International Personal Data Transfer Policy
Objective
Provide guidelines for carrying out international data transfers and guidance on how to manage the various data processing activities and operations.
The compliance process involves interpreting the law in order to define the legal obligations, diagnosing the pertinent and relevant facts for its application, and mapping the flows and processes that contribute, or fail to contribute, to those facts being in accordance with the legal text.
This Policy establishes rules for the control of personal data, within the limits prescribed in the General Personal Data Protection Law (LGPD) Law 13.709/2018.
Related document: the CAST Privacy Policy, available at https://www.cast4it.com/politica-de-privacidade-2/.
CONTEXT
The LGPD is a cross-cutting law, which cuts across different economic agents in Brazil, such as academia, the private sector, the public sector and the third sector.
Among the regulated agents, CAST is located in the Information Technology (IT) sector, and therefore faces a series of particularities in the processing of personal data carried out within its structure.
As is known, CAST works with a number of clients inside and outside the country, which also have synergies with the field of data protection.
As a result of this work, the aim is to develop CAST's compliance with the new data protection regulatory context of the LGPD and, alternatively, with that established by the GDPR, with the potential for dissemination and replication by other institutions and for influencing government agents and other private actors.
AREAS INVOLVED
All areas of CAST.
DEFINITIONS
PROCESSING AGENT: the Controller and the Operator (Art. 5, IX, LGPD).
ANONYMIZATION: use of reasonable technical means available at the time of processing, whereby a piece of data loses the possibility of direct or indirect association with an individual (Art. 5, XI, LGPD). Anonymized data, under the terms of the law, is no longer considered personal data, guaranteeing greater freedom in its processing (Art. 12, LGPD).
NATIONAL PERSONAL DATA PROTECTION AUTHORITY ("ANPD"): Public Administration body responsible for ensuring, implementing and supervising compliance with the Law throughout the national territory (Art. 5, XIX, LGPD). The ANPD was established by the LGPD as a federal public administration body with technical autonomy, part of the Presidency of the Republic, defined as transitory in nature and subject to transformation by the Executive Branch into an indirect federal public administration entity, subject to a special autarchic regime and linked to the Presidency of the Republic (Art. 55-A).
LEGAL BASIS: this is the basis that authorizes the processing of personal data by an agent, and must be defined, in specific cases, on the basis of one of the hypotheses set out in the LGPD in Article 7 (in the case of personal data) or Article 11 (in the case of sensitive personal data). Legal bases will only not be necessary in cases where the LGPD does not apply, such as in the hypotheses of Article 4 or in processing situations involving anonymized data, where it is not possible to identify the data subject by reasonable means.
CONSENT: free, informed and unequivocal expression (Art. 7, I, LGPD) by which the data subject agrees to the processing of their personal data for a specific purpose (Art. 5, XII, LGPD). It must be provided in writing or by another means that demonstrates the data subject's expression of will (Art. 8, LGPD).
CONTROLLER: natural or legal person, public or private, who is responsible for decisions regarding the processing of personal data (Art. 5, VI, LGPD). It determines how the data is processed.
DATA SUBJECT: natural person to whom the personal data being processed refers (Art. 5, V, LGPD).
PERSONAL DATA: information relating to an identified or identifiable natural person (Art. 5, I, LGPD). Also considered personal data for the purposes of the law are data used to form the behavioral profile of a given natural person, if identified (Art. 12, §2, LGPD).
SENSITIVE PERSONAL DATA: personal data on racial or ethnic origin, religious conviction, political opinion, membership of a trade union or religious, philosophical or political organization, data relating to health or sex life, genetic or biometric data, when linked to a natural person (Art. 5, II, LGPD).
DATA PROTECTION OFFICER (DPO): is the natural or legal person appointed by the Processing Agent to act as a communication channel between the Controller, the data subjects and the National Data Protection Authority (ANPD).
EUROPEAN ECONOMIC AREA ("EEA"): created in 1994 to extend provisions of the European Union's internal market to the countries of the European Free Trade Area (EFTA). Under EU regulation, there are no prohibitions on the free movement of personal data between EU Member States for reasons relating to the protection of natural persons in relation to the processing of personal data. The area of free flow of data has been extended to the EEA, which brings Iceland, Liechtenstein and Norway into the internal market.
GDPR (GENERAL DATA PROTECTION REGULATION): General Data Protection Regulation 2016/679. It lays down rules on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. It repealed Directive 95/46/EC.
LGPD (GENERAL DATA PROTECTION LAW): Law 13.709/2018 provides for the processing of personal data, including in digital media, by natural persons or legal entities governed by public or private law (Art. 1, LGPD). It applies to any processing operation carried out by a natural person or by a legal entity governed by public or private law, regardless of the medium, the country in which it is based or the country where the data is located, provided that: the processing operation is carried out in the national territory; the processing activity is aimed at offering or supplying goods or services to, or processing the data of, individuals located in the national territory; or the personal data that is the object of the processing has been collected in the national territory (Art. 3, heading and items I to III, LGPD).
ADPPA (THE U.S. DATA PROTECTION AND PRIVACY ACT): Act that passed, with some amendments, on July 20, 2022. The ADPPA applies to covered data processing, i.e. only to data that identifies, or is linked or reasonably linkable to, an individual.
OPERATOR: natural or legal person, public or private, who processes personal data on behalf of the Controller (Art. 5, VII, LGPD). This is the person who carries out the processing according to the Controller's instructions on how the data should be processed.
PROCESSING: any operation carried out with personal data, such as those relating to the collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction (Art. 5, X, LGPD).
INTERNATIONAL DATA TRANSFER: the transfer of personal data to a foreign country or to an international organization of which the country is a member (Art. 5, XV, LGPD).
EUROPEAN UNION ("EU"): is an economic bloc made up of 28 European countries (27 with Brexit, i.e. the departure of the United Kingdom): Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom.
LGPD PRINCIPLES
In legal terminology, a principle is a type of rule that must be complied with to the greatest extent possible and whose content serves as a general guideline for interpreting concrete situations. In the LGPD, the principles are listed throughout Article 6 and are as follows:
ADEQUACY: compatibility of the processing with the purposes informed to the data subject, in accordance with the context of the processing (art. 6, II, LGPD).
GOOD FAITH: means the observance of loyal, correct and honest behavior when carrying out personal data processing activities. This principle acts as a guide for all the others and serves as a benchmark for interpreting open concepts (art. 6, caput, LGPD).
PURPOSE: processing carried out for legitimate, specific, explicit purposes and informed to the data subject, without the possibility of subsequent processing in an incompatible or distorted manner (art. 6, I, LGPD).
FREE ACCESS: guaranteeing data subjects free and easy consultation on the form and duration of processing, as well as on the completeness of their personal data (art. 6, IV, LGPD).
NON-DISCRIMINATION: impossibility of processing for unlawful or abusive discriminatory purposes (art. 6, IX, LGPD).
NECESSITY: limitation or minimization of processing to the minimum necessary for the achievement of its purposes, covering data that is relevant, proportionate and not excessive in relation to the purposes of data processing (art. 6, III, LGPD).
PREVENTION: adoption of measures to prevent the occurrence of damage as a result of the processing of personal data (art. 6, VIII, LGPD).
DATA QUALITY: guaranteeing data subjects the accuracy, clarity, relevance and up-to-dateness of their data, in accordance with the need for it and for the fulfillment of the purpose for which it is processed (art. 6, V, LGPD).
RESPONSIBILITY AND ACCOUNTABILITY: demonstration by the agent of the adoption of effective measures capable of proving compliance with personal data protection rules, including the effectiveness of these measures (art. 6, X, LGPD).
SECURITY: use of technical and administrative measures to protect personal data from unauthorized access and accidental or unlawful destruction, loss, alteration, communication or dissemination (art. 6, VII, LGPD).
TRANSPARENCY: guaranteeing data subjects clear, precise and easily accessible information about the processing and the respective processing agents, with due regard for commercial and industrial secrets (art. 6, VI, LGPD).
RIGHTS OF THE DATA SUBJECT IN THE LGPD
The rights of data subjects are mainly set out in Article 18 of the LGPD. There is also the right of ownership (Article 17) and, with regard to automated processing, the rights to information and review (Article 20):
ACCESS TO DATA: the data subject has the right to receive a copy of the personal data held by the company, if they so request (art. 18, II, LGPD). According to the LGPD, this right will be regulated by the national authority and the health and sanitary authorities, within the scope of their powers (art. 13, § 3, LGPD). It should be noted that notary and registry offices must provide access to data by electronic means to the public administration, in view of their purposes (art. 23, § 5, LGPD).
ANONYMIZATION, BLOCKING OR DELETION: the data subject has the right to request that their data be anonymized, blocked or that unnecessary, excessive data or data processed in breach of the provisions of the Law be deleted (art. 18, IV, LGPD).
CONFIRMATION OF THE EXISTENCE OF PROCESSING: the right of the data subject to obtain from the Controller, in relation to the data of the data subject processed by it, at any time and upon request, information on the existence of processing (art. 18, I, LGPD), that is, of every operation carried out with their personal data (art. 5, X, LGPD).
CORRECTION OF INCOMPLETE, INEXACT OR OUTDATED DATA: the data subject can request the rectification of data if it is incorrect, insufficient, inaccurate, does not express the completeness of the information stored or needs to be updated (art. 18, III, LGPD).
ELIMINATION OF PERSONAL DATA: the data subject can request that their data be deleted, so that the company must eliminate all data collected in relation to that data subject, unless there is another legal basis for maintaining this data (art. 18, VI, LGPD).
INFORMATION ON SHARING: the data subject may request information from public and private entities with which the Controller has shared data (art. 18, VII, LGPD).
INFORMATION ON NON-CONSENT: the data subject can request information on the possibility and hypotheses of not providing consent, as well as on the consequences of refusal (art. 18, VIII, LGPD).
INFORMATION ON AUTOMATED PROCESSING: the data subject may request information on the criteria and procedures used for the automated decision. This information, to be provided by the Controller, must be clear and consistent with what was requested (art. 20, §1, LGPD).
OPPOSITION: the data subject may object to the context of the data processing and/or the purposes of the processing, including processing carried out on the basis of one of the hypotheses for waiving consent (art. 18, §2, LGPD).
PETITION: the data subject can make any request regarding their data against the Controller before the national authority (art. 18, §1, LGPD).
PORTABILITY: making the data subject's data available to another service or product provider, upon express request and observing commercial and industrial secrets, in accordance with the regulations of the Controlling Body (art. 18, V, LGPD).
REVIEW: the data subject can request a review of decisions taken solely on the basis of automated processing of personal data that affect their interests, including decisions aimed at defining their personal, professional, consumer and credit profile or aspects of their personality (art. 20, caput, LGPD).
REVOCATION OF CONSENT: express manifestation by the data subject, through a free and facilitated procedure (art. 18, IX, LGPD), ratifying the processing carried out under the protection of the consent previously manifested as long as there is no request for elimination (art. 8, §5, LGPD).
OWNERSHIP OF PERSONAL DATA: every natural person is guaranteed ownership of their personal data and is guaranteed the fundamental rights of freedom, privacy and intimacy (art. 17, LGPD), so that the owner is therefore the natural person to whom the personal data being processed refers (art. 5, V, LGPD).
SCOPE OF APPLICATION
The purpose of this Policy is to provide some guidelines for processing operations involving the international transfer of personal data. When we think of Clients, Employees, Candidates, Suppliers and Partners, data relating to identified or identifiable natural persons will be transferred internationally. In this sense, it is necessary to comply with the applicable laws and regulations, guaranteeing a high and coherent level of personal data protection and safeguarding the individual rights and freedoms of the data subjects involved. The content of this Policy is laid out as follows:
- International data transfer: applicable rules: This section explains the scope of the LGPD and some points of the GDPR, defining what international data transfer is and when it occurs.
- Cautions for carrying out an international transfer: outlines the cases in which an international transfer is permitted, what the requirements are and what questions should be asked before carrying it out.
INTERNATIONAL DATA TRANSFER: APPLICABLE RULES
REQUIREMENTS FOR ANY PROCESSING OF PERSONAL DATA
The LGPD lists hypotheses authorizing the processing of personal data in Article 7 and Article 11 (sensitive personal data), which are known as legal bases. All processing operations must be based on a valid and adequate legal basis, and this choice must be registered and made in advance, prior to processing.
In addition, all processing operations must respect the principles of personal data protection (Art. 6 and Art. 16 of the LGPD), and must be carried out for specific purposes (e.g. if the purpose is the execution of a contract, the data cannot be used for marketing purposes); it is not permissible to indicate a generic purpose (e.g. providing that the data may eventually be used for other purposes). Also, the purpose must be explicit (not presumed) and informed to the data subject, i.e. the data subject must have clear, sufficient and accurate information to understand the purposes and necessity of the processing, in accordance with the principle of transparency. In this sense, if the processing is linked to compliance with a legal obligation, for example, it is imperative that this information is presented to the data subject, so that there is an expectation of processing.
The processing must therefore be adequate, i.e. compatible with the purposes informed to the data subject, in accordance with the context in which it is carried out, limited to the minimum necessary to achieve its purposes, covering only pertinent, proportionate and non-excessive data and respecting the other data protection principles (Art. 6 of the LGPD).
In line with the best governance practices, it is also essential to make it possible for data subjects to exercise their rights (Art. 18 of the LGPD), by providing them with sufficient information about their rights and how to exercise them, as well as giving them a channel for making requests.
It is important to note that all documents dealing with privacy and data protection, such as contracts, Privacy Policies and Terms of Consent, must contain sufficient information on how, for what purpose and on what basis (legal basis) the data is processed. From the above recommendations, it can be seen that there are some legal requirements for the processing of personal data to be considered legitimate. Some questions aimed at verifying the legitimacy of processing are summarized below.
SUMMARY: WHEN IS THE PROCESSING OF PERSONAL DATA LEGITIMATE?
- Question 1: Is the processing necessary for the achievement of the intended object and its corresponding purpose? Is there any other way to proceed without the processing? If not, move on to the next questions.
- Question 2: Are the data processed for specific, explicit and informed purposes for the data subject and the person responsible for the data subject?
- Question 3: Is the processing based on a valid and adequate legal basis?
- Question 4: If consent is the legal basis, is it properly obtained and recorded?
TRANSPARENCY AND SECURITY OBLIGATIONS OF CONTROLLERS
The LGPD stipulates that the Controller or Operator who, as a result of carrying out personal data processing activities, causes property, moral, individual or collective damage to others as a result of a breach of personal data protection legislation, is obliged to make reparation (Art. 42).
Note that the Operator will be jointly and severally liable for the damage caused by the processing when it fails to comply with the obligations of the data protection legislation or when it has not followed the lawful instructions of the Controller, in which case the Operator is equivalent to the Controller (Art. 42, I, of the LGPD). In other words, the Operator must verify the lawfulness of the instructions received from the Controller and comply with them.
Processing agents will not be held liable unless they can prove: that they have not carried out the processing of personal data assigned to them; that, although they have carried out the processing, there has been no breach of data protection legislation; or that the damage is the sole fault of the data subject or a third party.
It should be noted that the processing of personal data will be irregular when it fails to comply with the law or does not provide the security that the data subject can expect from it, taking into account the manner in which it is carried out, the result and the risks reasonably expected from it and the personal data processing techniques available at the time it was carried out (Art. 44, LGPD).
There is an obligation for processing agents to guarantee the security of personal data, to the extent of their responsibility in carrying out the processing. Considering that the international transfer of data poses a greater risk to the rights and freedoms of data subjects, if appropriate and satisfactory techniques and measures are not employed, the chances of security incidents occurring increase.
The Controller or Operator who fails to adopt the appropriate security measures, causing the damage, may therefore be liable for damages arising from a breach of data security. Thus, processing agents must take technical and administrative security measures to protect personal data from unauthorized access and accidental or unlawful destruction, loss, alteration, communication or any form of improper or unlawful processing (Art. 46, LGPD).
In any operation involving the international transfer of data, the data controller must respect the principles of data protection and safeguard the rights of data subjects, including transparency, i.e. the data subject must have clear, precise and easily accessible information about the processing and the respective processing agents. Additional information about the transfer must also be provided to data subjects, especially when sensitive data is involved.
WHAT IS INTERNATIONAL DATA TRANSFER?
It may happen that, due to the nature of the Controllers' operations, it is necessary to process personal data jointly with employees, departments, or even bodies and institutions in other countries, operators of outsourced services contracted outside the domestic jurisdiction, or even share data with foreign institutions with which agreements and partnerships are established.
In these situations, there will be an international transfer of data, i.e. the personal data will be transferred to a foreign country or international body of which the country is a member (Art. 5, XV, of the LGPD). International transfer implies the shared use of data (Art. 5, XVI, of the LGPD).
However, a distinction must be made, taking into account that nowadays data travels at speeds that were previously unimaginable. Obviously, a considerable amount of information is transported over the network from point "A" to point "B", in different countries, via internet providers, from one application to another.
In this context, the mere transport of information over the network is not characterized as the international transfer of data. Therefore, the Internet provider will not be characterized as an operator.
However, when agents located at points "A" and "B", in different countries, wish to share the information of identified or identifiable natural persons for certain purposes, this implies an international transfer and can only be carried out when it complies with certain legal (or regulatory) requirements.
Below are some examples to help you understand when international data transfer is characterized.
EXAMPLES:
- Example 1 - exchange of e-mails: imagine that an e-mail is sent from a natural person in Brazil to a recipient in England. If this e-mail contains spreadsheets or documents with data on candidates for a particular job, this would be an international data transfer.
- Example 2 - access to a system abroad: an executive of a certain multinational travels internationally and accesses information about clients in her files and in her company's system on her computer. This would not constitute an international transfer of data. However, if data is passed on to third parties via this system, it would constitute a transfer.
- Example 3 - telephone call: an employee of a certain foreign company calls his supervisor, passing on data about the investments and assets of two of his clients, Brazilian individuals. At the end of the call, the supervisor records and stores the data on his computer in the foreign company's system. This characterizes an international data transfer.
We will see that the LGPD provides for some exhaustive hypotheses in which the international transfer of personal data is permitted (Arts. 33 to 36 of the LGPD). After all, international transfer implies greater risks to the rights and freedoms of personal data subjects, either because of the distance between points "A" and "B", or because of the need for harmonization between the laws of different countries, in order to safeguard the guarantees that these laws confer on data subjects.
WHEN IS THE INTERNATIONAL TRANSFER OF PERSONAL DATA PERMITTED UNDER THE LGPD?
According to the LGPD (Art. 33), the international transfer of personal data is only permitted, alternatively, when:
(a) The countries or international organizations provide a level of personal data protection that is adequate to that provided for in the LGPD (Art. 33, I, of the LGPD). It is stipulated that the level of data protection of the foreign country or international body will be assessed by the ANPD (Art. 34 of the LGPD), so that legal entities governed by public law, within the scope of their legal powers, and those responsible for them, within the scope of their activities, may request the ANPD to assess the level of personal data protection provided by a country or international body (Art. 33, sole paragraph of the LGPD).
(b) The Controller offers and proves guarantees of compliance with the principles, the rights of the data subject and the data protection regime provided for in the LGPD. It is the Controller's responsibility to guarantee data security and the protection of data subjects' rights and guarantees. This hypothesis is covered in more detail in the section "Transfer to countries with a different regime from Brazil".
(c) The transfer is necessary for international legal cooperation between public intelligence, investigation and prosecution bodies, in accordance with instruments of international law (Art. 33, III, of the LGPD).
(d) The transfer is necessary for the protection of the life or physical safety of the data subject or third parties (Art. 33, IV, of the LGPD). In this case, studies involving COVID-19, or algorithms on the behavior of epidemic systems, could be covered.
(e) The national authority authorizes the transfer (Art. 33, V, of the LGPD).
(f) The transfer results from a commitment made in an international cooperation agreement (Art. 33, VI, of the LGPD). Here, the transfer can be made through a bilateral agreement between ministries in different countries, for example.
(g) The transfer is necessary for the execution of public policy or legal attribution of the public service (Art. 33, VII, of the LGPD).
(h) The data subject has provided specific and prominent consent for the transfer (Art. 33, VIII, of the LGPD), with prior information on the international nature of the operation, clearly distinguishing between this and other purposes; or
(i) It is necessary to comply with the hypotheses provided for in items II, V and VI of Art. 7 of the LGPD (Art. 33, IX, of the LGPD), i.e. respectively: for the fulfillment of a legal or regulatory obligation by the Controller, when necessary for the execution of a contract or preliminary procedures related to a contract to which the data subject is a party, at the request of the data subject and for the regular exercise of rights in judicial, administrative or arbitration proceedings.
Among the hypotheses mentioned above is the protection of the life or physical safety of the data subject or third party (Art. 33, IV, of the LGPD), so that if the data subject or third party is at risk, the transfer may exceptionally be carried out to safeguard them.
The provisions of Art. 33, II, of the LGPD regarding when the Controller offers and proves guarantees of compliance with the principles, rights of the data subject and the data protection regime of the LGPD will be presented in the next section of this Policy.
Specific and prominent consent of the data subjects (Art. 33, VIII, of the LGPD)
The transfer can be carried out with the specific and prominent consent of the data subjects, provided that prior information is given on the international nature of the operation, clearly distinguishing it from other purposes.
EXAMPLE:
A certain institution wants to promote new international partnerships, so the transfer must be based on an authorizing legal hypothesis, for example when the data subject gives their consent specifically for the desired purpose (which must be described in a clear and easy-to-understand manner) and in a prominent manner. It is also recommended that the transfer be provided for in the platform's terms of use and privacy policy. In some cases it will be necessary to prepare more than one version of these documents for the data subjects in the countries involved, in accordance with the applicable regulations.
The consent of the data subject is the free, informed and unequivocal expression by which the data subject agrees to the processing of personal data for a specific purpose. The characteristics of consent indicated here are briefly detailed below.
In this sense, the consent of a data subject can be considered free in situations where they express their choice spontaneously and without any kind of coercion or duress. It is also important to note that the data subject must be informed of the possibility of not providing consent and of the consequences of refusing to do so.
The data subject must be informed, in a clear and transparent manner, about which personal data they must provide, which will be collected regardless of the data subject's provision, and the consequences of not consenting to the provision or collection of such data (such as elimination from the selection process, for example).
The data subject will be informed when there is clear, precise information in accessible, easy-to-understand language. It is essential to make sure that essential information about the processing operation, its methods, the agents involved and any risks have not been withheld from the data subject. In this sense, they will have more control over their data.
The adjective unequivocal encompasses the way in which the data subject expresses their agreement to the processing of their data in a firm and clear manner. It is essential to guarantee that the natural person has agreed to the operations that will be carried out with their information, so that the data subject must always be guaranteed the prominence of the personal data processing clauses, whether in electronic or printed form. In other words, under the new personal data protection legislation, in addition to clear confirmation from the data subject, they must have decided without any ambiguities, confusions or elements that could prejudice their decision.
Having explained the concept of consent, it is also necessary to point out that its concept can hardly be assessed in isolation, in a static way. Consent can only be considered free, informed and unambiguous if the purpose of the personal data processing operation is taken into account. Purpose is much more than a mere accessory to consent, it is one of the principles of the General Personal Data Protection Act.
By purpose, we mean the purpose informed to the natural person about the operations that will be carried out to process their data. The combination of consent and purpose makes it possible to ensure that, firstly, the agent responsible for processing personal data has made an effort to make clear the purposes for collecting, storing and using the data subject's data and, secondly, that the data subject's consent is made as clear as possible.
With regard to the adjective prominent, the clause relating to the international transfer of data cannot be buried among other clauses in a contract, for example, and must be set apart. If it is an online document, e.g. terms of use, it must be presented in its own window.
It is also advisable to separate the purposes for which consent is being given, so as not to impose excessive processing on the data subject. A good approach is to use checkboxes to obtain consent granularly. In addition, the checkboxes should not be pre-checked, as this misleads the data subject into thinking that selecting those options is the only way to use the services; they should therefore be presented blank in the term or clause for the data subject to check.
EXAMPLE:
(I) Consent for international data transfer:
I hereby authorize the [CONTROLLER] and/or any of its [OPERATORS] to process my personal data indicated in item II for the purposes of [...] set out in item III;
(II) Personal data: (mark the desired options with an "x" or leave blank if you disagree) ☐ name and personal telephone number; ☐ name and personal e-mail address; ☐ name and corporate e-mail address;
(III) Purposes: (mark at least one option with an "x") ☐ hiring employees; ☐ publicizing events; ☐ publicizing courses; ☐ publicizing the newsletter; ☐ general publicizing; ☐ I do not wish to receive any of the publicizing listed above;
(IV) Additional information on the transfer: data may be transferred to the third-party operator [...] located in [...], for the reason of [...], to fulfill the purpose [...] listed above, with the rights, principles and safeguards established by the LGPD regime [...] being guaranteed.
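To show how the form layout above translates into a check an application can actually enforce, the following is an added example written for this Policy, not code from CAST or from the LGPD text. It validates a submitted consent form server-side: all boxes start unchecked, a purpose ticked together with the opt-out is rejected as not unequivocal, at least one purpose and one data category are required, and the item (IV) transfer details must be complete. It also records the scope of consent so that a later transfer of a category for a purpose the subject did not tick can be refused (consent plus purpose, as discussed above). The option identifiers, the field names of item (IV) and the sample submission are assumptions.

```python
# Added example (not from the CAST policy): server-side validation of a
# granular consent form laid out like items (I)-(IV) above. Option ids,
# item (IV) field names and the sample submission are assumptions.
from dataclasses import dataclass
from datetime import datetime, timezone

# Item (II): data categories the subject may tick (assumed identifiers).
DATA_CATEGORIES = frozenset({"name_phone", "name_personal_email", "name_corporate_email"})
# Item (III): purposes (assumed identifiers) plus the explicit opt-out option.
PURPOSES = frozenset({"recruitment", "events", "courses", "newsletter", "general"})
OPT_OUT = "no_publicity"
# Item (IV): details that must be filled in before a transfer can rely on consent.
TRANSFER_FIELDS = ("operator", "country", "reason")


@dataclass(frozen=True)
class ConsentRecord:
    """Scope of what was consented to: the ticked data categories, the
    ticked purposes, and the one transfer described in item (IV)."""
    data_categories: frozenset
    purposes: frozenset
    transfer: dict
    given_at: str


def blank_form():
    """The form as it must be presented: every checkbox unchecked
    (no pre-ticked boxes that nudge the subject into agreeing)."""
    return {opt: False for opt in sorted(DATA_CATEGORIES | PURPOSES | {OPT_OUT})}


def validate_consent(form, transfer):
    """Check a submitted form. Returns a ConsentRecord, None when the subject
    opted out, or raises ValueError explaining why the submission is unusable."""
    unknown = set(form) - DATA_CATEGORIES - PURPOSES - {OPT_OUT}
    if unknown:
        raise ValueError(f"unknown options submitted: {sorted(unknown)}")
    data = frozenset(k for k in DATA_CATEGORIES if form.get(k))
    purposes = frozenset(k for k in PURPOSES if form.get(k))
    opted_out = bool(form.get(OPT_OUT))
    if opted_out and purposes:
        # Opt-out ticked together with a purpose is ambiguous: not unequivocal.
        raise ValueError("opt-out cannot be combined with a purpose")
    if opted_out:
        return None  # no consent given, so no transfer on this basis
    if not purposes:
        raise ValueError("at least one purpose must be selected (item III)")
    if not data:
        raise ValueError("no data category selected (item II)")
    missing = [f for f in TRANSFER_FIELDS if not transfer.get(f)]
    if missing:
        raise ValueError(f"item (IV) incomplete, missing: {missing}")
    return ConsentRecord(data, purposes, dict(transfer),
                         datetime.now(timezone.utc).isoformat())


def covers(record, data_category, purpose):
    """Purpose-limitation check at use time: transferring a category for a
    purpose the subject did not tick is outside the recorded consent."""
    return (record is not None
            and data_category in record.data_categories
            and purpose in record.purposes)


if __name__ == "__main__":
    # Constructed sample submission: only personal e-mail, only the newsletter.
    submission = dict(blank_form(), name_personal_email=True, newsletter=True)
    rec = validate_consent(submission, {"operator": "ExampleOp Ltd",
                                        "country": "Ireland",
                                        "reason": "newsletter delivery"})
    print(covers(rec, "name_personal_email", "newsletter"))  # True
    print(covers(rec, "name_personal_email", "events"))      # False
```

The `covers` check is the part most often missing in practice: consent is collected once, but every later use of the data (each newsletter send, each hand-off to the foreign operator) should be checked against the category/purpose pairs actually ticked, and a new purpose needs new consent rather than a reinterpretation of the old record.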
Compliance with a legal or regulatory obligation by the Controller; performance of a contract or of preliminary procedures related to a contract; and the regular exercise of rights in judicial, administrative or arbitration proceedings (Art. 33, IX, of the LGPD).
If the international transfer is necessary for the Controller to comply with a legal or regulatory obligation, it is permitted (Art. 7, II, and Art. 33, IX, of the LGPD). When the counterpart is established in the European Economic Area, the corresponding obligation under the GDPR, or under other regulations governing the matter, must also be taken into account.
In the case of performance of a contract, the transfer may serve a contract to which the data subject is a party, or pre-contractual procedures carried out at the data subject's request (Art. 7, V, of the LGPD). In other words, the Controller cannot rely on this basis if it has no contractual relationship with the data subject, if the data subject has no direct connection with the Controller, or if the procedures were not requested by the data subject. For example, a bank with which the data subject has no account cannot use this basis to run a check on the data subject's financial situation using their CPF and then offer them a loan.
Furthermore, the transfer is lawful when its purpose is the regular exercise of rights in judicial, administrative or arbitration proceedings (the latter under the terms of Law No. 9.307, of September 23, 1996, the "Arbitration Law"). This provision seeks to safeguard the right to produce evidence within a process, avoiding the curtailment of the right of defense and guaranteeing the adversarial process and a full defense. After all, the personal data being transferred internationally may be discussed in the proceedings, or relate to their subject matter. The proviso makes clear that the parties hold these rights and cannot oppose processing carried out for this purpose.
SIMILARITIES AND DIFFERENCES BETWEEN LGPD AND GDPR
In many respects, the LGPD's provisions on the international transfer of data are very similar to those of the GDPR. Under the GDPR, an international transfer is only permitted under the conditions set out in Chapter V of the Regulation, and must also comply with its other provisions (Art. 44). A transfer to a third country or international organisation outside the EEA can take place when an adequate level of protection is ensured, based on an adequacy decision of the European Commission (Art. 45).
In the absence of an adequacy decision, the transfer is possible when the Controller or Operator provides appropriate safeguards (Art. 46) in the form of: binding corporate rules; standard data protection clauses adopted by the European Commission or by a supervisory authority; a code of conduct approved under Article 40, accompanied by binding and enforceable commitments; or a certification mechanism approved under Article 42, accompanied by binding and enforceable commitments.
In addition to these hypotheses, Art. 49(1) provides specific authorizations (derogations) for a transfer: with the explicit consent of the data subject, after being informed of the possible risks; when the transfer is necessary for the performance of a contract between the data subject and the controller, or for pre-contractual measures taken at the data subject's request; when the transfer is necessary for important reasons of public interest; when it is necessary for the establishment, exercise or defense of legal claims; and when it is necessary to protect the vital interests of the data subject or of other persons.
Another Art. 49(1) derogation, which has no counterpart in the LGPD, covers transfers made from a register which, under Union or Member State law, is intended to provide information to the public and is open to consultation by the general public or by any person with a legitimate interest, but only to the extent that the conditions for consultation laid down in Union or Member State law are met in the specific case.
Finally, Art. 49(1) also provides that when a transfer to a third country or international organisation cannot be based on Articles 45 or 46 or on any of the derogations above, it may take place only if (i) it is not repetitive (a one-off transfer, not a recurring flow), (ii) it concerns only a limited number of data subjects, (iii) it is necessary for compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and (iv) the controller has assessed all the circumstances surrounding the transfer and, on that basis, provided suitable safeguards for the protection of the personal data. The controller must inform the supervisory authority of the transfer and inform the data subject of the transfer and of the compelling legitimate interests pursued.
Below are some targeted questions to assess whether the international transfer of personal data complies with the requirements established in the LGPD.
SUMMARY: INTERNATIONAL DATA TRANSFER CHECKLIST
- Question 1: Do we plan to transfer personal data outside Brazil? For what purpose?
- Question 2: Is the transfer strictly necessary to achieve the desired goal? Is there any other way of achieving this purpose? If the transfer is strictly necessary and there is no other way of achieving the purpose, proceed to the next question.
- Question 3: Will the transfer be made to a country or international organization with a level of protection recognized as adequate by the ANPD? (Art. 33, I, of the LGPD) If not, proceed.
- Question 4: Does the Controller provide and prove guarantees of compliance with the principles, the rights of data subjects and the data protection regime provided for in the LGPD? (Art. 33, II of the LGPD) Through what instruments? If not, continue.
- Question 5: Is the transfer based on any other authorizing hypothesis provided for in items III to IX of art. 33 of the LGPD? If not, the transfer cannot take place.
TRANSFER TO COUNTRIES WITH A DIFFERENT LEVEL OF DATA PROTECTION THAN BRAZIL
According to the LGPD, the international transfer of data can take place to countries or international organizations that provide an adequate level of protection (Art. 33, I, LGPD). This is because the LGPD provides a series of guarantees and protective mechanisms for the rights of personal data subjects. Thus, if the country or organization to which the transfer will be made does not demonstrate an equivalent level of protection, the fundamental rights and freedoms of the data subjects will be put at risk.
However, how do you know the level of protection of the country to which the transfer will take place? Article 34 of the LGPD states that the level of data protection of the foreign country or international body mentioned will be assessed by the National Personal Data Protection Authority (ANPD), which will take the following criteria into account:
(a) the general and sectoral rules of the legislation in force in the country of destination or in the international organization;
(b) the nature of the data;
(c) compliance with the general principles of personal data protection and the rights of data subjects as set out in the LGPD;
(d) the adoption of security measures provided for in regulations;
(e) the existence of judicial and institutional guarantees for the respect of personal data protection rights; and
(f) other specific circumstances relating to the transfer.
However, until the level of data protection of the foreign country or international body to which the transfer is intended has been assessed and Art. 33, I, of the LGPD can be relied upon, other provisions, as already seen, authorize international transfers.
At the time of writing, Brazil has not recognized another country as having an adequate level of data protection and, conversely, has not yet received such recognition from foreign authorities. Each data flow must therefore be evaluated on a case-by-case basis, in light of a specific authorizing hypothesis or compensatory measure, as explained below.
When the Controller offers and proves guarantees of compliance with the principles, rights of the data subject and the data protection regime provided for in the LGPD (Art. 33, II, of the LGPD).
The LGPD provides for certain measures that can be adopted by the Controller to ensure that a not identical, but equivalent level of personal data protection is guaranteed in relation to the rights and freedoms of data subjects and their safeguards, which we will call "compensatory measures", as they are mechanisms that seek to compensate for this differentiation in levels.
Thus, Art. 33, II, of the LGPD states that the international transfer of data can be carried out when the Controller offers and proves guarantees of compliance with the principles, rights of the data subject and the protection regime provided for in the LGPD by means of:
(a) specific contractual clauses for a given transfer;
(b) standard contractual clauses;
(c) global corporate standards;
(d) regularly issued seals, certificates and codes of conduct.
Among these instruments, the ones that CAST will use most at the moment are the specific contractual clauses for a given transfer and the standard contractual clauses. Specific contractual clauses must clearly describe the relationship between the purposes of the processing and the international transfer of personal data, indicating the authorizing hypothesis of the LGPD that substantiates the operation (Articles 33 to 36 of the LGPD), specifying its purpose, detailing the responsibilities of the processing agents and the flow of data, and stating how safeguards for the rights and freedoms of data subjects will be guaranteed.
Regarding standard contractual clauses, it is worth mentioning that the European Commission may decide that standard contractual clauses (SCCs) offer sufficient safeguards for data to be transferred internationally (Art. 46(2)(c), GDPR). The Commission has issued sets of SCCs for transfers from controllers and processors in the EU/EEA to controllers and processors established outside the EEA; the older controller-to-controller and controller-to-processor sets were replaced in June 2021 by a single modular set (Implementing Decision (EU) 2021/914). Note that these are GDPR instruments: under the LGPD it is the ANPD that defines the content of Brazilian standard contractual clauses (Art. 35), so EU SCCs attached to a contract do not by themselves satisfy Art. 33, II, "b", although they are useful evidence of the safeguards offered.
The provisions of Art. 33, II, of the LGPD present "compensatory measures" that seek to ensure that adequate safeguards for the rights and freedoms of data subjects will be guaranteed, even if the transfer is made to a level of personal data protection that differs from Brazil. Thus, if the transfer takes place from a country whose level of data protection is different from Brazil, Controllers have a duty to ensure that this international transfer will not negatively affect the level of protection of personal data. Controllers must provide data subjects with additional details about the international data transfer, especially when the operation involves sensitive data.
The Controller responsible for the operation must therefore ensure that the rights of personal data subjects are safeguarded. If the international transfer of data is carried out by a party other than CAST, that party will be responsible and must ensure that the operation is carried out to a country with an adequate level of protection, or that this level is guaranteed through the instruments provided for in the subparagraphs of Art. 33, II, of the LGPD, such as standard contractual clauses.
EXAMPLE:
- In a contract signed with a foreign institution, CAST appears merely as an Operator providing a service in Brazil. For this to be possible, the foreign institution will need to carry out the international transfer of data and, as Controller, must demonstrate that it guarantees safeguards for the rights of data subjects if it bases the transfer on compensatory measures, such as specific contractual clauses (Art. 33, II, "a"). It will be up to CAST to assess the lawfulness of the Controller's instructions (Art. 39 and Art. 42, § 1, I, of the LGPD). If, however, CAST also appears in the contractual relationship as a Controller, it must itself offer these guarantees.
Duties of the ANPD with regard to the international transfer of data and proof of "compensatory measures" by the Controller.
The LGPD entrusts the ANPD with defining the content of standard contractual clauses and verifying specific contractual clauses for a given transfer, global corporate standards or seals, certificates and codes of conduct (Art. 35). For this verification, the minimum requirements, conditions and guarantees for the transfer that comply with the rights, guarantees and principles of the LGPD will be considered (Art. 35, § 1, of the LGPD).
In addition, in the analysis of contractual clauses, documents or global corporate rules submitted for approval by the National Authority, additional information may be required or due diligence may be carried out on processing operations, when necessary (Art. 35, §2 of the LGPD).
The ANPD may designate certification bodies, which remain under its supervision under the terms defined in regulation; the acts carried out by them may be reviewed by the national authority and, if not in conformity with the LGPD, submitted to revision or annulled (Art. 35, §§ 3 and 4, of the LGPD).
In addition, the ANPD may lay down minimum technical standards, taking into account the nature of the information processed, the specific characteristics of the processing and the current state of the technology, especially in the case of sensitive personal data, as well as the principles of personal data protection (provided for in the caput of Art. 6 of the LGPD).
Furthermore, the measures must be observed from the design phase of the product or service to its execution. Any changes to the guarantees presented as sufficient compliance with the general principles of protection and the rights of the data subject must be communicated to the national authority (Art. 36 of the LGPD).
How can you get an idea of the level of protection in each country?
Considering that CAST and its sponsor, for example, may have offices abroad and carry out a series of agreements and partnerships with foreign institutions, it is important that, when these instruments are signed, they have an idea of the level of protection of personal data in the country of origin or destination of the international data transfer, so that they can analyze, in the specific case, which legal authorization or compensatory measure is applicable to each situation.
However, as the ANPD is responsible for this assessment and had not yet carried it out when this Policy was written, it is suggested that, for the time being, the adequacy decisions of the European Commission be consulted in order to have more concrete parameters and a clearer idea of the degree of personal data protection in a given country. These decisions are only a proxy: they reflect the GDPR standard, not the ANPD's criteria under Art. 34, and the ANPD's own regulation on international transfers, once published, prevails. Check the ANPD's website for the current rules before signing.
INTERNATIONAL DATA TRANSFER INVOLVING FOREIGN INSTITUTIONS AND OFFICES LOCATED OUTSIDE THE LOCAL JURISDICTION
EXAMPLE:
Suppose CAST, a Brazilian company, has an office outside its home jurisdiction, in France, and this office needs to transfer personal data to Germany. In this case, the data flow is not restricted or prohibited, since both countries are in the EEA and fall within the scope of the GDPR; a flow between two EEA countries is not an international transfer for GDPR purposes. However, if the office wishes to transfer the same data to a country outside the EEA for which the European Commission has not issued an adequacy decision, the rules of Chapter V of the GDPR must be applied, as these rules are intended to protect the personal data of data subjects under EU jurisdiction.
Also, within the same economic group, the transfer can be carried out via an intragroup agreement (IGA) based on the standard contractual clauses, or via Binding Corporate Rules (BCR), which require approval by the competent supervisory authority (Art. 47, GDPR).
A transfer by CAST (fulfilling all its requirements) to Germany, then to France, and then to the US is also possible. When this Policy was written, the Commission's adequacy decision for the US was limited to the EU-US Privacy Shield framework, so EU-to-US transfers could follow its provisions. That decision has since been invalidated by the Court of Justice of the EU (Schrems II, case C-311/18, July 2020). EU-to-US transfers now rely on the EU-US Data Privacy Framework adequacy decision (July 2023), for organizations certified under it, or on SCCs accompanied by a transfer impact assessment; the status of the US-bound hop must therefore be re-checked at the time of the transfer.
However, if the transfer involves Brazil and the USA directly, the applicable rules must be considered when analyzing the specific case, including, as mentioned above, depending on the data flow, the rules of the US state in which the processing agent is located, assuming, for example, that the transfer covers data of US data subjects residing in that state.
In other words, each data flow must be analyzed according to its peculiarities. Furthermore, if the object of a given contract involves transfer to more than one country, each of the flows must be considered in terms of its specific characteristics. The analysis is simpler when the hops are covered by existing decisions, for example a flow from a US organization to an EEA country (which Chapter V of the GDPR does not restrict, since it governs transfers out of the EEA) and then on to Japan, for which the European Commission has adopted an adequacy decision.
FINAL CONSIDERATIONS
When entering into agreements and partnerships with foreign institutions involving the international transfer of data, care must always be taken to consider the purpose of the operation, its relationship with the contractual object and the position held by the Brazilian CAST.
It has been seen that, if CAST is only an Operator, its responsibility in the data protection chain relates to the lawfulness of the instructions issued by the Controller, while if it is a Controller, its responsibilities are greater, since it makes the decisions on how the processing is carried out.
In any case, it is worth checking whether the foreign institution is in compliance, or is in the process of complying, with the data protection laws and regulations applicable to it. In addition, all the requirements for the international transfer of personal data provided for in the LGPD, and detailed in this Policy, must be observed, both in the cases in which the transfer is permitted under the LGPD's general regime (Art. 33 et seq.) and in the special cases the LGPD treats differently (e.g. processing by a research body).
It is important to emphasize that the obligations to protect personal data will last as long as the data is still available to the parties involved, and will continue to apply even after the Agreements, Partnerships, etc. have expired.
This Policy is intended to provide guidelines and good practices for activities that may involve processing operations involving the international transfer of data.
The aim is to provide guidance on the interpretation of the applicable legislation, without prejudice to subsequent interpretations by the competent authorities or to specific regulations. This Policy is subject to constant change and updating.