International Data Transfers (IDT) are critical to global business and data flows. Brazil’s General Data Protection Law (LGPD) sets out specific rules to ensure that the personal data of individuals located in Brazil remains protected even when transferred abroad.
In August 2024, the Brazilian National Data Protection Authority (ANPD) issued Resolution No. 19/2024, which regulates certain legal mechanisms provided in Article 33 of the LGPD to authorize international data transfers. These include:
- Recognition of an Adequate Level of Data Protection in foreign countries
- Standard Contractual Clauses (SCCs) issued by the ANPD
- Specific Contractual Clauses, subject to prior approval
- Global Corporate Rules, which also require the ANPD's approval
Companies intending to use the Brazilian SCCs must implement them by August 2025, the official compliance deadline set forth in the resolution.
Other legal bases mentioned in the LGPD—such as consent, contract execution, public policy implementation, or regulatory obligations—were not covered by this resolution and remain unregulated for now. Likewise, no adequacy decisions, specific clauses, or corporate rules have been approved as of the date of this publication.
The resolution also reinforces transparency obligations: organizations must inform data subjects, usually through Privacy Notices, about any international transfers and identify the destination countries.
To comply with the LGPD, companies should:
- Conduct due diligence on all international data flows
- Identify and apply appropriate legal mechanisms for each scenario
- Review and update contracts to include adequate data protection safeguards
- Ensure privacy notices are accurate and transparent
- Adopt robust technical and organizational security measures
Resolution No. 19/2024 is a significant development in Brazil’s data protection landscape. It brings legal certainty for companies involved in cross-border data operations and aligns the country with international data privacy and security standards.