Are there any restrictions on transferring personal data and how can these be overcome?
Cross-border data transfers affect all organizations that engage online IT services, cloud-based services, remote access services and global HR databases. Understanding the applications of lawful data transfer mechanisms is essential to validate recipients located in other nations.
Cross-border data transfers are not prohibited under Brazilian law. When transferring employee data, the Internet Law and other Brazilian laws which regulate data privacy should be followed. The Internet Law outlines that individuals have the right to privacy and confidentiality, regardless of where their personal data and communication records are processed. This applies to employers who have an establishment and/or employees located in Brazil.
Cross-border data transfers under the General Data Protection Law
Effective August 2020, the General Data Protection Law will set the standard for international data transfers in Brazil. Brazilian employers will be able to transfer employee data in cases including:
- when the data is being transferred to countries or international organizations that provide a level of protection that is deemed adequate under the new General Data Protection Law (The Data Protection Authority, ANPD, will determine which countries and international organizations are considered to have adequate protections in place);
- when the controller can prove compliance with the principles and rights that are outlined in the law via: a) contractual clauses (either standard or specific to a given transfer); b) global corporate rules; or, c) regularly issued stamps, certificates and codes of conduct (The ANPD will define the minimum content of the model contractual clauses and verify contractual clauses, global corporate rules, stamps, certificates and codes of conduct);
- when the employees have given their specific consent for the transfer, and they were given prior information about the international nature of the operation (i.e. they have specifically consented to their data being transferred internationally for the given purpose);
- when the ANPD has authorized the transfer;
- when necessary to: comply with a legal or regulatory obligation of the employer; execute a contract or preliminary procedure relating to a contract of which the employee is a party (at the request of the employee); or, when necessary to protect the life or safety of the employee or a third party.
HR Best Practices: Note that more specific rules relating to data transfers may be introduced prior to the new General Data Protection Law going into effect in August 2020. The use of applications in the cloud frequently results in the international transfer of employee data. Personal data should only be transferred outside Brazil when an adequate level of protection and privacy is ensured.