10000 caracteres
Consultation - International data transfer
Órgão: Autoridade Nacional de Proteção de Dados
Status: Encerrada
Abertura: 19/05/2022
Encerramento: 30/06/2022
Contribuições Recebidas: 12
Resumo
International data transfer mechanisms have become a key instrument both for the adequate protection of data subjects rights and for the development of the digital economy and international trade. Given the urgent need to regulate such mechanisms, ANPD plans to issue the regulation in stages. The first stage will have as scope the contractual instruments for international transfers of personal data, under article 33, II, (a), (b), and (c), of the LGPD, which are the standard contractual clauses, the specific contractual clauses, and the binding corporate rules.
To facilitate the understanding of the questions, consider “exporter” as the processing agent located in Brazil who will transfer the personal data to an importer situated in another country and “importer” as the processing agent located outside the national territory who will receive such data from the exporter.
ANPD welcomes contributions to any of the questions below, as it is not mandatory to prepare answers to all the questions listed below.
With this consultation, the ANPD begins compliance with item 9 of the Authority`s 2021-2022 biannual regulatory agenda, approved by Ordinance No. 11, on January 27th, 2021, which deals with the regulation of the international transfer of personal data.
To share reports, images or other attachments, please send a mail to normatizacao@anpd.gov.br during the period of Consultation. By e-mail it will be only accepted complementary attachments. Answers to questions will not be accepted by email.
*ATTENTION* Responses may be sent at once by each user.
Registre sua Opinião
1) What are the current obstacles for companies to transfer data from Brazil to other countries? And from other countries to Brazil?
2) What is the best way to promote convergence and interoperability between contractual instruments for international data transfers with instruments from other jurisdictions? And how can ANPD act in this regard?
10000 caracteres
3) What are the most effective and the most used instruments to legitimize the international data transfer by large and small companies or organizations?
10000 caracteres
4) What are the main benefits and impacts of international data transfers, and what are the best alternatives for addressing them in each of the contractual instruments for data transfers included in the LGPD and international practice?
10000 caracteres
5) Wich criteria and/or requirements should be considered in regulating each of the following international data transfer mechanism and why?
a.standard contractual clauses;
b. specific contractual clauses; and
c. binding corporate rules.
10000 caracteres
6) To what extent the elements to be considered by ANPD in assessing the level of data protection of foreign countries or international bodies for adequacy purposes (article 34 of the LGPD) should be considered within the scope of the rules for contractual instruments?
10000 caracteres
7) Should the standard contractual clauses be rigid and with predefined content , or should their regulation allow certain flexibility concerning the text of the clauses, specifying the desired results and allowing changes as long as they do not conflict with the standard text made available?
10000 caracteres
8) What would be the most appropriate format for ANPD to make available models of standard contractual clauses for international data transfers? Are there any tools that could be interesting for it (e.g., decision tree, forms, checkboxes)? Are there any experiences on the theme that could serve as an example for ANPD?
10000 caracteres
9) Is it necessary to have different rules depending on the type of processing agents (e.g., specific modules for controllers or operators) as data exporters or importers in international data transfers carried out by contractual clauses? If so, what would it be?
10000 caracteres
10) Are there requirements that need to be different for Binding Corporate Rules from those usually required for Standard Contractual Clauses? If so, what would it be?
10000 caracteres
11) What criteria should be considered when defining eligibility of an economic or business group for the application of Binding Corporate Rules?
10000 caracteres
12) What is the minimum information (level of detail) on personal data needed to allow proper compliance analysis by the ANPD of the international transfers of data carried out by contractual instruments that may minimize negative impacts on business activities and preserve a high degree of protection to the data subject?
10000 caracteres
13) What are the risks and benefits of allowing transfers between different economic groups whose binding corporate rules have been approved by ANPD?
10000 caracteres
14) Are there any experiences with the verification and approval of specific contractual clauses and binding corporate rules that could serve as an example for ANPD?
10000 caracteres
15) What are the data subject`s rights in case of changes in the original configuration of the transfer? In which situations would be essential a direct communication with the data subjects or some type of intervention by them?
10000 caracteres
16) What are the best alternatives for resolving conflicts between processing agents and/or between those agents and data subjects involving contractual instruments for international data transfers? Could bilateral, multilateral or international cooperation between data protection authorities assist in conflict resolution? If so, how?
10000 caracteres
17) What are the best alternatives to promote regulatory compliance (including concerning the importer) regarding international data transfers?
10000 caracteres
18) What are the best alternatives to resolve practical issues related to the accountability of stakeholders who transfer data overseas, especially in cases where onward transfers to other jurisdictions occur or when the data even in the same jurisdiction are processed by other data processing agents different from importer?
10000 caracteres
19) What obligations should be assigned to the importer and exporter in case of access to data by determination of foreign public authorities?
10000 caracteres
20) What are the most appropriate mechanisms to provide data subjects with clear and relevant information about the possible transfer of their personal data outside of Brazil as well as to ensure the adequate protection of data subjects` rights in international data transfer? How should these instruments be implemented?
10000 caracteres