The publication of Resolution CD/ANPD No. 19/2024 by the National Data Protection Authority (ANPD) brought important advances for companies that carry out international data transfers. With the aim of providing clarity and legal certainty, the regulation defines authorization mechanisms and detailed rules for the movement of personal data between countries. Below, we discuss the main changes and implications of this new regulation.

Clear Rules for International Transfers

According to the new regulation, the transfer of personal data to processing agents abroad now requires, in addition to a legal basis provided for in the General Data Protection Law (LGPD), the application of a valid international transfer mechanism. This requirement aims to standardize the conditions under which data can be transmitted, ensuring greater control and transparency.

Among the main authorization mechanisms are:

1️⃣ Countries with Adequate ProtectionData can be sent to countries that the ANPD (Brazilian National Data Protection Authority) considers to have adequate protection; this occurs through what is called a "Decision of Adequacy". 

2️⃣ Standard and specific clausesCompanies can use standard clauses already approved by the ANPD, or specific clauses that may obtain the authority's approval.

3️⃣ Global Corporate StandardsIt provides for the international transfer of data between organizations within the same group or conglomerate of companies.

4️⃣ Equivalent Standard ClausesCompanies can use standard clauses from other countries or international organizations, as long as they are recognized by the ANPD (Brazilian National Data Protection Authority).

New Deadlines and Obligations

The regulation also brought an important change: companies that use contractual clauses to carry out international transfers will have up to 12 months to adjust their contracts to the new standard clauses approved by the ANPD (National Data Protection Authority). This timeframe is crucial for organizations to review and adapt their contractual practices in accordance with the authority's requirements, avoiding potential penalties or risks to data protection.

Impact on Companies and Treatment Agents

The new regulation has immediate practical impacts for any company that transfers personal data outside of Brazil. Data controllers need to reassess their international data flows and ensure they are using the correct mechanisms for each type of transfer.

Furthermore, the resolution seeks to increase confidence in the international data trade, ensuring that Brazilian companies can operate globally in compliance with international best practices for data protection. This helps protect the fundamental rights of data subjects.

Outlook for the future

Resolution CD/ANPD No. 19/2024 represents an important regulatory milestone for privacy and data protection in Brazil. With it, the ANPD not only defines clear rules for the international transfer of data, but also ensures that these operations are in line with global best practices. For companies, adapting to the new requirements is essential to maintain compliance with the LGPD (Brazilian General Data Protection Law) and guarantee the security of their customers' personal data.

Want to know more about ANPD news? Access the text about it. 1st ANPD Meeting of Data Protection Officers Find out what happened at the event.