CHAPTER V
INTERNATIONAL TRANSFER OF DATA
Art. 33.
International transfer of personal data is only allowed in the
following cases:
I - to countries or international organizations that provide a level of
protection of personal data that is adequate to the provisions of this Law;
II – when the controller offers and proves guarantees of compliance with the
principles and the rights of the data subject and the regime of data
protection provided in this Law, in the form of:
a) specific contractual clauses for a given transfer;
b) standard contractual clauses;
c) binding corporate rules6;
d) regularly issued stamps, certificates and codes of conduct;
III – when the transfer is necessary for international legal cooperation
between public intelligence, investigative and prosecutorial agencies, in
accordance with the instruments of international law;
IV – when the transfer is necessary to protect the life or physical safety
of the data subject or of a third party;
V– when the national authority authorizes the transfer;
VI – when the transfer results in a commitment undertaken through
international cooperation;
VII – when the transfer is necessary for the execution of a public policy or
legal
attribution of public service, which shall be publicized pursuant to item I
of the lead sentence of Art. 23 of this Law;
VIII – when the data subject has given her/his specific and highlighted
consent for the transfer, with prior information about the international
nature of the operation, with this being clearly distinct from other
purposes; or
IX – when it is necessary to satisfy the situations provided in items II, V
and VI
of Art. 7 of this Law.
Sole paragraph. For purposes of item I of this article, the legal entities
of public law referred to in the sole paragraph of Art. 1 of Law No. 12,527,
of November 18, 2011 (the “Brazilian Access to Information Law”), within
their legal capabilities, and those parties accountable, within the scope of
their activities, may request the national authority to evaluate the level
of protection of personal data provided by a country or international
organization.
Art. 34.
The level of data protection in the foreign country or
international organization referred to in item I of the lead sentence of
Art. 33 of this Law shall be evaluated by the national authority, which
shall take into consideration:
I – the general and sectorial rules of legislation in force in the receiving
country or international organization;
II – the nature of the data;
III – the compliance with the general principles of personal data protection
and data subjects’ rights as provided in this Law;
IV – the adoption of security measures as provided in regulation;
V – the existence of judicial and institutional guarantees for respecting
the rights concerning personal data protection; and
VI – other specific circumstances relating to the transfer.
Art. 35.
The definition of the content of standard contractual clauses, as
well as the verification of specific contractual clauses for a particular
transfer, binding corporate rules or stamps, certificates and codes of
conduct, referred to in item II of the lead sentence of Art. 33 of this Law,
will be done by the national authority.
§1 To verify the provision of the lead sentence of this article, one must consider the
requirements, conditions and minimum guarantees for the transfer that are in accordance with the rights, guarantees and principles of this Law.
§2 Analysis of contractual clauses, documents or global corporate rules submitted to the national authority for approval, supplementary information or due diligences performed for verification of the processing operations may be required, when necessary.
§3 The national authority may designate certification entities to carry out the provisions of the lead sentence of this article, which shall remain under their inspection and subject to the terms defined in regulation.
§4 Acts carried out by certification entities may be reviewed by the national authority and, if they are not in compliance with this Law, submitted for revision or voided.
§5 Guarantees that are sufficient for compliance with the general principles of protection and data subject’s rights referred to in the lead sentence of this article shall also be analyzed in accordance with the technical and organizational measures adopted by the processor, according to the provisions of §§1 and 2 of Art. 46 of this Law.
Art. 36.
Changes to guarantees presented as sufficient for compliance with the general principles of protection and of the data subject’s rights referred to in item II of Art. 33 of this Law shall be communicated to the national authority.