You are currently viewing New ANPD Regulation International Data Transfers | Mayer Brown


##  


**Possible Titles:**

* Navigating the New ANPD Data Transfer Rules
Representation image: This image is an artistic interpretation related to the article theme.

New ANPD Regulation International Data Transfers | Mayer Brown ## **Possible Titles:** * Navigating the New ANPD Data Transfer Rules

1/2024, which sets forth the scope of the Brazilian General Data Protection Law (LGPD). This resolution clarifies the applicability of the LGPD to various sectors and clarifies the specific obligations of companies operating in these sectors.

The Regulation makes it clear that both the data controller and processor are responsible for proving compliance with the Regulation. Thus, if a foreign processor receives personal data from Brazil as an importer, it is also responsible for documenting the transfer and its compliance with the LGPD. Characterization of an International Transfer The Regulation covers international transfers, defined as: Transfers (transmission, sharing, or granting of access) of personal data from Brazil abroad; or Transfers abroad occurring directly between one or more countries when (i) the processing activity aims to offer or provide goods or services in Brazil; (ii) the processing activity aims to process data of individuals located in Brazil; or (iii) the personal data were collected within the Brazilian territory.

This regulation introduces a broader definition of international data transfers. It now encompasses data sharing that occurs between foreign countries, even if there wasn’t a previous transfer originating from Brazil. For instance, profiling an individual in Brazil could be considered an international data transfer under this regulation, necessitating the use of Article 33’s mechanisms for international data transfers.

The Regulation on the Protection of Personal Data (GDPR) governs the processing of personal data of EU citizens and residents. It also applies to organizations that process personal data of EU citizens, regardless of their location. The GDPR has a broad scope, encompassing various activities related to personal data, including collection, processing, storage, and transfer.

The Regulation also specifies that the ANPD will not exempt the application of the LGPD if the transfer could “violate or jeopardize the observance of the general principles of personal data protection and the rights of data subjects as provided in Brazilian legislation.” Determining when this scenario applies can be challenging. However, it likely pertains to transfers for public interest purposes conducted by governmental bodies, which should be specifically highlighted in ANPD’s adequacy decisions. Mechanisms for International Transfers Adequacy Decisions The Regulation establishes several criteria for ANPD’s analysis regarding the equivalent level of personal data protection in a foreign country or international organization with the Brazilian data protection framework. To date, no adequacy decision has been issued. There are high expectations that the European Union will be recognized as adequate, as well as countries similarly recognized by the Union, such as Argentina and Uruguay, which have close commercial and diplomatic ties with Brazil. Once deemed adequate, the parties will not need to implement any contractual measures, significantly easing data transfers.

This document outlines the adequacy of a particular jurisdiction for the transfer of personal data. It details the process for requesting recognition of a jurisdiction as adequate, the criteria for adequacy, and the procedures involved. The document also provides information on the adequacy of standard contractual clauses (SCCs) and their use in transferring personal data.

This process involves submitting a detailed dossier outlining the SCC’s scope, methodology, and data quality. The ANPD evaluates the dossier and, if deemed appropriate, grants recognition. **Key Points:**

* **Recognition of SCCs from other countries or international organizations:** The ANPD can recognize SCCs from other countries or international organizations as equivalent to Brazilian SCCs.

The Regulation also clarifies that data processing agents are responsible for ensuring that their data processing activities comply with the GDPR. This means they must implement appropriate technical and organizational measures to protect personal data. Furthermore, the GDPR requires that data processing agents have a legal basis for processing personal data. This means they must have a legitimate reason for collecting, using, or storing personal data.

**Conglomerates: A Unified Force in Business**

**Conglomerates:

The regulation defines a conglomerate as a combination of companies that operate under a unified control system. This control system is established by a single or multiple individuals who collectively hold ultimate authority over all the companies within the conglomerate. To be classified as a conglomerate, these companies must exhibit a significant level of interconnectivity, demonstrating shared goals and a unified approach to business operations.

The marketing team’s success is attributed to several key factors. First, their ability to adapt to the ever-changing market landscape is crucial. This adaptability allows them to stay ahead of the competition and capitalize on emerging trends.

However, the controller must provide a clear explanation of the reasons for such removal. This provision aims to balance the interests of data protection and the protection of legitimate business interests. It acknowledges that certain information, such as trade secrets, may be sensitive and require specific safeguards. The BCRs must be written in plain language, easily understandable by the average person.

Similarly to the approval of BCRs, during the approval process, the ANPD may conduct inspections to verify the personal data processing operations covered by the clauses, and may also request a series of documents and information. It is important to note that specific contractual clauses can only be requested if the ANPD’s SCCs cannot be adopted due to exceptional circumstances, which must be proven to the ANPD in the request. The Regulation leaves room for this approval of specific contractual clauses to be extended to other controllers performing international transfers in similar circumstances—the ANPD will even publish these specific clauses, respecting trade and industrial secrets if necessary, so that they may be used by third parties.

If a controller, in the absence of SCCs, had been adopting a specific clause to support their international transfers, requesting its approval from the ANPD could be a way to avoid amending all of their existing contracts. However, timing is crucial, as the probable delay in the ANPD’s approval could jeopardize compliance with the Regulation’s 12-month grace period to harmonize existing contracts with the ANPD’s new SCCs. The full text of the specific contractual clauses approved by the ANPD must be made available to the data subjects upon request within 15 calendar days. If there are any trade or industrial secret in the clauses, the controller may remove them before providing them to data subjects.

Any changes to the content of the approved specific clauses must be submitted for prior approval by the ANPD. Specific Transparency Measures The Regulation introduced a requirement for any new privacy notice or policy specifically for international transfers to be made available on the controller’s website in Portuguese, using clear, precise, and accessible language. This document on international transfer transparency can be published either on a specific page or integrated into the existing notice or policy. This notice for international transfers must include at least: The means, duration, and specific purposes of the international transfers being carried out; The destination jurisdictions of the personal data;

* **Emphasis on key points:** It highlights the most important aspects of the ANPD’s requirements. * **Clearer structure:** It presents the information in a logical and organized manner. **Detailed Explanation of ANPD Requirements for International Data Transfers**

The ANPD, Brazil’s data protection agency, has established specific guidelines for data controllers when transferring personal data internationally.

**Key Challenges:**

* **Implementation of the mechanisms:** Controllers and processors face difficulties in implementing the mechanisms for data protection, such as data minimization, purpose limitation, and storage limitation. These mechanisms require careful planning and execution, and they can be complex to implement in practice. * **Transparency measures:** Controllers and processors must ensure transparency in their data processing activities.

Leave a Reply