News and Business
Deadline for implementing Brazilian DPA’s standard contractual clauses ends August 23, 2025
Companies that transfer data internationally must review their contractual instruments and implement necessary changes to mitigate regulatory risks
Subjects
Companies that carry out international data transfers based on standard contractual clauses have until August 23, 2025, to ensure they have been adapted to requirements determined in the Brazilian Data Protection Authority’s (ANPD) Resolution No. 19/2024.
This resolution approved Brazil’s International Data Transfer Regulation and set out the content of the standard contractual clauses for such transfers, in accordance with the country’s General Data Protection Law – LGPD (Law No. 13,709/2018).
In practice, this means that:
- The standard contractual clauses must be fully incorporated (without changes) into a contractual instrument signed between the data exporter and the importer;
- The standard clauses can be incorporated into a specific or broader contract, provided they are not modified;
- Controllers must comply with the additional transparency obligations provided for in the regulation.
Given the deadline is fast approaching, organizations should review contractual instruments and implement any necessary adjustments to ensure they mitigate potential regulatory risks in Brazil.
For more information on this topic, please contact Mattos Filho’s Data Protection & Cybersecurity practice area.
