
International data transfers

Brazil’s ANPD adopted Resolution 15 to operationalize the LGPD’s international transfer regime, requiring modular SCCs, a centralized transfer registry, and new assurance obligations over third-country adequacy and vendor oversight.

Fact-checked and reviewed — Kodi C.

Brazil’s Autoridade Nacional de Proteção de Dados (ANPD) approved Resolution CD/ANPD No. 15 on 23 February 2024, publishing the first legally binding standard contractual clauses (SCCs) for Lei Geral de Proteção de Dados (LGPD) Article 33 transfers, instituting a mandatory national register for international data flows, and defining objective criteria for adequacy, risk assessments, and remediation plans.

The regulation became effective on 26 February 2024 after its Diário Oficial da União publication. Controllers and processors that already engage in cross-border transfers have a 15-month adaptation period to migrate existing agreements to the new clauses, update transfer impact assessments (Relatórios de Impacto à Proteção de Dados Pessoais, RIPDs), and file the information needed for the ANPD registry. New contracts executed after the effective date must adopt the approved modules immediately, while teams relying on binding corporate rules (BCRs), certification, or specific consent must still document the safeguards laid out in the resolution.

Resolution scope and linkage to LGPD enforcement

Resolution 15 was issued under Articles 33–36 of the LGPD, which condition cross-border transfers on either an adequacy decision or demonstrable safeguards. The text introduces four SCC modules that mirror the European Union’s modular approach—controller-to-controller, controller-to-processor, processor-to-controller, and processor-to-processor. Each module includes non-negotiable core clauses covering legality of processing, data subject rights facilitation, security controls, and supervisory cooperation, and it specifies which optional clauses can be tailored without undercutting the ANPD’s minimum guarantees.

The resolution also sets the procedural expectations for ANPD adequacy decisions. It enumerates the elements the Board will consider—respect for human rights, general and sectoral data protection rules, security measures, professional rules and enforcement mechanisms, and international commitments.

Companies seeking to rely on future adequacy recognition will need to evidence how their transfer destinations satisfy these criteria and monitor the ANPD’s periodic reviews. Because the LGPD authorizes significant fines (up to 2% of revenue in Brazil, capped at BRL 50 million per infraction) and suspension of data processing, the Resolution elevates international transfer compliance to a board-level risk topic.

Compliance milestones

  • SCC alignment workstreams. Privacy, procurement, and legal teams must map all existing international transfers and determine the module that applies to each relationship. The ANPD allows ancillary commercial clauses provided they do not contradict the SCC guarantees, so contract lifecycle management (CLM) systems should include controls that prevent conflicting liability caps, indemnities, or inspection limits from creeping into the agreements.
  • Transfer registry submissions. Article 16 of the regulation compels controllers to maintain granular records of transfer purposes, categories of personal data, receiving countries, safeguards, and contact points. The registry must be made available to the ANPD on request, and high-risk processing activities may trigger mandatory filings through the ANPD’s data transfer module. Maintaining a living inventory requires integration with data mapping tools and change-control processes whenever new vendors or data categories are added.
  • RIPD updates. For transfers that rely on SCCs or contractual safeguards, controllers must reassess the foreign legal environment, oversight mechanisms, and redress availability. The ANPD expects documentation of technical and organizational compensating controls, such as encryption, pseudonymization, segregation of duties, and audit logging. When residual risks remain, the resolution requires documented mitigation plans and senior management approval.
  • Vendor due diligence. Processors receiving Brazilian personal data must provide evidence of information security programs aligned with ANPD Guidance on Security for Small Agents and sectoral norms such as ISO/IEC 27001 or NIST SP 800-53. Sub-processor onboarding must be transparent, with prior authorization and flow-down of SCC obligations. Controllers should expand third-party risk assessments to include site visits or independent assurance (for example, SOC 2 reports) for high-risk transfers.
  • Incident response and notification. Resolution 15 mandates contractual commitments to support prompt breach notification both to the controller and to the ANPD. Response runbooks need to incorporate cross-border escalation, translation of incident reports, and preservation of forensic evidence in jurisdictions with differing procedural rules. Drills should test communication channels with processors and local counsel in recipient countries.

Governance, accountability, and stakeholder engagement

Boards and executive risk committees should receive quarterly dashboards detailing the organization’s international transfer posture. Recommended metrics include percentage of transfers migrated to the new SCCs, number of pending registry updates, outstanding RIPD action items, and vendor assurance coverage. The Data Protection Officer (Encarregado) must certify to leadership that all data subjects can exercise their rights through accessible channels, regardless of the data’s storage location.

Global privacy steering groups should coordinate with Latin America legal leads to harmonize contractual templates. Where multinational groups already adopted EU SCCs, legal teams can use common annexes but must account for LGPD-specific definitions, especially the broad classification of sensitive data (dados pessoais sensíveis) and children’s data. Training programs should target contract managers, procurement, IT security, and business unit sponsors to embed the new requirements into daily operations.

Engagement with industry associations—such as the Brazilian Association of Information Technology and Communication Companies (Brasscom) or the International Association of Privacy Professionals (IAPP) Brazil KnowledgeNet—can provide benchmarking on registry setup and ANPD supervisory expectations. Teams should also maintain dialog with their cloud and SaaS providers to confirm that Brazilian tenants receive updated data transfer documentation, particularly for shared-responsibility models.

Path to implementation

  1. Weeks 0–4: Launch a cross-functional transfer compliance program. Confirm scope, assign workstream leads, and inventory all active and planned international transfers using data discovery tools, privacy notices, and vendor registers.
  2. Weeks 4–12: Prioritize high-volume and sensitive-data transfers. Conduct gap analyses between existing agreements and SCC modules, initiate renegotiations with critical vendors, and draft updated annexes describing technical and organizational measures, sub-processor lists, and audit rights.
  3. Weeks 8–20: Update RIPDs, incorporating assessments of recipient-country legal frameworks, law enforcement access risks, and redress mechanisms. Integrate encryption, key management, and access controls into the compensating measures, and log decisions in governance, risk, and compliance (GRC) platforms.
  4. Weeks 12–24: Build the registry operating model. Align data mapping outputs with metadata requirements, establish submission workflows, and configure role-based access controls. Pilot the registry with representative transfers and conduct quality assurance reviews.
  5. Weeks 20–60: Complete contract migrations, update privacy notices, and execute targeted training. Monitor transfer metrics monthly, remediate overdue actions, and prepare artifacts for potential ANPD inspections, including SCC copies, registry extracts, and incident playbooks.

Technology enablement and assurance

Automation reduces manual overhead in managing SCC obligations. Teams should integrate contract repositories with privacy management platforms (for example, OneTrust, Collibra) to automatically flag agreements nearing the adaptation deadline. Security information and event management (SIEM) systems must be configured to segregate logs by jurisdiction and show access controls for Brazilian data. Data loss prevention (DLP) policies should be tuned to detect outbound transfers that lack approved safeguards.

Internal audit teams ought to design assurance reviews that test control effectiveness. Sample procedures include verifying that SCC templates match the ANPD’s official text, reviewing registry completeness against HR, CRM, and ERP data sources, and testing breach notification rehearsals. Findings should be escalated to the audit committee with remediation deadlines aligned to the regulatory adaptation window.

Because Resolution 15 contemplates future guidance on certification and BCR approvals, teams should monitor the ANPD’s normative agenda. Companies in regulated sectors—financial services, telecoms, health, and education—should coordinate with their respective supervisory agencies to align SCC obligations with sectoral compliance regimes.

Looking ahead

The ANPD has signaled that it will intensify enforcement of international transfers once the adaptation period lapses. Firms should anticipate targeted inspections requesting proof of transfer inventories, SCC adoption timelines, and effectiveness of technical controls. Cross-border data flows supporting AI model training, behavioral advertising, or cloud migrations will attract scrutiny, particularly when involving jurisdictions with expansive surveillance laws. Preventive transparency with data subjects and regulators, paired with rigorous governance and documentation, will position teams to show accountability under the LGPD’s extraterritorial reach.

Source material

  1. Resolução CD/ANPD nº 15, de 23 de fevereiro de 2024 — Autoridade Nacional de Proteção de Dados
  2. ANPD aprova regulamento sobre transferência internacional de dados pessoais — Autoridade Nacional de Proteção de Dados
  3. ISO 8000-2:2022 — Data Quality Management — International Organization for Standardization