Resolution No. 19/2024 of the National Data Protection Authority (ANPD), published in August 2024, regulated the mechanisms permitted for the international transfer of personal data.

Among the mechanisms established, the possibility of using Standard Contractual Clauses (SCCs) stands out as a legal basis for the transfer of data to countries that have not yet been recognized as adequate by the ANPD.

With the publication of the Resolution, the ANPD determined that companies already carrying out this type of operation should comply by incorporating the standard clauses approved by the authority into existing contracts. The deadline for compliance ended on August 23, 2025.

The adoption of the clauses must be carried out in full and without changes to the content established by the ANPD. Clauses that conflict with the provisions set out in the SCCs must also be reviewed to ensure their legal effectiveness.

The obligation applies, for example, to companies that share personal data with cloud service providers, international platforms, technology suppliers, or technical support providers located abroad. Even contracts already in force must be updated within the deadline.

In addition to contractual compliance, the Resolution requires greater transparency. Organizations must clearly and accessibly disclose the occurrence of international transfers in their privacy policies, indicating the countries involved, the legal basis used, the processing agents, and the protection mechanisms adopted.

Failure to comply with the requirements defined by the ANPD may result in administrative liability under the LGPD.

For companies operating in global technology ecosystems, compliance with the Resolution is not only a regulatory obligation but also an indicator of maturity in data governance and a commitment to security and trust.