The International Data Transfer Regulation, published under CD/ANPD Solution No. 19, defines the procedures for transferring personal data abroad or to international organizations that provide a level of data protection comparable to that of Law No. 13,709 of 2018. The ANPD may recognize this equivalence through an adequacy decision, assessing the regulations in force, the security adopted and the judicial guarantees of the receiving country or organization. This recognition facilitates the free flow of data between Brazil and the evaluated entities.
For international data transfers, the regulation establishes mechanisms such as standard contractual clauses, which provide minimum guarantees and conditions of validity. These clauses ensure compliance with data protection principles and the rights of data subjects, and cannot be modified or excluded by other contractual provisions. Specific contractual clauses are used when standard clauses are not applicable due to exceptional circumstances; they must be approved by the ANPD and comply with established legal requirements.
Global corporate standards are another valid mechanism for intra-group transfers, and must be linked to a privacy governance program that complies with applicable law. In addition, the regulation requires that the transfer of data be limited to the minimum necessary to fulfill the specified purposes, ensuring that the scope of the data transferred is proportionate and not excessive in relation to the purpose of the processing.
The regulation clarifies that the transfer of data must be limited to the minimum necessary to fulfill its purposes. This ensures that the scope of the data transferred is proportionate and not excessive in relation to the purpose of the processing. Although the main mechanisms are specified, the regulation also recognizes that other options provided by law may be used as long as the applicable legal requirements are met.
