can only occur when supported by a legal basis provided for in the LGPD and by one of the following mechanisms: countries with adequate protection, standard contractual clauses, global corporate standards or specific contractual clauses and, finally, guarantees of protection and specific needs
Among the mechanisms described above, the instrument of standard contractual clauses was already known in international legislative contexts (especially in Europe, under the General Data Protection Regulation. In the Brazilian context, it is also possible to foresee a wide use of this instrument in contracts
The text of the standard contractual clauses is in the same Regulation, in Annex II, which provides for a set of 24 clauses formulated by the ANPD, to be incorporated into contracts involving the international transfer of data, to ensure that exporting and importing agents of personal data maintain an adequate level of protection, equivalent to that required by Brazilian legislation. Companies have a period of 12 months, from the publication, to adjust your contracts
Now, the use of standard clauses brings a series of impacts to the contracts of the agents. Among such main impacts, we highlight
Changes to the terms of the contractin addition to the text of the standard clauses not being able to be changed, the Resolution also determines that the original text of the contract must not contradict the provisions in the standard clauses. In this way, the agent must review and, if necessary, amend the provisions in the contracts to ensure compliance with international transfer
Distribution of responsibilitiesthe clauses clearly define the responsibilities of the parties involved in the processing and protection of personal data, assigning specific duties to both controllers and operators. These responsibilities are divided between the verification of the adoption of effective measures, transparency duties, service to the rights of the holders, security incident communication, compensation for damages and adjustment to various treatment modalities
TransparencyThe controller must provide the data subject, if requested, the full text of the contractual clauses used, observing commercial and industrial secrets, as well as publish on your site, on a specific page or integrated into the Privacy Policy, clear and accessible information about international data transfer
Risk of penaltiesthe non-compliance with standard clauses can result in severe penalties, including fines, in addition to harming the reputation of the companies involved
Definition of forum and jurisdictionany disagreement with the terms of the standard clauses must be resolved before the competent courts in Brazil
Due to such impacts, the renegotiation of contracts between agents will be necessary in many cases to include the standard clauses. More precisely, the standard clauses of the ANPD for international transfers of personal data impose a new layer of complexity to business contracts, requiring detailed revisions, adaptations in the clauses and greater formality in commercial relations. However, by standardizing practices and ensuring legal security, these clauses contribute to the creation of a safer and more reliable environment for the circulation of data across national borders, essential in an increasingly interconnected world
