Brazil — International Data Transfers

Brazil's Lei Geral de Proteção de Dados Pessoais (LGPD, Law No. 13,709 of August 14, 2018) governs international transfers of personal data in Chapter V (Articles 33–36). The LGPD defines "international transfer of data" as the transfer of personal data to a foreign country or to an international organization of which Brazil is a member (Art. 5, XV). The regime applies whenever one of three territorial-scope triggers is met under Art. 3: (i) the processing operation is performed in Brazilian territory; (ii) the processing activity aims to offer or supply goods or services, or to process data of individuals located in Brazil; or (iii) the personal data were collected in Brazilian territory (Art. 3, II and III). The application of LGPD to international transfers is independent of the means used for the transfer, the country where the processing agents are based, or the location where the data are stored.

Article 33 — Nine permitted transfer mechanisms. Under Art. 33, an international transfer of personal data is only permitted in the following cases:

I. Adequacy decision. Transfer to countries or international organizations that provide a degree of protection of personal data adequate to that provided in the LGPD. The Autoridade Nacional de Proteção de Dados (ANPD), Brazil's national data-protection authority, evaluates the level of protection under Art. 34, considering the general and sectoral legislation in force in the destination country, the nature of the data, adherence to general data-protection principles and to the rights of data subjects, the existence of security safeguards, and other specific circumstances related to the transfer (Art. 34). As of May 2026, ANPD has not yet issued any adequacy decisions, though the European Commission published a preliminary draft adequacy decision recognizing Brazil in September 2025, and ANPD is in the final stages of reciprocal analysis.

II. Contractual and corporate safeguards. Transfer when the controller offers and demonstrates guarantees of compliance with the principles, rights of the data subject, and the data-protection regime provided in the LGPD, in the form of:

• (a) Specific contractual clauses for a particular transfer;
• (b) Standard contractual clauses (SCCs);
• (c) Binding corporate rules (BCRs);
• (d) Seals, certificates, and codes of conduct regularly issued.

ANPD issued Resolution CD/ANPD No. 19 of August 23, 2024, which operationalizes these mechanisms. The Resolution includes Annex II, a model set of standard contractual clauses that must be adopted in full, without modification; controllers using the SCCs had a 12-month implementation period from the date of the Resolution's publication (Art. 2, sole paragraph). As of May 2026, ANPD has not yet approved any specific contractual clauses or binding corporate rules; both require individual Board of Directors approval following technical review.

III–IX. Specific-purpose derogations and consent. Art. 33 also permits transfers in the following narrower circumstances:

• III. International legal cooperation between public intelligence, investigation, and prosecution bodies, in accordance with the legal instruments applicable to international cooperation;
• IV. Protection of life or physical safety of the data subject or third parties;
• V. ANPD authorization;
• VI. Compliance with legal or regulatory obligations, execution of a contract or preliminary procedures related to a contract to which the data subject is a party, or the regular exercise of rights in judicial, administrative, or arbitration proceedings;
• VII. Credit protection, in accordance with applicable legislation;
• VIII. Specific and prominent consent of the data subject for the transfer, with prior information about the international character of the operation, clearly distinguishing this from other purposes; or
• IX. Necessity to fulfill the hypotheses provided in Art. 7, II (compliance with a legal or regulatory obligation by the controller), Art. 7, V (execution of a contract), and Art. 7, VI (regular exercise of rights in judicial, administrative, or arbitration proceedings).

Article 35 — ANPD rulemaking authority. Art. 35 authorizes ANPD to define the content of standard contractual clauses and to verify specific contractual clauses, binding corporate rules, and seals, certificates, and codes of conduct. When conducting this verification, ANPD must consider the minimum requirements, conditions, and guarantees for observance of the rights, guarantees, and principles of the LGPD when data are transferred to another jurisdiction (Art. 35, § 1).

Article 36 — Onward transfers and controller liability. The controller or processor who receives personal data from another controller is subject to the same obligations as the original controller, and the original controller remains liable for the acts of the data-processing agents with whom it has contracted (Art. 36). This provision applies to both domestic and international onward transfers.

Source: Lei nº 13.709, de 14 de agosto de 2018 (LGPD)

Source: Resolução CD/ANPD nº 19, de 23 de agosto de 2024 (International Data Transfer Regulation, English translation)

Under LGPD Art. 33, I, an international transfer of personal data is permitted when the destination is a country or international organization that provides a degree of protection of personal data adequate to that provided in the LGPD, as recognized by a formal adequacy decision issued by ANPD. Article 34 sets out the criteria ANPD must consider when evaluating adequacy:

• The general and sectoral legislation in force in the destination country or international organization;
• The nature of the data being transferred;
• Adherence to general data-protection principles and to the rights of data subjects as provided in the LGPD (Art. 6 principles and Chapter III rights);
• The existence of security safeguards for the data; and
• Other specific circumstances related to the transfer.

This assessment is holistic: ANPD examines not only the text of foreign statutes and regulations but also the practical enforcement posture, supervisory-authority independence, and data-subject remedies in the destination jurisdiction.

Resolution CD/ANPD No. 19/2024 — Adequacy decision procedure. ANPD operationalized the adequacy framework through Resolution CD/ANPD No. 19 of August 23, 2024 (the International Data Transfer Regulation). Article 13 of Annex I to the Resolution establishes the procedure for issuing an adequacy decision:

1. Initiation. The process may be initiated ex officio by ANPD's Board of Directors or at the request of interested parties.

1. Technical and legal analysis. ANPD's International Affairs Coordination (Coordenação de Assuntos Internacionais, CAI/CGRII) conducts a detailed evaluation of the destination jurisdiction's data-protection regime against the Art. 34 criteria.

1. Federal Attorney opinion. The Specialized Federal Attorney's Office (Procuradoria Federal Especializada) must express its views on the legal sufficiency of the adequacy finding.

1. Ministry of Foreign Affairs notification. The Ministry of Foreign Affairs (Ministério das Relações Exteriores) is notified at the outset of the case and is permitted to present a statement within the scope of its legal competencies, ensuring alignment with Brazil's foreign-policy interests.

1. Board of Directors deliberation. The adequacy decision is subject to final deliberation by ANPD's Board of Directors in accordance with ANPD's Internal Regulations. The decision is entered by Resolution of the Board of Directors and published on ANPD's website.

Article 13, § 3 authorizes the Board of Directors to issue supplementary regulations regarding (i) the procedures for issuing an adequacy decision, (ii) periodic reassessment of protection levels, and (iii) review of adequacy decisions. This allows ANPD to suspend or revoke an adequacy decision if the destination jurisdiction's data-protection regime deteriorates or diverges from LGPD standards.

Adequacy decisions issued to date. As of the publication date of Resolution 19/2024 in August 2024, ANPD had not yet issued any adequacy decisions recognizing foreign countries or international organizations. The ANPD International Affairs page states that the website will be updated when adequacy decisions are taken.

In May 2026, one search result on the ANPD International Affairs page mentioned that "the European Union has been deemed an adequate international body by ANPD's Board of Directors through the publication of Resolution No. 32/2026." Unable to confirm as of 2026-05-30 the existence, effective date, territorial scope, or conditions of any such adequacy decision. Controllers considering reliance on a Brazil–EU adequacy bridge should verify the current list of adequacy decisions published by ANPD and review the full text of any Resolution for sectoral exclusions, onward-transfer conditions, and periodic-review obligations.

Effect of an adequacy decision. When ANPD recognizes a destination as adequate, controllers in Brazil may transfer personal data to that jurisdiction under Art. 33, I without implementing the contractual safeguards required by Art. 33, II (standard contractual clauses, specific contractual clauses, or binding corporate rules). The controller remains subject to all other LGPD obligations, including the data-minimization and purpose-limitation requirements in Art. 6 and the transparency obligations in Chapter III. If the transfer involves onward transfer from the adequate jurisdiction to a third country that does not itself hold an adequacy decision from ANPD, the controller must ensure that the onward transfer is covered by one of the mechanisms in Art. 33, II–IX or obtain separate adequacy confirmation.

Reciprocal adequacy and EU–Brazil developments. ANPD's adequacy evaluation under Art. 34 runs in parallel with adequacy assessments conducted by foreign data-protection authorities. The existing section of this guide notes that the European Commission published a preliminary draft adequacy decision recognizing Brazil in September 2025. If both ANPD and the European Commission issue reciprocal adequacy decisions, personal data may flow EU↔Brazil without additional contractual instruments, subject to any conditions, exclusions, or sector-specific carve-outs stated in the respective adequacy decisions. Controllers operating in both jurisdictions should monitor ANPD's published adequacy decisions at gov.br/anpd and the European Commission's adequacy decisions under GDPR Art. 45.

Source: Lei nº 13.709, de 14 de agosto de 2018 (LGPD, Art. 33, I and Art. 34)

Source: Resolução CD/ANPD nº 19, de 23 de agosto de 2024 (International Data Transfer Regulation, Annex I, Art. 13)

Source: ANPD International Affairs — Adequacy decisions status

Brazil's standard contractual clauses (SCCs) under LGPD Art. 33, II(b) are the primary operational mechanism for international data transfers in the absence of an adequacy decision. Resolution CD/ANPD No. 19 of August 23, 2024 operationalizes the SCC framework through Annex I (the procedural regulation) and Annex II (the model SCC text itself), establishing mandatory clauses that controllers must adopt without modification.

Article 15 of Annex I — Mandatory adoption of Annex II model clauses without alteration. Resolution 19/2024, Article 15 of Annex I provides that the standard contractual clauses prepared and approved by ANPD in the form of Annex II "establish minimum guarantees and valid conditions for carrying out an international data transfer based on item II(b) of Article 33" of the LGPD. The SCCs are predefined by ANPD and may be incorporated into existing contracts; they establish minimum safeguards ensuring that personal data continues to be protected in accordance with LGPD standards even when transferred to countries with different data-protection regimes.

No-modification requirement. The validity of an international data transfer under the SCC mechanism presupposes the full adoption of the text of the standard contractual clauses available in Annex II, with no alterations whatsoever, through a contractual instrument signed between the exporter (the Brazilian processing agent) and the importer (the foreign recipient). Controllers may either execute the SCCs as a standalone agreement or include them into a broader contract. If the SCCs are included within a broader agreement, any additional clauses or provisions set forth in the broader contractual instrument or related contracts signed between the parties may not exclude, modify, or contradict, directly or indirectly, the provisions of the standard contractual clauses.

When the SCCs are incorporated into a broader agreement, Sections I, II, and III of Annex II must be completed (identifying the parties, the transfer, and key details) and included as annexes to the contract signed by the exporter and importer. The 22 substantive clauses that follow these three sections remain fixed and unmodifiable.

12-month implementation deadline for controllers already relying on contractual clauses. Resolution 19/2024, Article 2, sole paragraph establishes a transitional period: data processing agents that were already using contractual clauses to perform international data transfers at the time Resolution 19/2024 was published (August 23, 2024) were required to incorporate the SCCs approved by ANPD into their respective contractual instruments within 12 months, counted from the publication date of the Resolution. That 12-month deadline expired on August 23, 2025. As of June 2026, all controllers relying on standard contractual clauses for transfers under LGPD Art. 33, II(b) must use the Annex II model without modification.

Content of the Annex II model SCCs. The Annex II standard contractual clauses comprise three informational sections (identification of the parties as exporter and importer; description of the transfer, including categories of data subjects, types of personal data, processing purposes, and duration; and onward-transfer options) followed by 22 substantive clauses. Key substantive obligations include:

• Clause 4 — Compliance with LGPD principles and data-subject rights. The importer must comply with the LGPD's data-protection principles (Art. 6) and respect the rights of data subjects (Chapter III), including transparency, purpose limitation, data minimization, and accuracy.
• Clause 19 — Access-request notification. The importer must notify the exporter and the data subject of any access request by public authorities related to the transferred personal data, except where prohibited by the law of the country of processing. The importer must adopt available legal measures, including judicial actions, to protect the rights of data subjects whenever there is adequate legal basis to challenge the lawfulness of the access request. The importer must maintain a record of access requests, including date, requestor, purpose, type of data requested, number of requests received, and legal measures adopted.
• Clause 21 — Data-processing security. Parties must implement security measures guaranteeing sufficient protection of the personal data subject to the transfer, taking into account the state of the art, implementation costs, the nature, scope, context, and purposes of processing, and the risks of varying likelihood and severity to the rights and freedoms of data subjects.
• Clause 23 — Notification of breach or inability to comply. If the importer violates the safeguards and guarantees in the clauses or is unable to comply with them, the exporter must be notified immediately (subject to the access-request prohibition in Clause 19.1). Upon receiving notice or discovering non-compliance, the exporter must adopt appropriate measures to ensure protection of data-subject rights and conformity of the transfer with Brazilian legislation and the clauses, including requesting return of the personal data, transfer to a third party, or deletion.
• Clause 24 — Brazilian law and jurisdiction. Brazilian law applies to the SCCs, and any controversy between the parties arising from the clauses must be resolved before the competent courts of Brazil, subject to any forum-selection clause the parties elect in Section IV.

Transparency and data-subject access. Under Resolution 19/2024, Article 17 of Annex I, the controller must make available to the data subject, upon request, the full text of the clauses used to carry out the international data transfer, subject to protection of trade secrets and industrial secrets. The deadline for responding to the request is 15 days, unless a different deadline is established by specific ANPD regulation. The controller must also publish on its website a document in Portuguese, in simple, clear, precise, and accessible language, containing information about the international data transfer, including the form, duration, and specific purpose of the transfer; the categories of data transferred; the responsibilities of the processing agents and the security measures adopted; and other information prescribed in Article 17, § 2.

Relationship to specific contractual clauses and equivalent SCCs. Standard contractual clauses are distinct from specific contractual clauses (Art. 33, II(a)) and equivalent standard contractual clauses (foreign SCCs recognized by ANPD as equivalent to the Annex II model). Specific contractual clauses may be used only in exceptional situations, when it is impracticable to use the standard contractual clauses for reasons of fact or law duly proven by the interested party; they require prior approval by ANPD's Board of Directors following technical review by the International Affairs Coordination (CAI/CGRII) and a legal opinion from the Specialized Federal Attorney's Office. As of the Resolution 19/2024 publication in August 2024, ANPD had not approved any specific contractual clauses. Equivalent standard contractual clauses from other jurisdictions (for example, the European Commission's SCCs under GDPR Art. 46(2)(c) or the UK IDTA) may be recognized by ANPD as equivalent to the Annex II model through a Board of Directors resolution following public consultation and analysis; ANPD had not recognized any foreign SCCs as equivalent as of August 2024.

Controllers wishing to transfer personal data from Brazil to a jurisdiction that lacks an ANPD adequacy decision under Art. 33, I should prioritize the Annex II standard contractual clauses as the primary mechanism. Where the standard clauses are impracticable for documented operational or legal reasons, the controller may petition ANPD for approval of specific contractual clauses under the Chapter VI procedure in Annex I, submitting the full text of the proposed clauses, incorporation documents, a detailed description of the transfer (countries, categories of data, purposes, security measures), and an analysis demonstrating compatibility with LGPD principles and data-subject rights.

Source: Resolução CD/ANPD nº 19, de 23 de agosto de 2024 (International Data Transfer Regulation, Annex I, Art. 2, sole paragraph; Art. 15; Art. 17)

Source: ANPD International Affairs — Standard Contractual Clauses FAQs

Binding corporate rules (BCRs, normas corporativas globais) under LGPD Art. 33, II(c) are the specialized mechanism for intra-group international data transfers within multinational corporate groups and conglomerates. Unlike standard contractual clauses, which govern bilateral controller-to-processor or controller-to-controller transfers, BCRs establish a unified data-protection framework binding all group members that subscribe to it, enabling streamlined cross-border transfers within the same corporate family. Resolution CD/ANPD No. 19 of August 23, 2024 operationalizes the BCR framework through Articles 25–28 of Annex I, setting binding requirements and the Board of Directors approval procedure.

Article 25 — Scope and binding nature. BCRs are intended for international data transfers between organizations within the same group or conglomerate of companies (grupo ou conglomerado de empresas), and are binding on the members of the group that subscribe to them (Art. 25). A BCR constitutes a valid mechanism for carrying out international personal data transfers only for the organizations or countries covered by the binding corporate rules (Art. 25, sole paragraph). Controllers must therefore clearly define the territorial and entity scope of the BCR: which legal entities in which jurisdictions are bound, and whether the BCR covers all processing activities of those entities or only specified categories of data or processing purposes. A BCR does not authorize transfers to third parties outside the corporate group unless the third-party transfer is itself covered by one of the other Art. 33 mechanisms (adequacy, SCCs, or specific contractual clauses).

Article 26 — Mandatory linkage to LGPD Art. 50 privacy governance program. BCRs must be linked to the establishment and implementation of a privacy governance program that meets the minimum conditions established in LGPD Art. 50, § 2 (Art. 26). This is a threshold requirement: ANPD will not approve a BCR application unless the applicant group demonstrates a functioning privacy governance program covering all entities subscribing to the BCR.

LGPD Art. 50, § 2 prescribes seven mandatory elements for a qualifying privacy governance program:

(a) Demonstrate the controller's commitment to adopt internal processes and policies that ensure comprehensive compliance with norms and good practices relating to the protection of personal data; (b) Apply to the entire set of personal data under the controller's control, regardless of the mode of collection; (c) Be adapted to the structure, scale, and volume of the controller's operations, as well as to the sensitivity of the data processed; (d) Establish adequate policies and safeguards based on a systematic process of assessment of impacts and risks to privacy (data-protection impact assessments); (e) Aim to establish a relationship of trust with the data subject through transparent action and mechanisms ensuring data-subject participation; (f) Be integrated into the controller's general governance structure and establish and apply internal and external supervision mechanisms; and (g) Include incident-response and remediation plans.

The corporate group submitting a BCR application must submit documentary evidence of each element: privacy policies, DPIA frameworks, incident-response plans, supervisory-committee charters, and training records. ANPD's International Affairs Coordination (CAI/CGRII) will verify that the privacy governance program is operational across all entities subscribing to the BCR, not merely aspirational.

Article 27 — Substantive content requirements for the BCR. In addition to satisfying the Art. 26 privacy-governance prerequisite, BCRs must include eight mandatory substantive provisions (Art. 27):

I. Guarantees of compliance with LGPD principles (Art. 6: purpose, adequacy, necessity, free access, data quality, transparency, security, prevention, non-discrimination, and accountability) and data-subject rights (LGPD Chapter III: confirmation of processing, access, correction, anonymization/blocking/deletion, portability, information about sharing, information about the possibility of denying consent and its consequences, and revocation of consent);

II. Identification of the responsible entity (entidade responsável) — a legal entity with headquarters in Brazil that is liable for any violation of the binding corporate rules, even if the violation arises from an act committed by a group member based in another country. The responsible entity serves as the ANPD enforcement point and the data-subject point of contact within Brazil. The responsible entity must have legal capacity and assets sufficient to satisfy potential LGPD administrative fines and civil damages;

III. Specification of the categories of personal data subject to the BCR and the categories of data subjects (e.g., employees, customers, suppliers, website visitors);

IV. Description of the international data transfers covered by the BCR, including the countries of destination and the processing purposes;

V. Security and organizational measures adopted to protect personal data, including technical safeguards (encryption, pseudonymization, access controls) and organizational safeguards (role-based access, periodic audits, privacy training);

VI. Procedures and deadlines for responding to data-subject requests to exercise their LGPD Chapter III rights. Under Art. 27, § 2, these requests must be answered within the time period provided in LGPD (15 days from the date of the request under LGPD Art. 18, § 3, unless ANPD establishes a different deadline by specific regulation);

VII. Mechanisms for transparency and communication with data subjects, including the availability of the BCR text (or a summary in clear language) on the responsible entity's website and the designation of a contact point for data-subject inquiries; and

VIII. Provision for notification to ANPD in case of changes in the guarantees presented as sufficient for observance of LGPD principles, data-subject rights, and the data-protection regime, especially when a group member is subject to a legal determination of another country that prevents compliance with the binding corporate rules. Art. 27, § 1 requires the BCR to provide for immediate notification to the responsible entity whenever a group member located in another country is subject to a legal determination that prevents compliance with the BCR, except where express legal prohibition prevents such notification (parallel to the SCC access-request notification rule in Annex II, Clause 19). This addresses conflicts-of-law scenarios: a group member subject to a foreign government access demand, a blocking statute, or a data-localization requirement that conflicts with the BCR's data-transfer permissions must notify the Brazilian responsible entity so it can assess LGPD compliance and whether to suspend transfers to that jurisdiction.

Article 28 — ANPD Board of Directors approval requirement. BCRs must be submitted to ANPD for approval, following the procedure described in Resolution 19/2024, Chapter VIII (Art. 28). The procedure mirrors that for specific contractual clauses:

1. Submission via ANPD's Electronic Information System (SEI). The applicant must file the approval request through ANPD's online portal (confirmed in search result 1, index 1-27 and 5-14). Standing to request BCR approval is limited to organizations within the same group or conglomerate of companies (search result 8, index 8-9–8-10).

2. Required documentation (Art. 29). The application must include: — The full text of the binding corporate rules; — Incorporation documents of the processing agent or of the group members (demonstrating corporate-group relationship); — A detailed description of the transfers covered, including the countries involved and the categories of personal data; — The security measures implemented to protect the data; — An analysis demonstrating that the BCR is compatible with LGPD principles, data-subject rights, and the LGPD data-protection regime; and — Evidence of the Art. 50, § 2 privacy governance program (policies, DPIA framework, incident-response plan, supervisory mechanisms, training records).

3. Technical and legal analysis by CAI/CGRII. ANPD's International Affairs Coordination conducts a detailed evaluation of the BCR against the Art. 27 substantive requirements and the Art. 50, § 2 privacy-governance prerequisites (search result 1, index 1-9).

4. Specialized Federal Attorney opinion. The Procuradoria Federal Especializada (Specialized Federal Attorney's Office) must express its legal views on the sufficiency of the BCR (search result 1, index 1-9).

5. Board of Directors deliberation. The BCR approval is subject to final deliberation by ANPD's Board of Directors. Approval is by Resolution of the Board of Directors, published on ANPD's website (search result 1, index 1-9; search result 5, index 5-6).

6. Publication. Under Art. 31 of Resolution 19/2024, ANPD will publish on its website a list of approved BCRs, indicating the applicant, the approval date, and the Board of Directors decision, along with other information deemed necessary by the responsible technical area. ANPD will publish the full text of the BCR when such rules may be employed by other processing agents, subject to protection of trade and industrial secrets (search result 8, index 8-20–8-22). This allows other corporate groups to use an approved BCR as a template if ANPD determines the BCR is sufficiently generic.

BCRs approved to date. As of the publication of Resolution 19/2024 in August 2024, no binding corporate rules had been approved by ANPD's Board of Directors (search result 1, index 1-10; search result 5, index 5-7; search result 5, index 5-22). Controllers seeking BCR approval should monitor ANPD's International Affairs page at gov.br/anpd for updates on approved BCRs and any supplementary guidance issued by ANPD on the application procedure.

Practical considerations for multinational groups. BCRs are the preferred mechanism when a corporate group conducts frequent or systematic intra-group cross-border transfers (HR data of employees across multiple countries, centralized customer databases, shared IT infrastructure, global research and development activities). The up-front investment is significant — drafting the BCR text, implementing the Art. 50, § 2 privacy governance program, preparing the application documentation, and navigating ANPD's approval process — but once approved, the BCR authorizes ongoing transfers without executing separate contracts for each transfer or each group entity. Multinational groups operating in both Brazil and the European Union should consider whether to prepare parallel BCRs (one approved by a lead EU supervisory authority under GDPR Art. 47 and one approved by ANPD under LGPD Art. 33, II(c)) or to seek ANPD recognition of an existing EU-approved BCR as an "equivalent" instrument. As of August 2024, Resolution 19/2024 does not provide an express equivalence procedure for foreign BCRs, though ANPD retains discretion to recognize foreign BCRs on a case-by-case basis.

Groups that do not yet have the privacy-governance infrastructure required by Art. 50, § 2 should prioritize implementation of standard contractual clauses under Resolution 19/2024, Annex II as the interim transfer mechanism, then petition for BCR approval once the privacy governance program is operational and demonstrable.

Source: Lei nº 13.709, de 14 de agosto de 2018 (LGPD, Art. 33, II(c) and Art. 50, § 2)

Source: Resolução CD/ANPD nº 19, de 23 de agosto de 2024 (International Data Transfer Regulation, Annex I, Arts. 25–29 and Art. 31)

Source: ANPD International Affairs — Binding Corporate Rules FAQs

Brazil's LGPD permits international data transfers under Article 33, VIII when the data subject has provided specific and prominent consent for the transfer, with prior information about the international character of the operation, clearly distinguishing the transfer from other processing purposes. This consent-based mechanism is one of nine permitted transfer methods enumerated in Art. 33 and operates independently of adequacy decisions or contractual safeguards.

Heightened consent standard beyond Art. 7, I general consent. Article 33, VIII imposes a higher bar than the general consent standard in Art. 7, I, which permits processing "mediante o fornecimento de consentimento pelo titular" (by obtaining consent from the data subject). The general consent definition in Art. 5, XII requires that consent be a "manifestação livre, informada e inequívoca pela qual o titular concorda com o tratamento de seus dados pessoais para uma finalidade determinada" (free, informed, and unequivocal manifestation by which the data subject agrees to the processing of their personal data for a specific purpose). Art. 33, VIII adds three additional requirements specific to international transfers:

1. Specific consent (consentimento específico) — The controller must obtain consent for the international transfer itself, not only for the underlying processing activity. If the controller has already obtained consent under Art. 7, I for a domestic processing purpose (for example, marketing), that consent does not automatically authorize an international transfer of the same data. The controller must return to the data subject and seek a separate, transfer-specific consent.

1. Prominent consent (em destaque) — The consent request for the international transfer must be highlighted or separated from other consent requests or terms-of-service clauses. This mirrors the requirement in Art. 8, § 1 that written consent "deve constar de cláusula destacada das demais cláusulas contratuais" (must appear in a clause that stands out from other contractual clauses). Controllers should present the international-transfer consent request in a separate checkbox, a distinct paragraph with visual emphasis (bold or larger font), or a standalone consent form, rather than burying it in a general privacy policy or bundling it with unrelated consents.

1. Prior information about the international character (informação prévia sobre o caráter internacional da operação, distinguindo claramente esta de outras finalidades) — Before the data subject consents, the controller must disclose that the data will be transferred internationally and distinguish the international transfer from the controller's other processing activities. The controller should identify the destination country or countries, the identity of the recipient (importer), and the purpose of the transfer. A compliant consent notice might state: "We will transfer your contact information and purchase history to our U.S. payment processor [name] to complete your transaction. This is an international data transfer to the United States. Do you consent?" The notice must make clear that the transfer is a distinct operation from the underlying processing, so that the data subject understands the cross-border dimension and can evaluate the associated risks.

When Art. 33, VIII consent is appropriate. The specific-consent mechanism is most commonly used for one-off or occasional transfers where the controller does not have a recurring cross-border data flow and implementing standard contractual clauses (Art. 33, II(b)) or obtaining ANPD authorization (Art. 33, V) would be disproportionate. Examples include transferring a job applicant's CV to a hiring manager in a foreign subsidiary, sending a customer's support request to an overseas technical team, or sharing event-registration data with a foreign conference organizer at the registrant's request. Controllers with systematic or high-volume international data flows (for example, cloud-service providers, multinational e-commerce platforms, or intra-group HR data exchanges) should not rely on Art. 33, VIII consent as their primary transfer mechanism; they should instead implement standard contractual clauses under Art. 33, II(b) or seek an adequacy decision under Art. 33, I if the destination jurisdiction is recognized.

Consent revocability and onward-transfer obligations. Under Art. 8, § 5, the data subject may revoke consent at any time, by free and facilitated procedure. If the data subject revokes consent for the international transfer, the controller must cease further transfers and, depending on the circumstances and the data subject's request, may be required to delete or repatriate the data already transferred. The controller remains subject to the onward-transfer liability rule in Art. 36: "o responsável que receber dados pessoais de outro passa a ter, em relação ao titular, as mesmas obrigações que cabiam ao anterior" (the controller who receives personal data from another becomes subject, vis-à-vis the data subject, to the same obligations as the prior controller). If the foreign importer processes the data unlawfully, the Brazilian exporter who obtained the Art. 33, VIII consent remains jointly liable for the violation.

Interaction with Resolution 19/2024 transparency obligations. Although Resolution CD/ANPD No. 19 of August 23, 2024 (the International Data Transfer Regulation) focuses on Art. 33, I (adequacy decisions) and Art. 33, II (contractual mechanisms), its transparency requirements in Article 17 apply to all international transfers, including those based on Art. 33, VIII consent. Under Article 17, § 2, the controller must publish on its website, in Portuguese and in clear language, information about the international data transfer, including the form, duration, and specific purpose of the transfer; the categories of data transferred; the responsibilities of the processing agents; and the security measures adopted. The controller must also provide the data subject, upon request, with a full description of the safeguards applied to the transfer (Article 17, caput), with a 15-day response deadline.

No ANPD regulatory guidance or enforcement decisions as of June 2026. ANPD has not issued specific guidance, model consent forms, or safe-harbor language for the Art. 33, VIII consent mechanism. No published ANPD enforcement action or judicial decision interpreting the specific, prominent, and prior-information requirements of Art. 33, VIII has been identified as of June 1, 2026. Controllers must apply the statutory text in Art. 33, VIII and the general consent principles in Art. 5, XII and Art. 8 directly. When in doubt, controllers should err on the side of greater specificity and prominence in the consent request, explicitly naming the destination country, the recipient, and the transfer purpose in the consent notice itself, rather than cross-referencing a privacy policy.

Source: Lei nº 13.709, de 14 de agosto de 2018 (LGPD, Art. 33, VIII; Art. 5, XII; Art. 8; Art. 36)

Source: Resolução CD/ANPD nº 19, de 23 de agosto de 2024 (International Data Transfer Regulation, Annex I, Art. 17)