Are there any restrictions on transferring personal data and how can these be overcome?
Cross-border data transfers affect all organizations that engage online IT services, cloud-based services, remote access services and global HR databases. Understanding the applications of lawful data transfer mechanisms is essential to validate recipients located in other nations.
Cross-border data transfers under the General Data Protection Law
The General Data Protection Law (LGPD) sets the standard for international data transfers in Brazil. Brazilian employers are able to transfer employee data in cases including:
- when the data is being transferred to countries or international organizations that provide a level of protection that is deemed adequate under the new LGPD (The Data Protection Authority, ANPD, will determine which countries and international organizations are considered to have adequate protections in place);
- when the controller can prove compliance with the principles and rights that are outlined in the law via: a) contractual clauses (either standard or specific to a given transfer); b) global corporate rules; or, c) regularly issued stamps, certificates and codes of conduct (The ANPD will define the minimum content of the model contractual clauses and verify contractual clauses, global corporate rules, stamps, certificates and codes of conduct);
- when the employees have given their specific consent for the transfer, and they were given prior information about the international nature of the operation (i.e. they have specifically consented to their data being transferred internationally for the given purpose);
- when the ANPD has authorized the transfer;
- when necessary to: comply with a legal or regulatory obligation of the employer; execute a contract or preliminary procedure relating to a contract of which the employee is a party (at the request of the employee); or, when necessary to protect the life or safety of the employee or a third party.
HR Best Practices: More specific rules relating to data transfers are expected to be introduced in the future. The use of applications in the cloud frequently results in the international transfer of employee data. Personal data should only be transferred outside Brazil when an adequate level of protection and privacy is ensured.