HR Tech Privacy

Brazilian ANDP: Standard Contractual Clauses

Section I – General Information 

(Note: This Section contains Clauses that may be completed by the Parties solely in the indicated spaces and following the provided guidelines. The definitions of the terms used in these Clauses are detailed in CLAUSE 6). 

CLAUSE 1. Identification of the Parties 1.

1. By this contractual instrument, the Exporter and the Importer (hereinafter referred to as the “Parties”), identified below, agree to adopt the Standard Contractual Clauses (hereinafter referred to as “Clauses”) approved by the Brazilian Data Protection Authority (ANPD) to govern the International Data Transfer described in Clause 2, in accordance with the provisions of the Brazilian Legislation. 

Name: 

Qualification: 

Main address: 

Email address: 

Contact for the Data Subject: 

Other information: 

( ) Exporter/Controller ( ) Exporter/Processor 

(Note: Mark the corresponding option for “Controller” or “Processor” and fill in the identification information as indicated in the table). 

Name: 

Qualification: 

Main address: 

Email address: 

Contact for the Data Subject: 

Other information: 

( ) Importer/Controller ( ) Importer/Processor 

(Note: Mark the corresponding option for “Controller” or “Processor” and fill in the identification information as indicated in the table). 

CLAUSE 2. Object

2.1. These Clauses apply to the International Data Transfers from the Exporter to the Importer, as described below. Description of the international data transfer: Main purposes of the transfer: Categories of personal data transferred: Data retention period: Other information: 

(Note: Fill out as detailed as possible with information related to the international transfer.) 

CLAUSE 3. Onward Transfers 

(Note: Choose “OPTION A” or “OPTION B,” as applicable.) 

OPTION A. 3.1. The Importer may not carry out Onward Transfers of the Personal Data subject to the International Data Transfer governed by these Clauses, except in the cases provided for in item 18.3.

OPTION B.*3.1. The Importer may carry out Onward Transfers of the Personal Data subject to the International Data Transfer governed by these Clauses under the conditions described below and provided that the provisions of Clause 18 are observed. 

Main purposes of the transfer: 

Categories of personal data transferred: 

Data retention period: 

Other information: 

(Note: Fill out as detailed as possible with information related to authorized onward transfers.) 

CLAUSE 4. Responsibilities of the Parties

(Note: Choose “OPTION A” or “OPTION B,” as applicable) 

OPTION A. (Option A is exclusive for international data transfers where at least one of the Parties acts as a Controller) 

4.1. Without prejudice to the duty of mutual assistance and the general obligations of the Parties, the Designated Party below, as the Controller, is responsible for fulfilling the following obligations provided for in these Clauses: 

a) Responsible for publishing the document provided for in Clause 14; 

( ) Exporter ( ) Importer 

b) Responsible for responding to data subject requests referred to in CLAUSE 15: 

( ) Exporter ( ) Importer 

c) Responsible for notifying a data breach as provided for in Clause 16: 

( ) Exporter ( ) Importer 

(Note: In items “a,” “b,” and “c,” mark the corresponding option to: (i) “Exporter” or “Importer,” in cases where only one of the Parties acts as a Controller; or (ii) mark both options, in cases where both Parties act as Controllers. The responsibility for fulfilling the obligations referred to in Clauses 14 to 16 cannot be attributed to the Party acting as the Processor. If it is later verified that the Designated Party acts as a Processor, the provisions of item 4.2 shall apply.) 

4.2. For the purposes of these Clauses, if it is later verified that the Designated Party under item 4.1 acts as a Processor, the Controller shall remain responsible: 

a) for fulfilling the obligations provided for in Clauses 14, 15, and 16 and other provisions established in the Brazilian Legislation, especially in the event of omission or non-compliance by the Designated Party; 

b) for complying with the determinations of the ANPD; and 

c) for ensuring the rights of the Data Subjects and for compensating for damages caused, in accordance with the provisions of Clause 17. 

OPTION B. (Note: Option B is exclusive for international data transfers carried out between processors) 

4.1. Considering that both Parties act exclusively as Processors in the scope of the International Data Transfer governed by these Clauses, the Exporter declares and guarantees that the transfer is carried out in accordance with the written instructions provided by the Third-Party Controller identified in the table below. 

Identification information of the Third-Party Controller: 

Name: 

Qualification: 

Main address: 

Email address: 

Contact for the Data Subject: 

Information about Linked Contract: 

(Note: Fill out as detailed as possible with the identification and contact information of the Third-Party Controller and, if applicable, of the Linked Contract). 

4.2. The Exporter shall be jointly liable for any damages caused by the International Data Transfer if it is carried out in non-compliance with the obligations of the Brazilian Legislation or with the lawful instructions of the Third-Party Controller, in which case the Exporter shall be deemed a Controller, in accordance with the provisions of Clause 17. 

4.3. If the Exporter is deemed a Controller as provided in item 4.2, it shall be responsible for fulfilling the obligations provided for in Clauses 14, 15, and 16. 

4.4. Except as provided in items 4.2 and 4.3, the provisions of Clauses 14, 15, and 16 shall not apply to the Parties acting as Processors. 

4.5. The Parties shall provide, in any case, all the information they have and that is necessary for the Third-Party Controller to comply with the determinations of the ANPD and to fulfill adequately the obligations provided in the Brazilian Legislation related to transparency, the exercise of data subjects’ rights, and notification of data breaches to the ANPD. 

4.6. The Parties shall promote mutual assistance to respond to Data Subjects’ requests. 

4.7. In case of receipt of a Data Subject request, the Party shall: 

a) respond to the request if it has the necessary information; 

b) inform the Data Subject of the contact channel provided by the Third-Party Controller; or 

c) forward the request to the Third-Party Controller as soon as possible to enable a response within the period provided in the Brazilian Legislation. 

4.8. The Parties shall keep a record of data breaches involving personal data, in accordance with the Brazilian Legislation. 

Section II – Mandatory Clauses 

(Note: This Section contains Clauses that must be adopted in full and without any alteration in their text to ensure the validity of the international data transfer). 

CLAUSE 5. Purpose

5.1. These Clauses serve as a mechanism to enable the secure international flow of personal data, establish minimum guarantees and valid conditions for the execution of International Data Transfers, and aim to ensure the adoption of appropriate safeguards for compliance with the principles, rights of the Data Subject, and the data protection regime provided in the Brazilian Legislation. 

CLAUSE 6. Definitions 

6.1. For the purposes of these Clauses, the definitions in Article 5 of Law No. 13,709 of August 14, 2018, and Article 3 of the International Data Transfer Regulation, without prejudice to other normative acts issued by the ANPD, shall apply. The Parties also agree to consider the terms and their respective meanings as set forth below: 

a) Processing agents: the controller and the processor; 

b) ANPD: Brazilian Data Protection Authority; 

c) Clauses: the Standard Contractual Clauses approved by the ANPD, which comprise Sections I, II, and III; 

d) Linked Agreement: a contractual instrument entered into between the Parties or, at least, between one of them and a third party, including a Third-Party Controller, that has a common purpose, linkage, or dependency relationship with the Agreement governing the International Data Transfer; 

e) Controller: a Party or third party (“Third-Party Controller”) responsible for decisions regarding the processing of Personal Data; 

f) Personal Data: information related to an identified or identifiable natural person; 

g) Sensitive Personal Data: personal data concerning racial or ethnic origin, religious belief, political opinion, membership of a trade union or a religious, philosophical, or political organization, data concerning health or sexual life, genetic or biometric data when linked to a natural person; 

h) Deletion: the exclusion of data or a set of data stored in a database, regardless of the method used; 

i) Exporter: a processing agent located in the Brazilian territory or in a foreign country that transfers personal data to an Importer; 

j) Importer: a processing agent located in a foreign country or an international organization that receives personal data transferred by an Exporter; 

k) Brazilian Legislation: the set of Brazilian constitutional, legal, and regulatory provisions regarding personal data protection, including Law No. 13,709 of August 14, 2018, the International Data Transfer Regulation, and other normative acts issued by the ANPD; 

l) Arbitration Law: Law No. 9,307 of September 23, 1996; 

m) Security Measures: technical and administrative measures adopted to protect personal data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication, or dissemination; 

n) Research Body: a body or entity of the direct or indirect public administration or a non-profit private legal entity legally constituted under Brazilian law, headquartered in the country, whose institutional mission or social/statutory purpose includes basic or applied research of a historical, scientific, technological, or statistical nature; 

o) Processor: a Party or third party, including a Subcontractor, that processes Personal Data on behalf of the Controller; 

p) Designated Party: the Party designated, according to Clause 4 (“Option A”), to fulfill specific obligations as a Controller concerning transparency, Data Subject rights, and notification of data breaches; 

q) Parties: Exporter and Importer; 

r) Access Request: a mandatory request, by law, regulation, or public authority determination, to grant access to the Personal Data subject to the International Data Transfer governed by these Clauses; 

s) Subcontractor: a processing agent contracted by the Importer, with no link to the Exporter, to process Personal Data after an International Data Transfer; 

t) Third-Party Controller: the Controller of the Personal Data who provides written instructions for the execution, on its behalf, of the International Data Transfer between Processors governed by these Clauses, under Clause 4 (“Option B”); 

u) Data Subject: the natural person to whom the Personal Data subject to the International Data Transfer governed by these Clauses relate; 

v) Transfer: a processing method through which one processing agent transmits, shares, or provides access to Personal Data to another processing agent; 

w) International Data Transfer: the transfer of Personal Data to a foreign country or an international organization of which the country is a member; and 

x) Onward Transfer: the International Data Transfer, originating from an Importer, and intended for a third party, including a Subcontractor, provided that it does not constitute an Access Request. 

CLAUSE 7. Applicable Legislation and ANPD Supervision 

7.1. The International Data Transfer subject to these Clauses is governed by the Brazilian Legislation and the supervision of the ANPD, including the power to apply preventive measures and administrative sanctions to both Parties, as the case may be, as well as to limit, suspend, or prohibit international transfers arising from these Clauses or a Linked Contract. 

CLAUSE 8. Interpretation 

8.1. Any application of these Clauses must be in accordance with the following terms: 

a) These Clauses must always be interpreted in the most favorable way to the Data Subject and in accordance with the provisions of the Brazilian Legislation;

b) In case of doubt about the meaning of terms in these Clauses, the meaning that aligns most closely with the Brazilian Legislation applies; 

c) No item in these Clauses, including a Linked Agreement and the provisions of Section IV, may be interpreted with the aim of limiting or excluding the liability of any of the Parties concerning obligations provided for in the Brazilian Legislation; and 

d) The provisions of Sections I and II shall prevail in the event of a conflict of interpretation with additional Clauses and other provisions set forth in Sections III and IV of this instrument or in Linked Agreement. 

CLAUSE 9. Third-Party Accession 

9.1. By mutual agreement between the Parties, a processing agent may accede to these Clauses as an Exporter or Importer by completing and signing a written document that will become part of this instrument. 

9.2. The acceding party shall have the same rights and obligations as the original Parties, according to the assumed position of Exporter or Importer and the corresponding category of processing agent. 

CLAUSE 10. General Obligations of the Parties 

10.1. The Parties commit to adopting and, when necessary, demonstrating the adoption of effective measures capable of proving compliance with the provisions of these Clauses and the Brazilian Legislation and, in particular: 

a) Use Personal Data only for the specific purposes described in Clause 2, with no possibility of subsequent processing in a manner incompatible with those purposes, subject, in any case, to the limitations, guarantees, and safeguards provided in these Clauses; 

b) Ensure that the processing is compatible with the purposes informed to the Data Subject, according to the context of the processing; 

c) Limit the processing to the minimum necessary for achieving its purposes, including relevant, proportional, and not excessive data concerning the purposes of Personal Data processing; 

d) Ensure that Data Subjects, subject to the provisions of Clause 4, 

(d.1.) have access to clear, precise, and easily accessible information about the processing and the respective processing agents, subject to commercial and industrial secrets; 

(d.2.) have facilitated and free consultation on the form and duration of the processing, as well as on the entirety of their Personal Data; and 

(d.3.) have accurate, clear, relevant, and up-to-date Personal Data, according to the necessity and for fulfilling the purpose of its processing; 

e) Adopt appropriate security measures compatible with the risks involved in the International Data Transfer governed by these Clauses; 

f) Not process Personal Data for discriminatory, unlawful, or abusive purposes; 

g) Ensure that any person acting under their authority, including subcontractors or any agent cooperating with them, free of charge or for a fee, processes data only in accordance with their instructions and the provisions of these Clauses; and 

h) Maintain a record of the Personal Data processing operations subject to the International Data Transfer governed by these Clauses and present the relevant documentation to the ANPD when requested. 

CLAUSE 11. Sensitive Personal Data 

11.1. If the International Data Transfer involves Sensitive Personal Data, the Parties shall apply additional safeguards, including specific security measures proportional to the risks of the processing activity, the specific nature of the data, and the interests, rights, and guarantees to be protected, as described in Section III. 

CLAUSE 12. Personal Data of Children and Adolescents 

12.1. If the International Data Transfer involves Personal Data of children and adolescents, the Parties shall apply additional safeguards, including measures to ensure that the processing is carried out in their best interest, in accordance with the Brazilian Legislation and relevant international legal instruments. 

CLAUSE 13. Legal Use of Data 

13.1. The Exporter guarantees that the Personal Data were collected, processed, and transferred to the Importer in accordance with the Brazilian Legislation. 

CLAUSE 14. Transparency 

14.1. The Designated Party shall publish, on its website, a document containing easily accessible information written in simple, clear, and precise language about the execution of the International Data Transfer, including at least the following information: a) The form, duration, and specific purpose of the international transfer; 

b) The destination country of the transferred data; 

c) The identification and contact details of the Designated Party; 

d) The data sharing by the Parties and the purpose; 

e) The responsibilities of the processing agents; 

f) The Data Subject’s rights and the means for exercising them, including an easily accessible channel for addressing requests and the right to petition against the Controller before the ANPD; and 

g) Onward Transfers, including information about the recipients and the purpose of the transfer. 

14.2. The document referred to in item 14.1 may be made available on a specific page or integrated in a prominent and easily accessible manner into the Privacy Policy or equivalent document. 

14.3. Upon request, the Parties shall provide the Data Subject with a free copy of these Clauses, subject to commercial and industrial secrets. 

14.4. All information made available to the data subjects, as required by these Clauses, must be written in Portuguese. 

CLAUSE 15. Data Subject’s Rights 

15.1. The Data Subject has the right to obtain from the Designated Party, concerning the Personal Data subject to the International Data Transfer governed by these Clauses, at any time and upon request, under the terms of the Brazilian Legislation: 

a) Confirmation of the existence of processing; 

b) Access to the data; 

c) Correction of incomplete, inaccurate, or outdated data; 

d) Anonymization, blocking, or deletion of unnecessary, excessive, or unlawfully processed data, in non-compliance with these Clauses and the provisions of the Brazilian Legislation; 

e) Data portability to another service or product provider, upon express request, in accordance with ANPD regulations, subject to commercial and industrial secrets; 

f) Deletion of Personal Data processed with the Data Subject’s consent, except in the cases provided for in Clause 20; 

g) Information about the public and private entities with whom the Parties have shared data; 

h) Information about the possibility of not providing consent and the consequences of denial; 

i) Withdrawal of consent through a free and facilitated procedure, with ratification of the processing carried out before the deletion request; 

j) Review of decisions made solely based on automated processing of personal data that affect their interests, including decisions aimed at defining their personal, professional, consumption, and credit profile or aspects of their personality; and 

k) Information about the criteria and procedures used for automated decisionmaking, subject to commercial and industrial secrets. 

15.2. The Data Subject may object to processing carried out based on one of the grounds for exemption from consent, in case of non-compliance with these Clauses or the Brazilian Legislation. 

15.3. The deadline for responding to requests provided for in this Clause and in item 14.3 is 15 (fifteen) days from the date of the Data Subject’s request, except in cases where a different deadline is established by specific ANPD regulations. 

15.4. If the Data Subject’s request is directed to the Party not designated as responsible for the obligations provided for in this Clause or item 14.3, the Party shall: a) Inform the Data Subject of the contact channel provided by the Designated Party; or b) Forward the request to the Designated Party as soon as possible, to enable a response within the period provided by the Brazilian Legislation. 

15.5. The Parties shall immediately inform the Processing Agents with whom they have shared data of any correction, deletion, anonymization, or blocking of data, so that they may take the same action, except in cases where this communication is demonstrably impossible or involves disproportionate effort. 

15.6. The Parties must promote mutual assistance to respond to Data Subjects’ requests. 

CLAUSE 16. Data Breach Notification 

16.1. The Designated Party shall notify the ANPD and the Data Subjects, within 3 (three) business days, of the occurrence of a data breach that may result in significant risk or damage to the Data Subjects, in accordance with the provisions of the Brazilian Legislation. 

16.2. The Importer must keep a record of data breaches in accordance with the Brazilian Legislation. 

CLAUSE 17. Liability and Damage Compensation 

17.1. The Party that, as a result of its Personal Data processing activities, causes material, moral, individual, or collective damage, in violation of the provisions of these Clauses and the Brazilian Legislation, is obliged to compensate for such damage. 

17.2. The Data Subject may seek compensation for damages caused by any of the Parties due to the violation of these Clauses. 

17.3. The defense of the Data Subjects’ interests and rights may be sought in court, individually or collectively, in accordance with the relevant legislation regarding individual and collective legal protection instruments. 

17.4. The Party acting as a Processor is jointly liable for damages caused by the processing when it fails to comply with these Clauses or when it has not followed the lawful instructions of the Controller, subject to the provisions of item 17.6. 

17.5. The Controllers directly involved in the processing that caused damage to the Data Subject are jointly liable for such damages, subject to the provisions of item 17.6. 

17.6. The Parties shall not be held liable if it is proven that: 

a) They did not perform the Personal Data processing attributed to them; 

b) Although they performed the Personal Data processing attributed to them, there was no violation of these Clauses or the Brazilian Legislation; or 

c) The damage resulted solely from the Data Subject’s or a third party’s fault, not being a recipient of Onward Transfer or a subcontractor of the Parties. 

17.7. Under the Brazilian Legislation, the judge may reverse the burden of proof in favor of the Data Subject when the claim is credible, there is insufficiency for evidence production, or when the production of evidence by the Data Subject would be excessively burdensome. 

17.8. Collective actions for damage compensation aimed at liability under this Clause may be brought collectively in court, in accordance with the relevant legislation. 

17.9. The Party that compensates the Data Subject for damages has the right of recourse against the other responsible Parties, to the extent of their involvement in the harmful event. 

CLAUSE 18. Safeguards for Onward Transfer 

18.1. The Importer may only carry out Onward Transfers of the Personal Data subject to the International Data Transfer governed by these Clauses if expressly authorized, under the conditions described in Clause 3. 

18.2. In any case, the Importer: a) Must ensure that the purpose of the Onward Transfer is compatible with the specific purposes described in Clause 2; b) Must ensure, through a written contractual instrument, that the safeguards provided in these Clauses are observed by the third-party recipient of the Onward Transfer; and c) For the purposes of these Clauses, and in relation to the transferred Personal Data, shall be considered responsible for any irregularities committed by the third-party recipient of the Onward Transfer. 

18.3. Onward Transfers may also be carried out based on another valid mechanism of International Data Transfer provided for in the Brazilian Legislation, regardless of the authorization mentioned in Clause 3. 

CLAUSE 19. Notification of Access Request 

19.1. The Importer shall notify the Exporter and the Data Subject of any Access Request related to the Personal Data subject to the International Data Transfer governed by these Clauses, except where notification is prohibited by the law of the data processing country. 

19.2. The Importer shall take the appropriate legal measures, including legal actions, to protect the Data Subjects’ rights whenever there is a legal basis to challenge the legality of the Access Request and, if applicable, the prohibition to notify as referred to in item 19.1. 1

9.3. To comply with requests from the ANPD and the Exporter, the Importer must keep a record of Access Requests, including the date, requester, purpose of the request, type of data requested, number of requests received, and legal measures taken. 

CLAUSE 20. Termination of Processing and Data Erasure 

20.1. The Parties shall delete the Personal Data subject to the International Data Transfer governed by these Clauses after the processing ends, within the technical scope and limits of the activities, with retention permitted only for the following purposes: 

a) Compliance with a legal or regulatory obligation by the Controller; 

b) Research by a Research Body, ensuring, whenever possible, the anonymization of Personal Data; 

c) Transfer to a third party, provided that the requirements set out in these Clauses and in the Brazilian Legislation are respected; and 

d) Exclusive use by the Controller, preventing third-party access, and provided that the data is anonymized. 

20.2. For the purposes of this Clause, the termination of processing shall occur when: 

a) The purpose provided in these Clauses is achieved; 

b) The Personal Data is no longer necessary or relevant to achieve the specific purpose provided in these Clauses; 

c) The processing period ends; 

d) A Data Subject’s request is fulfilled; and

 e) Determined by the ANPD, in the event of a violation of these Clauses or the Brazilian Legislation. 

CLAUSE 21. Data Processing Security 

21.1. The Parties shall adopt security measures that ensure the protection of the Personal Data subject to the International Data Transfer governed by these Clauses, even after its termination. 

21.2. The Parties shall specify the Security Measures adopted in Section III, considering the nature of the processed information, the specific characteristics and purpose of the processing, the current state of technology, and the risks to Data Subjects’ rights, especially in the case of sensitive personal data and data of children and adolescents. 

21.3. The Parties shall make the necessary efforts to adopt periodic evaluation and review measures to maintain an adequate security level according to the characteristics of data processing. 

CLAUSE 22. Legislation of the Data Recipient Country 

22.1. The Importer declares that it has not identified any laws or administrative practices of the data recipient country that prevent it from fulfilling the obligations assumed in these Clauses. 

22.2. If any normative change occurs that alters this situation, the Importer shall immediately notify the Exporter for an evaluation of the continuity of the contract. 

CLAUSE 23. Non-Compliance with the Clauses by the Importer 

23.1. In case of a breach of the safeguards and guarantees provided in these Clauses or the Importer’s inability to comply with them, the Exporter shall be notified immediately, subject to the provisions of item 19.1. 

23.2. Upon receipt of the notification referred to in item 23.1 or verification of non-compliance with these Clauses by the Importer, the Exporter shall take the necessary measures to ensure the protection of the Data Subjects’ rights and the compliance of the International Data Transfer with the Brazilian Legislation and these Clauses, which may include: 

a) Suspension of the International Data Transfer; 

b) Requesting the return of the Personal Data, its transfer to a third party, or its deletion; and 

c) Termination of the contract. 

CLAUSE 24. Choice of Forum and Jurisdiction 

24.1. These Clauses are governed by Brazilian law, and any dispute between the Parties arising from these Clauses shall be resolved before the competent courts of Brazil, subject to the forum chosen by the Parties in Section IV, if applicable. 

24.2. Data Subjects may file lawsuits against the Exporter or the Importer, at their discretion, before the competent courts in Brazil, including those located in their place of residence. 

24.3. The Parties may mutually agree to use arbitration to resolve disputes arising from these Clauses, provided that it takes place in Brazil and in accordance with the provisions of the Arbitration Law. 

Section III – Security Measures 

(Note: This Section should include a detailed description of the security measures adopted, including specific measures for the protection of sensitive data and data of children and adolescents. The measures may cover, among other things, the following aspects as indicated in the table below). 

(i) Governance and supervision of internal processes: 

(ii) Technical and administrative security measures, including measures to ensure the security of operations such as data collection, transmission, and storage: 

Section IV – Additional Clauses and Annexes 

(Note: In this Section, which is optional for completion and disclosure, Additional Clauses and Annexes may be included at the Parties’ discretion to address, among other things, commercial issues, contract termination, duration, and choice of forum in Brazil. As provided in the International Data Transfer Regulation, the Clauses established in this Section or in Linked Contracts may not exclude, modify, or contradict, directly or indirectly, the Clauses set forth in Sections I, II, and III). 

Location, date. 

Signatures.