Solutions for enabling and governing international data transfer
International data transfer
International data transfers must be adjusted to comply with ANPD standards.
Recently, the National Data Protection Authority (ANPD) issued Resolution No. 19/24, which approved the regulation dealing with international data transfers in Brazil.
What characterizes an international data transfer?
According to ANPD regulations, international data transfer refers to the sending of personal data to a foreign country or to an international organization of which the country is a member.
Examples of everyday business situations that may involve international data transfer include:
Sharing of an HR database between companies in the same group (head office-subsidiary);
Data storage in data centers physically located abroad;
Outsourcing customer service to a foreign company;
Hiring a foreign cloud computing provider.
What is required for international data transfers to comply with the new regulations?
Obligations regarding international data transfers apply to both controllers and processors of personal data.
All data processing agents must identify operations involving international transfers and ensure that they comply with at least one of the legal requirements that legitimize them, as per article 33 of the LGPD.
This is done in 4 steps:
Mapping
Understand data flows and international data transfer operations within the organization.
Framing
Define the legal mechanisms that underpin international data transfers, ensuring compliance with the LGPD and the Regulation approved by the ANPD.
Strategy
Develop a governance strategy for managing international data transfers.
Implementation
Monitor and provide the necessary legal assistance for the implementation of the previously defined strategy.
1. Data Inventory
Identification of all personal data collected and processed, classified by type (sensitive and non-sensitive), origin, purposes and life cycle.
2. Recipient Mapping
Identify all data processing agents (data importers) involved in international transfer operations. Determine the location of the data and verify which countries or international organizations are involved.
3. Analysis of Legal Bases
Identify the legal bases for each transfer, in accordance with articles 7, 11 and 33 of the LGPD (e.g., consent, compliance with legal obligation, contract, etc.).
4. Assessment of Local and International Standards
Check whether the recipient countries have adequacy decisions recognized by the ANPD or other international authorities. If necessary, identify the additional legal requirements applicable to each destination.
5. Definition of Transfer Mechanisms
Assess the need to use standard contractual clauses. Implement approved standard clauses or propose the creation of specific clauses, if necessary.
6. Assessment of Adequacy Decisions
Check whether transfers are being made to countries or international organizations with adequacy decisions recognized by the ANPD.
7. Contractual adjustments
Incorporate standard contractual clauses or specific clauses into existing contracts with data importers. Review contracts to ensure that all actors are in agreement with the new obligations and responsibilities.
8. Measures for transparency
Create documentation that provides transparency about the international data transfers carried out by the exporter, to be made available on the website. Establish an efficient procedure to meet requests from data subjects who require the full clauses used in international data transfers.