Written by By Vanessa Borges and Fabiano Deffenti
International data transfers are critical for businesses operating in a globalised digital environment. Both Brazil and the European Union have implemented specific legal frameworks to regulate international data transfers and ensure that personal data is protected when transferred across borders.
Brazil’s National Data Protection Agency (“ANPD”) has published Resolution 19/2024, which establishes the guidelines and rules for international data transfers for Brazilian companies under the General Data Protection Law (“GDPL”). The Resolution’s counterpart in the EU is found in Chapter V of the General Data Protection Regulation (“GDPR”).
While both frameworks aim to secure personal data during international transfers, there are important differences in their structure, scope and implementation mechanisms. The table below compares the key points of ANPD’s Resolution 19/2024 and Chapter V of the GDPR.
| Topic | Brazil (ANPD Resolution 19/2024) | EU (GDPR Chapter V) |
|---|---|---|
| Scope | Applies to organisations processing personal data in Brazil, or processing data of individuals in Brazil to offer goods or services, or where the data was collected in Brazil. | Applies to data controllers and processors established in the EU, and to non-EU entities handling the data of EU residents. |
| Transfer mechanisms | Adequacy decisions, standard contractual clauses (SCCs) and binding corporate rules (BCRs). Transfers must provide equivalent protection to that required under the GDPL. | Adequacy decisions, SCCs, BCRs, codes of conduct, certification mechanisms and ad hoc contractual clauses. Specific derogations also apply (including explicit consent by the data subject). |
| Adequacy decisions | The ANPD may recognise foreign countries or international organisations as providing adequate protection. No countries or organisations have been recognised to date. | The European Commission issues adequacy decisions. Recognised countries include Andorra, Argentina, Canada (commercial organisations), Israel, Japan, New Zealand, Republic of Korea, Switzerland, the UK and the US (organisations participating in the EU-US Data Privacy Framework), among others. |
| Standard contractual clauses (SCCs) | Available as a transfer mechanism, but SCCs must align with the GDPL’s requirements. The ANPD has published model clauses. | Widely used. The European Commission has approved standard SCCs that ensure data is protected according to EU standards. |
| Binding corporate rules (BCRs) | Available for intragroup transfers between affiliates in different jurisdictions. BCRs must be individually approved by the ANPD. | Available for intragroup transfers. Approved by the competent national supervisory authority. The GDPR has a more mature and well-established BCR approval process. |
| Data owners’ rights | Data owners must be informed about international transfers and have the right to access, rectify and delete their data. | Robust rights, including transparency regarding where data is transferred and the ability to exercise rights across borders. Includes the same rights provided under the GDPL, plus additional protections. |
| Supervision and enforcement | The ANPD oversees compliance, issues penalties and provides guidance. The enforcement framework is relatively new and still developing. | Enforced by national supervisory authorities in each EU member state. Significant fines have already been issued against major global businesses. |
| Derogations | Exceptions exist for transfers necessary for the performance of contracts or compliance with legal obligations. | Derogations under Article 49 include explicit consent, contractual necessity and substantial public interest, among others. |
| Penalties | Administrative fines of up to 2% of a company’s Brazilian revenue, capped at R$50 million per violation. | Fines of up to €20 million or 4% of annual global turnover, whichever is higher. |
| Flexibility and updates | Resolution 19/2024 is subject to future amendments by the ANPD as the framework matures. | The GDPR allows updates by the European Commission and national authorities to adapt to new data protection challenges. |
Final remarks
The GDPR and the GDPL rules relating to international transfers are similar, not identical, and they differ in specific and relevant areas.
The GDPR has a more established framework for adequacy decisions, with various countries already recognised. In contrast, the ANPD’s process for granting adequacy decisions is still under development, which may initially complicate international transfers for Brazilian organisations.
The GDPR is known for its stringent enforcement and significant penalties, which have been imposed on several global businesses (for example, Meta was fined US$1.3 billion in 2023 and Amazon €886 million in 2021).
While the ANPD’s penalty structure is relatively new, the legal basis for significant fines exists under the GDPL. The ANPD’s first public sanction was issued in October 2023, when a company was fined R$14,400 for violations relating to transparency in data processing. Higher fines are expected as the ANPD ramps up its enforcement efforts.
Both the GDPR and the GDPL recognise BCRs, offering flexibility for multinational companies. However, the GDPR has a more mature system for the approval and use of BCRs, making compliance comparatively more straightforward for companies already operating within the EU framework.
While both frameworks apply to entities within their respective jurisdictions, the GDPR’s extraterritorial scope is broader, affecting any business dealing with EU data owners regardless of the company’s location. The GDPL also applies to companies outside Brazil that process personal data of individuals located in Brazil, but its extraterritorial reach is limited to situations where the processing is carried out for the purpose of offering goods or services to Brazilian residents, or where the data was collected in Brazil.
Checklist for multinationals transferring data into or out of Brazil
The following checklist is intended to assist multinational companies in identifying the key steps for compliance with Brazil’s international data transfer rules under the GDPL and ANPD Resolution 19/2024.
- Map your data flows. Identify all personal data that is transferred from Brazil to third countries (outbound) or received from abroad for processing in Brazil (inbound). This includes data shared with group companies, cloud service providers, customers and suppliers.
- Identify the applicable transfer mechanism. For each data flow, confirm which mechanism will be used: adequacy decision, SCCs, BCRs, contractual necessity or another derogation. Note that, as at the date of this article, no country has been granted an adequacy decision by the ANPD.
- Review and adapt your SCCs. If you use SCCs approved by the European Commission, do not assume they are sufficient for GDPL purposes. Review them against the ANPD’s model clauses and adapt as necessary to ensure alignment with the GDPL’s requirements.
- Obtain ANPD approval for BCRs if applicable. Companies wishing to rely on BCRs for intragroup transfers must submit their BCRs to the ANPD for individual approval. This process takes time and should be initiated well in advance of the intended transfer.
- Update privacy notices. Data owners must be informed about international transfers, including the countries to which their data is transferred and the mechanisms used. Review and update your privacy notices and consent forms accordingly.
- Assess dual compliance obligations. If your organisation also processes data of EU residents, check whether your Brazil-related data flows trigger GDPR obligations as well. The two frameworks are similar but not identical, and compliance with one does not guarantee compliance with the other.
- Conduct vendor due diligence. If personal data is transferred to third-party processors or subprocessors outside Brazil, confirm that data processing agreements are in place and that the relevant transfer mechanisms are operative.
- Monitor ANPD developments. The ANPD’s framework is still maturing. Monitor publications from the ANPD for adequacy decisions, updated model SCCs and enforcement guidance that may affect your compliance position.
Transferring personal data into or out of Brazil?
Our firm advises on data protection compliance under Brazil’s GDPL, international data transfer mechanisms and cross-border matters involving both Brazilian and EU law.
Brazil Compliance Corporate law Data Privacy Data Protection Data Protection Law GDPL GDPR GDPR compared General Data Protection Law
Last modified: 4 April 2026
The site is managed by Fabiano Deffenti, a lawyer admitted to practise in Brazil and Australia, enrolled as a barrister and solicitor in New Zealand and licensed as an attorney-at-law in New York.
