Data Strategy Briefing — February 23, 2024
Brazil’s ANPD adopted Resolution 15 to operationalise the LGPD’s international transfer regime, requiring modular SCCs, a centralised transfer registry, and new assurance obligations over third-country adequacy and vendor oversight.
Executive briefing: Brazil’s Autoridade Nacional de Proteção de Dados (ANPD) approved Resolution CD/ANPD No. 15 on 23 February 2024, publishing the first legally binding standard contractual clauses (SCCs) for Lei Geral de Proteção de Dados (LGPD) Article 33 transfers, instituting a mandatory national register for international data flows, and defining objective criteria for adequacy, risk assessments, and remediation plans.
The regulation became effective on 26 February 2024 after its Diário Oficial da União publication. Controllers and processors that already engage in cross-border transfers have a 15-month adaptation period to migrate existing agreements to the new clauses, update transfer impact assessments (Relatórios de Impacto à Proteção de Dados Pessoais, RIPDs), and file the information needed for the ANPD registry. New contracts executed after the effective date must adopt the approved modules immediately, while organisations relying on binding corporate rules (BCRs), certification, or specific consent must still document the safeguards laid out in the resolution.
Resolution scope and linkage to LGPD enforcement
Resolution 15 was issued under Articles 33–36 of the LGPD, which condition cross-border transfers on either an adequacy decision or demonstrable safeguards. The text introduces four SCC modules that mirror the European Union’s modular approach—controller-to-controller, controller-to-processor, processor-to-controller, and processor-to-processor. Each module includes non-negotiable core clauses covering legality of processing, data subject rights facilitation, security controls, and supervisory cooperation, and it specifies which optional clauses can be tailored without undercutting the ANPD’s minimum guarantees.
The resolution also sets the procedural expectations for ANPD adequacy decisions. It enumerates the elements the Board will consider—respect for human rights, general and sectoral data protection rules, security measures, professional rules and enforcement mechanisms, and international commitments. Companies seeking to rely on future adequacy recognition will need to evidence how their transfer destinations satisfy these criteria and monitor the ANPD’s periodic reviews. Because the LGPD authorises significant fines (up to 2% of revenue in Brazil, capped at BRL 50 million per infraction) and suspension of data processing, the Resolution elevates international transfer compliance to a board-level risk topic.
Key compliance checkpoints
- SCC alignment workstreams. Privacy, procurement, and legal teams must map all existing international transfers and determine the module that applies to each relationship. The ANPD allows ancillary commercial clauses provided they do not contradict the SCC guarantees, so contract lifecycle management (CLM) systems should include controls that prevent conflicting liability caps, indemnities, or inspection limits from creeping into the agreements.
- Transfer registry submissions. Article 16 of the regulation compels controllers to maintain granular records of transfer purposes, categories of personal data, receiving countries, safeguards, and contact points. The registry must be made available to the ANPD on request, and high-risk processing activities may trigger mandatory filings through the ANPD’s data transfer module. Maintaining a living inventory requires integration with data mapping tools and change-control processes whenever new vendors or data categories are added.
- RIPD updates. For transfers that rely on SCCs or contractual safeguards, controllers must reassess the foreign legal environment, oversight mechanisms, and redress availability. The ANPD expects documentation of technical and organisational compensating controls, such as encryption, pseudonymisation, segregation of duties, and audit logging. When residual risks remain, the resolution requires documented mitigation plans and senior management approval.
- Vendor due diligence. Processors receiving Brazilian personal data must provide evidence of information security programmes aligned with the ANPD Guidance on Security for Small Agents and with sectoral norms such as ISO/IEC 27001 or NIST SP 800-53. Sub-processor onboarding must be transparent, with prior authorisation and flow-down of SCC obligations. Controllers should expand third-party risk assessments to include site visits or independent assurance (e.g., SOC 2 reports) for high-risk transfers.
- Incident response and notification. Resolution 15 mandates contractual commitments to support prompt breach notification both to the controller and to the ANPD. Response runbooks need to incorporate cross-border escalation, translation of incident reports, and preservation of forensic evidence in jurisdictions with differing procedural rules. Drills should test communication channels with processors and local counsel in recipient countries.
Governance, accountability, and stakeholder engagement
Boards and executive risk committees should receive quarterly dashboards detailing the organisation’s international transfer posture. Recommended metrics include percentage of transfers migrated to the new SCCs, number of pending registry updates, outstanding RIPD action items, and vendor assurance coverage. The Data Protection Officer (Encarregado) must certify to leadership that all data subjects can exercise their rights through accessible channels, regardless of the data’s storage location.
Global privacy steering groups should coordinate with Latin America legal leads to harmonise contractual templates. Where multinational groups already adopted EU SCCs, legal teams can leverage common annexes but must account for LGPD-specific definitions, especially the broad classification of sensitive data (dados pessoais sensíveis) and children’s data. Training programmes should target contract managers, procurement, IT security, and business unit sponsors to embed the new requirements into daily operations.
Engagement with industry associations—such as the Brazilian Association of Information Technology and Communication Companies (Brasscom) or the International Association of Privacy Professionals (IAPP) Brazil KnowledgeNet—can provide benchmarking on registry implementation and ANPD supervisory expectations. Organisations should also maintain dialogue with their cloud and SaaS providers to confirm that Brazilian tenants receive updated data transfer documentation, particularly for shared-responsibility models.
Implementation roadmap
- Weeks 0–4: Launch a cross-functional transfer compliance programme. Confirm scope, assign workstream leads, and inventory all active and planned international transfers using data discovery tools, privacy notices, and vendor registers.
- Weeks 4–12: Prioritise high-volume and sensitive-data transfers. Conduct gap analyses between existing agreements and SCC modules, initiate renegotiations with critical vendors, and draft updated annexes describing technical and organisational measures, sub-processor lists, and audit rights.
- Weeks 8–20: Update RIPDs, incorporating assessments of recipient-country legal frameworks, law enforcement access risks, and redress mechanisms. Integrate encryption, key management, and access controls into the compensating measures, and log decisions in governance, risk, and compliance (GRC) platforms.
- Weeks 12–24: Build the registry operating model. Align data mapping outputs with metadata requirements, establish submission workflows, and configure role-based access controls. Pilot the registry with representative transfers and conduct quality assurance reviews.
- Weeks 20–60: Complete contract migrations, update privacy notices, and execute targeted training. Monitor transfer metrics monthly, remediate overdue actions, and prepare artefacts for potential ANPD inspections, including SCC copies, registry extracts, and incident playbooks.
Technology enablement and assurance
Automation reduces manual overhead in managing SCC obligations. Organisations should integrate contract repositories with privacy management platforms (e.g., OneTrust, Collibra) to automatically flag agreements nearing the adaptation deadline. Security information and event management (SIEM) systems must be configured to segregate logs by jurisdiction and demonstrate access controls for Brazilian data. Data loss prevention (DLP) policies should be tuned to detect outbound transfers that lack approved safeguards.
Internal audit teams ought to design assurance reviews that test control effectiveness. Sample procedures include verifying that SCC templates match the ANPD’s official text, reviewing registry completeness against HR, CRM, and ERP data sources, and testing breach notification rehearsals. Findings should be escalated to the audit committee with remediation deadlines aligned to the regulatory adaptation window.
Because Resolution 15 contemplates future guidance on certification and BCR approvals, organisations should monitor the ANPD’s normative agenda. Companies in regulated sectors—financial services, telecoms, health, and education—should coordinate with their respective supervisory agencies to align SCC obligations with sectoral compliance regimes.
Looking ahead
The ANPD has signalled that it will intensify enforcement of international transfers once the adaptation period lapses. Firms should anticipate targeted inspections requesting proof of transfer inventories, SCC adoption timelines, and effectiveness of technical controls. Cross-border data flows supporting AI model training, behavioural advertising, or cloud migrations will attract scrutiny, particularly when involving jurisdictions with expansive surveillance laws. Proactive transparency with data subjects and regulators, paired with rigorous governance and documentation, will position organisations to demonstrate accountability under the LGPD’s extraterritorial reach.
Sources
- Resolution CD/ANPD No. 15/2024 establishing SCCs and adequacy criteria
- ANPD announcement on the international transfer regulation
- ANPD regulatory agenda for 2024–2025
Zeph Tech supports LGPD governance programmes with SCC migration playbooks, registry automation, and third-country risk assessments tailored to Brazil’s enforcement expectations.




