RESOLUTION CD/ANPD No. X, OF XX OF XXXXXXXXXXX OF 2023

Approves the Regulation on International Transfer of Personal Data and the Standard Contractual Clauses Model

THE BOARD OF DIRECTORS OF THE NATIONAL DATA PROTECTION AUTHORITY (ANPD), based on the competencies provided in Article 55-J, item XIII, of Law No. 13,709, of August 14, 2018, Article 2, item XIII, of Annex I of Decree No. 10,474, of August 26, 2020, Article 5, item I of the Internal Regulations of ANPD, and considering the deliberation taken in Deliberative Circuit No. XX/2022, and as per the information in process No. 00261.000968/2021-06, RESOLVES:

Article 1. Approve, in the manner of Annexes I and II, the Regulation on International Data Transfer to a foreign country or international organization of which the Country is a member, and the standard contractual clause models, as provided in Article 33, I and II, subparagraphs a, b, and c, Article 34, Article 35, heading and §§ 1, 2, and 5, and Article 36 of Law No. 13,709, of August 14, 2018 - General Law for the Protection of Personal Data (LGPD).

Article 2. This Resolution shall come into effect on the date of its publication.

Sole Paragraph. Data processing agents that perform international data transfers through standard contractual clauses must incorporate the clauses approved by ANPD into their respective contractual instruments within up to 180 (one hundred and eighty) days from the publication date of this Resolution.

WALDEMAR GONÇALVES ORTUNHO JUNIOR
Director-President

ANNEX I
REGULATION ON INTERNATIONAL TRANSFER OF PERSONAL DATA

CHAPTER I
GENERAL PROVISIONS

Article 1. This Regulation establishes the procedures and rules applicable to international data transfer operations carried out:

I  to countries or international organizations that provide an adequate level of protection for personal data, comparable to that provided for in the LGPD; and

II  in cases where the controller offers and proves guarantees of compliance with the principles, rights of the holder and the data protection regime provided for in the LGPD, in the form of:

a) specific contractual clauses for a given transfer;

b) standard contractual clauses; or

c) binding corporate rules;

Sole paragraph. The provisions in this Regulation do not exclude the possibility of carrying out an international data transfer based on the other modalities provided in article 33 of the LGPD, as long as the specificities of the particular case and the applicable legal requirements are met.

Article 2. The international data transfer shall be carried out in accordance with the provisions in LGPD and in this Regulation, subject to the following guidelines:

I  guarantee of compliance with the principles, the data subjects rights and level of protection equivalent to that provided in the national legislation, regardless the country where the personal data subject to the transfer are located, even after the end of the processing and in the cases of onward transfers;

II  adoption of procedures that are simple, interoperable and compatible with recognized international norms and good practices, which promote social and economic development and ensure the free cross-border flow of personal data with trust and respect for the data subjects rights;

III  adoption of responsibility and accountability measures by offering and proving guarantees of compliance with the principles, data subjects rights and the personal data protection regime provided in LGPD;

IV  implementation of effective transparency measures, which ensure the provision of clear, accurate and easily accessible information on the transfer to the data subjects; and

V  adoption of good practices and of prevention and security measures which are appropriate and compatible with the criticality of the data processed and with the risks involved in the operation.

CHAPTER II
DEFINITIONS

Article 3. For the purposes of this Regulation, the following definitions shall be adopted:

I  exporter: processing agent, located in the national territory or in a foreign country, who transfers personal data to the importer;

II  importer: processing agent, located in a foreign country or which is an international organization, who receives personal data from the exporter;

III  transfer: processing operation through which a processing agent transmits, shares or provides access to personal data to another processing agent;

IV  international data transfer: transfer of personal data to a foreign country or to an international organization of which the country is a member;

V  international collection of data: collection of the data subjects personal data carried out directly by the processing agent located abroad;

VI  business group or conglomerate: a group of companies, de facto or de jure, with their own legal personality, under the direction, control or administration of a natural person, a legal entity, or even a group of people, who hold, jointly or separately, power of control over the others, with proof of integrated interest, effective communion of interests and joint action of the companies that are comprised in the group;

VII  responsible entity: business company, headquartered in Brazil, which is liable for any breach of a binding corporate rule, even if resulting from an act by a member of the economic group headquartered in another country;

VIII  modality of international data transfer: hypotheses provided in items I to IX of article 33 of the LGPD authorizing an international data transfer; and

IX  international organization: organization governed by public international law, including its subordinate bodies or any other body created through an agreement signed between two or more countries.

CHAPTER III
INTERNATIONAL DATA TRANSFER

Section I
General requirements

Article 4. For international transfer of personal data, processing agents shall present sufficient conditions and guarantees of compliance with the general principles of protection, the data subjects rights and the data protection regime provided in LGPD.

Sole paragraph. Sufficient guarantees of compliance with the general principles for protection and with the data subjects rights referred to in the head provision of this article shall also be analyzed in accordance with the technical and organizational measures adopted by the processing agent, according to the provisions in paragraphs 1 and 2 of article 46 of LGPD.

Article 5. The controller shall verify, under the terms of LGPD and of this Regulation, whether the processing operation:

I  characterizes international data transfer;

II  submits to the national legislation for the protection of personal data; and

III  is supported by a valid legal hypothesis and by a valid international transfer modality.

Paragraph 1. Processor shall assist to the controller by conveying information at its disposal and which are required to comply with the provisions of the head provision of this article.

Paragraph 2. Both controller and processor shall adopt effective measures capable of demonstrating observance of and compliance with personal data protection rules and the effectiveness of such measures, in a manner which is compatible with the level of risk of the processing and with the modality of international transfer used.

Section II
Characterization of the International Data Transfer

Article 6. The international data transfer shall be characterized when the exporter transfers personal data to the importer.

Article 7. International data collection does not characterize international data transfer.

Sole paragraph. The international data collection shall observe the provisions of LGPD when any of the hypotheses indicated in article 3 of the Law is identified.

Section III
Application of the National Legislation for the Protection of Personal Data

Article 8. The international data transfer shall be carried out in accordance with the provisions of LGPD and this Regulation, whenever:

I  the processing operation takes place within the Brazilian territory, except for the provisions of item IV of the head provision of article 4 of LGPD;

II  the processing activity aims offering or supplying goods or services, or at the processing of data of individuals located in the Brazilian territory; or

III  the personal data being processed have been collected within the Brazilian territory.

Sole paragraph. The application of national legislation to international data transfer is independent of the means used to carry it out and of the country in which the processing agents are based or where the data are located.

Section IV
Legal Hypothesis and Modality of Transfer

Article 9. The international data transfer shall only be carried out for legitimate, specific and explicit purposes informed to the data subject, with no possibility of subsequent processing incompatible with such purposes, and provided that it is supported by:

I  one of the legal hypotheses provided in articles 7 or in article 11 of LGPD; and

II  one of the following valid modalities of carrying out the international transfer:

a) for countries or international organizations that provide a degree of protection of personal data equivalent to that provided in the LGPD and in complementary rules, as recognized by an adequacy decision of the ANPD;

b) standard contractual clauses, binding corporate rules or specific contractual clauses, in the form of this Regulation; or

c) in the hypotheses provided in items II(d), and III to IX of article 33 of LGPD.

Sole paragraph. The international data transfer shall be limited to the minimum required for the accomplishment of its purposes, encompassing pertinent, proportional and non-excessive data in relation to the data processing purposes.

CHAPTER IV
ADEQUACY DECISION

Article 10. ANPD may recognize, by means of an adequacy decision, the equivalence of the level of personal data protection of a foreign country or an international organization with that provided for in national data protection legislation, in accordance with the provisions set forth in the LGPD and in this Regulation.

Article 11. The assessment of the level of personal data protection of a foreign country or an international organization shall take into account:

I the general and sectoral rules and regulations in force in the destination country or in the international organization;

II the nature of the data;

III compliance with the general principles of personal data protection and the rights of data subjects provided for in the LGPD;

IV the adoption of adequate security measures to minimize impacts on civil liberties and fundamental rights of data subjects;

V the existence of judicial and institutional guarantees to ensure observance of personal data protection rights; and

VI other specific circumstances relating to the transfer of personal data.

§ 1 The assessment of the rules and regulations referred to in item I of the head provision of this article will be limited to the legislation that directly applies to or generates relevant impacts on the processing of personal data and the rights of data subjects, and may encompass, if necessary, the review of supplementary rules and regulations.

§ 2 For the purposes of the provisions set forth in item III of the head provision of this article, the assessment shall determine whether the local legislation establishes obligations for processing agents to implement adequate security measures, considering the nature of the data and the associated processing risks, in addition to other relevant factors, in conformity with the parameters established in the LGPD.

§ 3 For the purposes of item V of this article, the assessment shall take into consideration, in addition to other relevant institutional guarantees, the existence and effective operation of an independent regulatory body, with powers to enforce data protection rules and regulations and to ensure observance of data subjects rights.

§ 4 ANPD may determine, through the issuance of guidelines or supplementary rules and regulations, the criteria for assessing the level of personal data protection, as established in the head provision of this article.

§ 5 The guidelines and supplementary rules and regulations referred to in § 4 shall be formulated with the purpose of providing technical, legal, and organizational directions that support the correct application of adequacy criteria to protect the rights and guarantees of data subjects.

Article 12. The assessment of the level of protection of personal data shall address the risks and benefits provided by the adequacy decision, acknowledging, inter alia, the guarantee of the principles, the rights of data subjects, and the regime of data protection provided for in the LGPD in addition to the impacts on the international flow of data, diplomatic relations and international cooperation between Brazil and other countries and international organizations.

Sole paragraph. ANPD shall prioritize the assessment of the level of data protection of foreign countries or international organizations that ensure reciprocal treatment to Brazil, and whose recognition of an adequate level of data protection provides for an increase in the free flow of cross border transfers of personal data between both countries.

Article 13. The procedure for the issuance of an adequacy decision shall:

I  commence after a decision of the Board of Directors, entered by the Boards own initiative or upon the request of the legal entities governed by public law referred to in Sole paragraph of Article 1 of Law No. 12,527, of November 18, 2011;

II  be supported by evidence produced by the responsible technical area, as established in ANPDs Internal Regulations, which shall make a statement regarding the merits of the decision, indicating, if applicable, the conditions that must be observed; and
III  be subject to a final decision of the Board of Directors after the issuance of a statement of the Prosecutors Office, as established in ANPDs Internal Regulations.

Paragraph 1. The Ministry of Foreign Affairs shall be notified of the outset of the case, being allowed to present a statement in the records, within the scope of its legal powers.

Paragraph 2. The adequacy decision shall be entered in a Resolution of the Board of Directors and published in ANPDs website.

Paragraph 3. The Board of Directors may issue supplementary regulations regarding the procedures for the issuance of an adequacy decision, the procedures of periodic reassessment of protection levels, and of the review of adequacy decisions.

CHAPTER V

STANDARD CONTRACTUAL CLAUSES

Section I
General Provisions

Article 14. The standard contractual clauses, prepared and approved by ANPD in the form of Annex II, establish minimum guarantees and valid conditions for carrying out an international data transfer based on item II(b) of article 33 of LGPD.

Sole paragraph. The standard contractual clauses aim to guarantee the adoption of adequate safeguards for compliance with the principles, the data subjects rights and the data protection regime provided in LGPD, including the determinations of ANPD.

Article 15. The validity of the international data transfer presupposes the full adoption of the text of the standard contractual clauses available in Annex II, with no alterations whatsoever, through a contractual instrument signed between the exporter and the importer.

Paragraph 1. The standard contractual clauses may be:

I used as part of a specific agreement to govern the international data transfer; or

II included into a broader object agreement.

Paragraph 2. In the events of items I and II of paragraph 1 of this article, any additional clauses and other provisions set forth in the contractual instrument or in related contracts signed between the Parties may not exclude, modify or contradict, directly or indirectly, the provisions of the standard contractual clauses.

Paragraph 3. In the event of item II of paragraph 1 of this article, Sections I, II and III of the standard contractual clauses provided in Annex II shall be completed and included into the annexes of the contract signed by the exporter and the importer.

Article 16. The processing agent designated in the standard contractual clauses shall make available to the data subject, upon request, the contractual instrument used to carry out the international data transfer, complying with trade and industrial secrets.

Paragraph 1. The processing agent referred to in the head provision shall also publish, on its website, a document containing information written in Portuguese, in plain, clear, accurate and accessible language on the conduction of the international data transfer, including at least information on:

I the form, duration and specific purpose of the international transfer;

II the destination country of the transferred data;

III the controllers identification and contact details;

IV the shared use of data by the controller and its purpose;

V the responsibilities of the agents who shall conduct the processing; and

VI the data subjects rights and the means for exercising them, including an easily accessible channel and the right to file a petition against the controller before ANPD.

Paragraph 2. The document referred to in paragraph 1 may be made available on a specific website page or integrated, in a distinguishable and easily accessible format, to the Privacy Policy or equivalent instrument.

Section II
Equivalent Standard Contractual Clauses

Article 17. ANPD may recognize the equivalence of standard contractual clauses from other countries or international organizations with the clauses provided in Annex II.

Paragraph 1. The procedure referred to in the head provision:

I may be initiated ex officio or upon the request of the interested parties;

II shall be instructed by the competent technical area, under the terms of the Internal Regulations of the ANPD, which shall express their views on the merits of the equivalence proposal, indicating the conditions to be observed, if applicable; and

III shall be subject of deliberation by the Board of Directors, after the Prosecution Office express their views, in accordance with ANPDs Internal Regulations.

Paragraph 2. The Board of Directors may determine that a public consultation is carried out during the procedure provided for in Paragraph 1.

Paragraph 3. The request sent to ANPD shall be accompanied by the following documents and information:

I full content of the standard contractual clauses, translated into Portuguese;

II applicable relevant legislation or any relevant document, including guides and guidelines issued by the respective authority for the protection of personal data; and

III analysis of compatibility with the provisions of both the LGPD and this Regulation, which includes a comparison between the content of national clauses and those for which recognition of equivalence is requested.

Article 18. The decision on the equivalence proposal shall consider, among other relevant circumstances:

I whether the standard contractual clauses are compatible with the provisions of both LGPD and this Regulation, as well as whether they ensure a level of data protection equivalent to that guaranteed by the national standard contractual clauses; and

II the risks and benefits provided by the approval, considering, among other aspects, the guarantee of the principles, the data subjects rights and the data protection regime provided in LGPD, in addition to the impacts on the international flow of data, diplomatic relations and Brazils international cooperation with other countries and international organizations.

Sole paragraph. For the purposes of the provisions of item II of the head provision, ANPD shall prioritize the approval of clauses which could be used on scale by other processing agents which carry out international data transfers in similar circumstances.

Article 19. Standard contractual clauses recognized as equivalent shall be approved by a Resolution of the Board of Directors and published on ANPDs website on the Internet.

Sole paragraph. Standard contractual clauses recognized as equivalent constitute a valid modality for carrying out international data transfers, pursuant to article 33, II, b, of LGPD, subject to the conditions established in the decision of the Board of Directors.

CHAPTER VI
SPECIFIC CONTRACTUAL CLAUSES

Article 20. Due to the uniqueness of certain international data transfers, the controller may request ANPD to approve specific contractual clauses, which offer and prove guarantees of compliance with the principles, the data subjects rights and the data protection regime provided in LGPD and in this Regulation.

Paragraph 1. The specific contractual clauses shall only be approved for international data transfers which cannot be carried out based on the standard contractual clauses, due to de facto or de jure exceptional circumstances, duly proven by the controller.

Paragraph 2. In any case, the specific contractual clauses shall provide for the application of the national legislation for the protection of personal data to the international data transfer and its submission to the supervision of ANPD.

Article 21. The controller shall present the contractual instrument which shall govern the international data transfer, containing the specific clauses, for approval by ANPD.

Paragraph 1. ANPDs analysis shall consider, among other relevant circumstances:

I whether the specific clauses are compatible with the provisions of both LGPD and this Regulation, as well as whether they ensure a level of data protection equivalent to that guaranteed by national standard contractual clauses; and

II the risks and benefits provided by the approval, considering, among other aspects, the guarantee of the principles, the data subjects rights and the data protection regime provided in LGPD, in addition to the impacts regarding the international flow of data, diplomatic relations and Brazils international cooperation with other countries and international organizations.

Paragraph 2. For the purposes of the provisions of item II of Paragraph 1, ANPD shall prioritize the approval of specific clauses which could also be used by other processing agents who carry out international data transfers in similar circumstances.

Article 22. In the contractual instrument submitted for ANPDs approval, the controller shall:

I adopt, whenever possible, the wording of standard contractual clauses; and

II indicate the specific clauses adopted, with the corresponding justification, pursuant to article 20.

Article 23. Specific contractual clauses shall be submitted for ANPDs approval, under the terms of the process described in Chapter VII.

CHAPTER VII
BINDING CORPORATE RULES

Article 24. Binding corporate rules are intended for international data transfers between organizations of the same economic group, having a binding character upon all members of the group.

Article 25. Binding corporate rules shall be linked to the establishment and implementation of a privacy governance program which shall, at least:

I demonstrate the controllers commitment to adopt internal processes and policies which ensure broad compliance with rules and good practices concerning personal data protection;

II apply to the complete set of personal data under its control, regardless the way it was collected;

III be adapted to the structure, scale and volume of its operations, as well as to the sensitivity of the processed data;

IV establish appropriate policies and safeguards based on a process of systematic assessment of impacts and risks to the privacy and protection of personal data;

V intend to establish a relationship of trust with the data subject, by means of transparent actions which ensure mechanisms for the data subjects participation;

VI be integrated to the governance general structure and establish and apply internal and external supervision mechanisms;

VII have incident response plans and remediation; and

VIII be constantly updated based on information obtained from continuous monitoring and periodic assessments.

Article 26. In addition to complying with the provisions of article 25, binding corporate rules shall contain, at least:

I specification of the categories of international data transfers which the instrument applies to, including the categories of personal data, the processing operation and its purposes, the legal hypothesis and the types of data subjects;

II identification of the countries which the data are transferred to;

III structure of the business group or conglomerate, containing the list of bound entities, the role played by each one of them in the processing and the contact details of each organization which processes personal data;

IV determination of the binding nature of the binding corporate rule for all members of the economic group, including its employees;

V delimitation of the responsibilities for the processing, with the indication of the responsible entity;

VI indication of the applicable data subjects rights and the means for exercising them, including an easily accessible channel and the right to file a petition against the controller before ANPD, after the data subject has proven that a complaint to the controller that has not been solved within the period established in regulation;

VII rules on the process for the reviewing of binding corporate rules and provision for submission to ANPDs prior approval; and

VIII provision for communication to ANPD in case of changes in the guarantees presented as sufficient of compliance with the principles, the data subjects rights and the data protection regime provided in LGPD, especially in the event in which one of the group members is subject to a foreign legal determination which prevents compliance with binding corporate rules.

Paragraph 1. For the purposes of compliance with item VIII, the binding corporate rule shall provide for the obligation of immediate notification to the responsible entity whenever a member located in another country is subject to a legal determination which prevents compliance with binding corporate rules, except in the case of express legal prohibition to make such notification.

Paragraph 2. For the purposes of item VI, any request related to the compliance with the binding corporate rule shall be answered within the period provided in LGPD and in specific regulations.

Paragraph 3. Binding corporate rules constitute a valid modality for carrying out international transfers of personal data only for organizations or countries included by the binding corporate rules.

Article 27. Binding corporate rules shall be submitted for ANPDs approval, pursuant to the process described in Chapter VII.

CHAPTER VIII
APPROVAL PROCESS OF SPECIFIC CONTRACTUAL CLAUSES AND BINDING CORPORATE RULES

Article 28. The approval request of specific contractual clauses or binding corporate rules shall be instructed, as applicable, with:

I draft of the contract or of the corporate rule;

II constitutional documents of the processing agent or economic group; and

III demonstration of compliance with the requirements set forth in Chapters V or VI of this Regulation.

Article 29. The approval request of specific contractual clauses or binding corporate rules:

I shall be analyzed by the competent technical area, under the terms of the Internal Regulations of the ANPD, which shall express their views on the merits of the request, indicating the conditions to be observed, if applicable; and

II shall be subject of deliberation by the Board of Directors, after the Prosecution Office express their views, in accordance with ANPDs Internal Regulations.

Paragraph 1. In the analysis of specific contractual clauses or binding corporate rules submitted for ANPDs approval, presentation of other documents and supplementary information may be requested, or procedures of verification of the processing operations may be carried out, whenever necessary.

Paragraph 2. In case the documents and supplementary information requested are not presented, the process shall be summarily archived, by decision of the competent technical area.

Article 30. A duly reasoned reconsideration request may be presented, within 10 (ten) business days, by virtue of the Board of Directors decision which deny the approval of specific contractual clauses or binding corporate rules.

Sole paragraph. The reconsideration request will be distributed and processed in accordance with ANPDs Internal Regulations.

Article 31. ANPD shall publish the list of approved specific contractual clauses and binding corporate rules on its website.

Sole paragraph. ANPD may publish the full text of specific contractual clauses in cases where these clauses may be used by other processing agents, complying with trade and industrial secrets.

Article 32. The processing agent shall make the specific contractual clauses and binding corporate rules available to the data subject, upon request, and publish on its website a document written in plain language on the conduction of the international data transfer, as provided in article 12 of this Regulation, subject to the conditions established in the approval decision.

Article 33. Changes to specific contractual clauses and binding corporate rules depend on ANPDs prior approval, observing the procedure described in this Chapter.

Sole paragraph. The Board of Directors may establish a simplified procedure for approving changes which do not affect the guarantees presented as sufficient of compliance with of the principles, the data subjects rights and the data protection regime provided in LGPD.

CHAPTER IX
FINAL PROVISIONS

Article 34. The international data transfer processes referred to in this Regulation may be analyzed in an aggregate form, and any measures arising therefrom may be adopted in a standardized format.

ANNEX II
STANDARD CONTRACTUAL CLAUSES

(Note: As provided in the Annex I International Data Transfer Regulation, the Clauses in this Annex may be used as part of a specific agreement to govern the international transfer of personal data or included into a broader agreement).

SECTION I GENERAL INFORMATION

(NOTE: This Section contains Clauses that may be supplemented by the Parties, exclusively in the spaces indicated and in accordance with the guidelines presented. The definitions of the terms used in these Clauses are detailed in CLAUSE 6).

CLAUSE 1. Identification of the Parties

1.1. By this agreement, the Exporter and the Importer (hereinafter, Parties), identified below, have agreed to these standard contractual clauses (hereinafter, Clauses) approved by the National Data Protection Authority ANPD, to govern the International Data Transfer described in CLAUSE 2, in accordance with the provisions of the National Legislation.

 Exporter (Controller)            Exporter (Processor) 

(NOTE: check the option corresponding to Controller or Processor and fill in the identification information, as indicated in the table.)

  Importer (Controller)                   Importer (Processor)

(NOTE: check the option corresponding to Controller or Processor and fill in the identification information, as indicated in the table.)

CLAUSE 2. Object and Scope of application

2.1 This agreement shall apply to International Transfers of Personal Data between Data Exporters and Data Importers, as described below.

Description of the international transfer

(NOTE: fill in as much detail as possible with the information regarding the international transfer)

CLAUSE 3. Onward Transfers

(NOTE: choose between OPTION A and OPTION B, as appropriate.)

 OPTION A. 3.1. The Importer may not carry out an Onward Transfer of Personal Data subject to the International Data Transfer governed by these Clauses.

 OPTION B. 3.1. The Importer may carry out an Onward Transfer of Personal Data subject to the International Data Transfer governed by these Clauses, in the cases and according to the conditions described below and the provisions of CLAUSE 18.

(NOTE: fill in as much detail as possible with information regarding authorized onward transfers)

CLAUSE 4. Designated Party

(NOTE: choose between OPTION A and OPTION B, as appropriate.)

 OPTION A. 4.1. Without prejudice to the duty of mutual assistance and the general obligations of the Parties, the Designated Party below shall be primarily responsible for complying with the following obligations set forth in these Clauses:

(NOTE: in items a, b and c mark the option corresponding to Exporter, Importer or both, as appropriate.)

a) Responsible for publishing the document provided in CLAUSE 14;

 Exporter       Importer

b) Responsible for responding to requests from Data Subjects dealt with in CLAUSE 15:

 Exporter       Importer

c) Responsible for notifying the security incident provided in CLAUSE 16:

 Exporter       Importer

4.2. For the purposes of these Clauses, if the Designated Party pursuant to item 4.1. is the Processor, the Controller remains responsible for:

a) the compliance with the obligations provided in CLAUSES 14, 15 and 16 and other provisions established in the National Legislation, especially in case of omission or non compliance with the obligations by the Designated Party;

b) complying with ANPD determinations; and

c) the guarantee of the Data Subjects rights and the repairing of the damage caused.

 OPTION B. (NOTE: Option B is exclusive for international data transfers carried out between processors and shall only be valid upon the authorization and the signature of the Clauses by the Third Party Controller, in the form of item 4.2)

4.1. Considering that both Parties act exclusively as Processors within the scope of the International Data Transfer governed by these Clauses, the Exporter declares and guarantees that the transfer is carried out with the authorization and in accordance with the written instructions provided by the Third Party Controller

(NOTE: fill in as much detail as possible with the identification and contact information of the Third Party Controller and, if applicable, of the Related Contract).

4.2. The undersigned Third Party Controller authorizes the carrying out of the international transfer according to their instructions, in accordance with the provisions of these Clauses and of any Related Agreement signed with the Exporter.

4.3. Without prejudice to the duty of mutual assistance and the general obligations of the Parties, the Designated Party below shall be primarily responsible for complying with the following obligations set forth in these Clauses:

(NOTE: in items a, b and c mark the option corresponding to Exporter, Third Party Controller or both, as appropriate.)

a) Responsible for publishing the document provided in CLAUSE 14;

 Exporter        Third Party Controller

b) Responsible for responding to requests from Data Subjects dealt with in CLAUSE 15:

 Exporter        Third Party Controller

c) Responsible for notifying the security incident provided in CLAUSE 16:

 Exporter        Third Party Controller

4.4 The Importer shall provide all the information at their disposal and which prove necessary so that the Exporter or the Third Party Controller, as appropriate, can properly comply with the obligations set forth in item 4.3.

4.5. Even if the Designated Party in the form of item 4.3. is the Exporter, the undersigned Third Party Controller shall remain responsible for:

a) the compliance with the obligations provided in CLAUSES 14, 15 and 16 and other provisions established in the National Legislation, especially in case of omission or non compliance with the obligations by the Designated Party;

b) complying with ANPD determinations; and

c) the guarantee of the Data Subjects rights and the repairing of the damage caused.

SECTION II MANDATORY CLAUSES

(NOTE: This Section contains Clauses which shall be adopted in full and without any change in their text to ensure the validity of the international data transfer).

CLAUSE 5. Purpose

5.1 These Clauses are presented as a mechanism which enables a safe international flow of personal data, establish minimum guarantees and valid conditions for carrying out an International Data Transfer and aim at guaranteeing the adoption of adequate safeguards for compliance with the principles, the Data Subjects rights and the data protection regime provided in the National Legislation.

CLAUSE 6. Definitions

6.1. For the purposes of these Clauses, the definitions of article 5 of the LGPD, of the Regulation on the International Transfer of Personal Data and of other normative acts issued by the ANPD shall be considered. The Parties further agree to consider the terms and their respective meanings, as set out below:

a) Processing agents: the controller and the processor;

b) ANPD: National Data Protection Authority;

c) Clauses: the standard contractual clauses approved by the ANPD, which are part of SECTIONS I, II and III;

d) Related Contract: contractual instrument signed between the Parties or, at least, between one of them and a third party, including a Third Party Controller, which has a common purpose, link or dependency relationship with the contract that governs the International Data Transfer;

e) Controller: Party or third party (Third Controller) responsible for decisions regarding the processing of Personal Data;

f) Personal Data: information related to an identified or identifiable natural person;

g) Sensitive Personal Data: personal data on racial or ethnic origin, religious belief, political opinion, affiliation to trade unions or to a religious, philosophical or political organization, data regarding health or sexual life, genetic or biometric data, whenever related to a natural person;

h) deletion: exclusion of data or dataset from a database, regardless of the procedure used;

i) Exporter: processing agent, located in the national territory or in a foreign country, who transfers personal data to the Importer;

j) Importer: processing agent, located in a foreign country, who receives personal data from the Exporter;

k) National Legislation: set of Brazilian constitutional, legal and regulatory provisions regarding the protection of Personal Data, including the LGPD, the International Data Transfer Regulation and other normative acts issued by the ANPD;

l) Arbitration Law: Law No. 9,307, of September 23, 1996;

m) LGPD: General Data Protection Law (Brazilian Federal Law No. 13,709, of August 14, 2018);

n) Security Measures: technical and administrative measures able to protect Personal Data from unauthorized access and from accidental or unlawful events of destruction, loss, alteration, communication or dissemination;

o) Research Body: body or entity of the government bodies or associated entities or a non profit private legal entity legally established under Brazilian laws, having their headquarter and jurisdiction in the Brazilian territory, which includes basic or applied research of historical, scientific, technological or statistical nature in its institutional mission or in its corporate or statutory purposes;

p) Processor: Party or third party, including a Sub processor, which processes Personal Data on behalf of the Controller;

q) Designated Party: Party or a Third Party Controller, under the terms of CLAUSE 4, designated to fulfill specific obligations regarding transparency, Data Subjects rights and notifying security incidents;

r) Parties: Exporter and Importer;

s) Access Request: request for mandatory compliance, by force of law, regulation or determination of public authority, to grant access to the Personal Data subject to the International Data Transfer governed by these Clauses;

t) Sub processor: processing agent hired by the Importer, with no link with the Exporter, to process Personal Data after an International Data Transfer;

u) Third Party Controller: Personal Data Controller who authorizes and provides written instructions for the carrying out of the International Data Transfer between Processors governed by these Clauses, on his behalf, pursuant to Clause 4 (Option B);

v) Data Subject: natural person to whom the Personal Data which are subject to the International Data Transfer governed by these Clauses relate;

w) Transfer: processing modality through which a processing agent transmits, shares or provides access to Personal Data to another processing agent;

x) International Data Transfer: transfer of Personal Data to a foreign country or to an international organization which Brazil is a member of; and

y) Onward Transfer: transfer of Personal Data, within the same country or to another country, by an Importer to a third party, including a Sub processor, provided that it does not constitute an Access Request.

CLAUSE 7. Applicable legislation and ANPD supervision

7.1. The International Data Transfer subject to these Clauses shall subject to the National Legislation and to the supervision of the ANPD, including the power to apply preventive measures and administrative sanctions to both Parties, as appropriate, as well as the power to limit, suspend or prohibit the international transfers arising from this agreement or a Related Agreement.

CLAUSE 8. Interpretation

8.1. Any application of these Clauses shall occur in accordance with the following terms:

a) these Clauses shall always be interpreted more favorably to the Data Subject and in accordance with the provisions of the National Legislation;

b) in case of doubt about the meaning of any term in these Clauses, the meaning which is most in line with the National Legislation shall apply;

c) no item in these Clauses, including a Related Agreement and the provisions set forth in SECTION IV, shall be interpreted as limiting or excluding the liability of any of the Parties in relation to obligations set forth in the National Legislation; and

d) provisions of SECTIONS I and II shall prevail in case of conflict of interpretation with additional clauses and other provisions set forth in SECTIONS III and IV of this agreement or in Related Agreements.

CLAUSE 9. Docking Clause

9.1. By mutual agreement between the Parties, it shall be possible for a processing agent to adhere to these Clauses, either as a Data Exporter or as a Data Importer, by completing and signing a written document, which shall form part of this contract.

9.2. On and after the Accession Date, the adhering party shall have the same rights and obligations as the originating Parties, depending on the assumed role of a Data Exporter or a Data Importer, and according to the corresponding category of processing agent.

CLAUSE 10. General obligations of the Parties

10.1. The Parties undertake to adopt and, when necessary, demonstrate the implementation of effective measures capable of demonstrating observance of and compliance with the provisions of these Clauses and the National Legislation, as well as with the effectiveness of such measures and, in particular:

a) use the Personal Data only for the specific purposes described in CLAUSE 2, with no possibility of subsequent processing incompatible with such purposes, subject to the limitations, guarantees and safeguards provided for in these Clauses;

b) guarantee the compatibility of the processing with the purposes informed to the Data Subject, according to the processing activity context;

c) limit the processing activity to the minimum required for the accomplishment of its purposes, encompassing pertinent, proportional and non excessive data in relation to the Personal Data processing purposes;

d) guarantee to the Data Subjects, subject to the provisions of CLAUSE 4:

(d.1.) clear, accurate and easily accessible information on the processing activities and the respective processing agents, complying with trade and industrial secrets;

(d.2.) facilitated and free of charge consultation on the form and duration of the processing, as well as on the integrity of their Personal Data; and

(d.3.) accuracy, clarity, relevance and updating of the Personal Data, according to the necessity and for compliance with the purpose of their processing;

e) use appropriate technical and administrative measures to prevent the occurrence of damage due to the processing of Personal Data and able to protect the Personal Data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication or dissemination;

f) not to process Personal Data for unlawful or abusive discriminatory purposes;

g) ensure that any person acting under their authority, including sub processors or any agent who collaborates with them, whether for reward or free of charge, only processes data in compliance with their instructions and with the provisions of these Clauses;

h) keep record of the Personal Data processing operations object of the International Data Transfer governed by these Clauses, and submit the relevant documentation to the ANPD, when requested.

CLAUSE 11. Sensitive personal data

11.1. In case the international transfer of personal data involves sensitive data, the Parties shall apply additional safeguards, including specific Security Measures which are proportional to the risks of the processing activity, to the specific nature of the data and to the interests, rights and guarantees to be protected, as described in SECTION III.

CLAUSE 12. Data on children and adolescents

12.1. In case the International Transfer governed by these Clauses involves Personal Data concerning children and adolescents, the Parties shall implement measures to ensure that the processing is carried out in their best interest, under the terms of the National Legislation and relevant instruments of international law.

CLAUSE 13. Legal use of data

13.1. The Exporter guarantees that the Personal Data have been collected, processed and transferred to the Importer in accordance with the National Legislation.

CLAUSE 14. Transparency

14.1. The Designated Party shall publish, on its website, a document containing easily accessible information written in simple, clear and accurate language on the conduction of the International Data Transfer, including at least information on:

a) the form, duration and specific purpose of the international transfer;

b) the destination country of the transferred data;

c) the Designated Partys identification and contact details;

d) the shared use of data by the Parties and its purpose;

e) the responsibilities of the agents who shall conduct the processing;

f) the Data Subjects rights and the means for exercising them, including an easily accessible channel made available to respond to their requests, and the right to file a petition against the Exporter and the Importer before the ANPD; and

g) Onward Transfers, including those relating to recipients and to the purpose of such transfer.

14.2. The document referred to in item 14.1. shall be made available on a specific website page or integrated, in a distinguishable and easily accessible format, to the Privacy Policy or equivalent document.

14.3. Upon request, the Parties shall make a free of charge copy of these Clauses available to the Data Subject, complying with trade and industrial secrets.

14.4. All information made available to Data Subjects, under the terms of these Clauses, shall be written in Portuguese.

CLAUSE 15. Data subjects rights

15.1. The Data subject shall have the right to obtain from the Designated Party, as regards the Personal Data subject to the International Data Transfer governed by these Clauses, at any time, and upon request, under the terms of the National Legislation:

a) confirmation of the existence of processing;

b) access to data;

c) correction of incomplete, inaccurate or outdated data;

d) anonymization, blocking or deletion of data which are unnecessary, excessive or processed in noncompliance with these Clauses and with the provisions of the National Legislation;

e) portability of data to another service or product provider, upon express request, in accordance with ANPD regulations, complying with trade and industrial secrets;

f) deletion of Personal Data processed under the Data Subjects consent, except for the events provided in CLAUSE 20;

g) information on public and private organizations with which the Parties have shared data;

h) information on the possibility of not providing consent and on the consequences of the denial;

i) revocation of consent through a free of charge and facilitated procedure, remaining ratified the processing activities carried out before the request for elimination;

j) review of decisions made solely based on automated processing of Personal Data which affects the Data Subjects interests; and

k) information on the criteria and procedures adopted for the automated decision.

15.2. The deadline for responding the requests provided in this Clause and in item 14.3. is 15 (fifteen) calendar days, except for events in which a different period is established in specific regulations of the ANPD.

15.3. In case the Data Subjects request is directed to the Party not designated as responsible for the obligations set forth in this Clause or in item 14.3., the referred Party shall:

a) inform the Data Subject of the service channel made available by the Designated Party; or

b) forward the request to the Designated Party as early as possible, to enable the response within the period provided in item 15.2.

15.4. The Parties shall immediately inform the Data Processing Agents with whom they have shared data with the correction, deletion, anonymization or blocking of the data, for them to follow the same procedure.

15.5. The Parties shall promote mutual assistance to respond to the Data Subjects requests.

CLAUSE 16. Security Incident Reporting

16.1. In the event of a security incident which may entail significant risk or damage to the Data Subjects, the Designated Party shall notify both the ANPD and the Data Subjects, as provided in National Legislation.

16.2. The notification provided in item 16.1. shall be sent as soon as reasonably feasible, as defined in specific regulations of the ANPD, and shall mention, complying with the regulations and guidelines issued by the ANPD, at least:

a) the description of the nature of the affected Personal Data;

b) information on the Data Subjects involved;

c) indication of the technical and security measures taken for data protection, complying with trade and industrial secrets;

d) the risks related to the incident;

e) the reasons for the delay, in case communication has not been immediate; and

f) the measures which have been or shall be implemented to reverse or mitigate the effects of the damage.

16.3. The Importer shall keep a record of security incidents under the terms of the National Legislation.

CLAUSE 17. Liability and damages compensation

17.1. The Party which, when performing Personal Data processing activities, causes patrimonial, moral, individual or collective damage, for violating the provisions of these Clauses and of the National Legislation, shall compensate for it.

17.2. Data Subject may claim for compensation for damage caused by any of the Parties as a result of a breach of these Clauses.

17.3. The defense of Data Subjects interests and rights may be claimed in court, individually or collectively, in accordance with the provisions in relevant legislation regarding the instruments of individual and collective protection.

17.4. The Party acting as Operator shall be jointly and severally liable for damages caused by the processing activities when it fails to comply with these Clauses or when it has not followed the lawful instructions of the Controller, except for the provisions in item 17.6.

17.5. Controllers directly involved in the processing activities which resulted in damages to the Data Subject shall be jointly and severally liable for these damages, except for the provisions in item 17.6.

17.6. Parties shall not be held liable if they have proven that:

a) they have not carried out the processing of Personal Data attributed to them;

b) although they did carry out the processing of Personal Data attributed to them, there was no violation of these Clauses; or

c) the damage results from the sole fault of the Data Subject or of a third party which is not a recipient of the Onward Transfer or not subcontracted by the Parties.

17.7. Under the terms of the National Legislation, the judge may reverse the burden of proof in favor of the Data Subject whenever, in the judges opinion, the allegation is credible, there is an economic disadvantage for the purposes of producing evidence or when the production of evidence by the Data Subject is overly burdensome.

17.8. Judicial proceedings for compensation for collective damages which intend to establish liability under the terms of this Clause may be collectively conducted in court, with due regard for the provisions in relevant legislation.

17.9. The Party which pays compensation for the damage to the Data Subject shall be entitled to claim back from the other liable parties to the extent of their participation in the damaging event.

CLAUSE 18. Safeguards for Onward Transfer

18.1. The Importer shall only carry out Onward Transfers of Personal Data subject to the International Data Transfer governed by these Clauses if expressly authorized, in accordance with the terms and conditions described in CLAUSE 3.

18.2. In any case, the Importer:

a) shall ensure that the purpose of the Onward Transfer is compatible with the specific purposes described in CLAUSE 2;

b) shall guarantee, by means of a written contractual instrument, that the safeguards provided in these Clauses shall be ensured by the third party recipient of the Onward Transfer; and

c) for the purposes of these Clauses, and regarding the Personal Data transferred, shall be considered responsible for any eventual irregularities committed by the third party recipient of the Onward Transfer.

18.3. The Onward Transfer shall also be carried out based on another valid modality of International Data Transfer provided in National Legislation.

CLAUSE 19. Access Request Notification

19.1. The Importer shall notify the Exporter and the Data Subject of any Access Request related to the Personal Data transferred pursuant to these Clauses unless the law of the country where the data is processed prohibits them to do so.

19.2. The Importer shall implement the appropriate legal measures, including legal actions, to protect the rights of the Data Subjects whenever there is adequate legal basis to question the legality of the Access Request and, if applicable, the prohibition of issuing the notification referred to in item 19.1.

19.3. To comply with both the ANPDs and the Exporters requests, the Importer shall keep a record of Access Requests, including date, requester, purpose of the request, type of data requested, number of requests received and legal measures implemented.

CLAUSE 20. Ending of processing and deletion of data

20.1. Parties shall delete the personal data subject to the International Data Transfer governed by these Clauses after the ending of their processing, being their storage authorized only for the following purposes:

a) compliance with a legal or regulatory obligation by the Controller;

b) study by a Research Body, guaranteeing, whenever possible, the anonymization of personal data;

c) transfer to a third party, upon compliance with requirements set forth in these Clauses and in the National Legislation; and

d) exclusive use of the Controller, being the access by a third party prohibited, and provided data have been anonymized.

20.2. For the purposes of this Clause, processing of personal data shall cease when:

a) the purpose set forth in these Clauses has been achieved;

b) Personal Data are no longer necessary or pertinent to attain the intended specific purpose set forth in these Clauses;

c) the agreed data processing period has expired, even after the termination of this contract;

d) Data Subjects request is met; and

e) demanded by the ANPD.

CLAUSE 21. Data processing security

21.1. Parties shall implement Security Measures which guarantee sufficient protection of confidentiality, integrity and availability of the Personal Data subject to the International Data Transfer governed by these Clauses, even after its conclusion.

21.2. Parties shall inform, in SECTION III, the Security Measures implemented, considering the nature of the processed information, the specific characteristics and the purpose of the processing, the technology current state and the probability and severity of the risks to the Data Subjects rights, especially in the case of sensitive personal data.

21.3. Parties shall make the necessary efforts to implement periodic evaluation and review measures to maintain the appropriate level of data security.

CLAUSE 22. Legislation of country of destination

22.1. Parties declare that they have assessed the legislation of the country of destination and have not identified laws or administrative practices which prevent the Importer from complying with the obligations under these Clauses.

22.2. In the event of a regulatory change which alters this situation, the Importer shall immediately notify the Exporter to assess the continuity of the contract.

CLAUSE 23. Non compliance with the Clauses by the Importer

23.1. In the event of a breach in the safeguards and guarantees provided in these Clauses or being the Importer unable to comply with any of them, the Exporter shall be immediately notified, subject to the provisions in item 19.1.

23.2. Upon receipt of the communication referred to in item 23.1 or upon verification of non compliance with these Clauses by the Importer, the Exporter shall implement the relevant measures to ensure the protection of the Data Subjects rights and the compliance of the International Data Transfer with the National Legislation and these Clauses, and may, as appropriate:

a) suspend the International Data Transfer;

b) request the return of Personal Data, their transfer to a third party, or their deletion; and

c) terminate the contract.

CLAUSE 24. Choice of forum and jurisdiction

24.1. Brazilian legislation applies to these Clauses and any controversy between the Parties arising from these Clauses shall be resolved before the competent courts in Brazil, observing, if applicable, the forum chosen by the Parties in Section IV.

24.2. Data Subjects may file lawsuits against the Exporter or the Importer, as they choose, before the competent courts in Brazil, including those in their place of habitual residence.

24.3. By mutual agreement, Parties may use arbitration to resolve conflicts arising from these Clauses, provided that the procedure is carried out in Brazil and in accordance with the provisions of the Arbitration Law.

SECTION III SECURITY MEASURES

(NOTE: This Section should include details of the security measures implemented, including specific measures for the protection of sensitive data. The measures may include the following aspects, among others, as indicated in the table below).

SECTION IV ADDITIONAL CLAUSES AND ANNEXES

(NOTE: Additional Clauses and Annexes may be included in this Section, at the discretion of the Parties, to govern issues such as commercial nature, contractual termination, term of validity and choice of forum in Brazil, among others. As provided in the Regulation for the International Transfer of Data, clauses established in this Section or in Related Contracts may not exclude, modify or contradict, directly or indirectly, the Clauses provided in Sections I, II and III).

Place and date.

EXPORTER                             IMPORTER

THIRD CONTROLLER

(NOTE: the signature of the Third Party Controller is only required in case Option B of Clause 4 is chosen, applicable exclusively for international data transfers carried out between operators)