ASAP

ASAP

Brazil Standard Contractual Clauses (SCCs) may be required starting August 23, 2025. Is your company ready?

By Renata Neeser

  • 4 minute read

Last August, Brazil’s Data Protection Agency—Autoridade Nacional de Proteção de Dados (ANPD)—issued the International Transfer Regulations, including the Standard Contractual Clauses (SCCs) template. The deadline for compliance is August 23, 2025. The SCCs are currently the only immediately viable mechanism—aside from individual consent—for legally transferring personal data of Brazilian employees, clients, and vendors to entities abroad. 

While the regulations outline five legal mechanisms (Adequacy Decisions, Binding Corporate Rules (BCRs), SCCs, Specific Contractual Clauses, and Equivalent Contractual Clauses), only the Brazilian SCCs are available for immediate use. 

Similar to the General Data Protection Regulation (GDPR), Brazil Data Protection Law (LGPD) permits the transfer of personal data only to countries recognized as having a level of data protection equivalent to that required by the LGPD. The ANPD is responsible for making the adequacy decision and as of this date, the ANPD has not named any country as meeting the adequacy level required, so this mechanism is still not available. 

The BCRs and Specific Contractual Clauses are technically available mechanisms but they require specific approval for their use and thus far none has been approved. BCRs and Specific Contractual Clauses must be submitted by the interested party to the ANPD and after a detailed analysis by the internal International Affairs Coordination (CAI), the General Coordination of Institutional and International Relations (CGRII), and the Specialize Federal Prosecutor’s Office, their approval may be granted. We expect that any such processes will take several months. 

Also, no Equivalent Contractual Clauses, such as the EU SCCs, have yet been approved by the ANPD to be used in lieu of the Brazilian SCCs, so companies cannot rely on them to cover Brazil as well. Therefore, the Brazilian SCCs provide the only mechanism available that can be immediately implemented by companies.  

The Brazilian SCCs are a set of predefined contractual provisions that provide minimum guarantees and conditions for the international transfer of personal data. They include a description of the parties, the purpose(s) of the transfer, categories of personal data to be transferred, the retention period for the data, onward transfers, responsibility and general obligations of the parties, transparency, rights of the data subjects, security measures and safeguards, dispute mechanisms and applicable law (i.e., Brazilian law). These clauses must be included in full—unaltered and in both English and Portuguese—in contracts between Brazilian entities and foreign parties, including intercompany agreements and vendor contracts. The Brazilian SCCs can be complemented but not modified.  

Companies in Brazil, as the exporter of the personal data, must make sure that all transfers, including to companies of the same economic group, are done under valid SCCs to avoid possible audits and penalties from the ANPD. 

Employers are not exempt. Employee personal data that is transferred outside Brazil must be transferred using an intercompany contract with the SCCs. Some employers may want to rely on individual consent from employees, but that may not be feasible due to the volume of data or because consent can be withdrawn at any moment. The SCCs are likely the best mechanism available at the moment.

Companies headquartered in the United States must also be careful about the use of service providers that are not based in Brazil, as the SCCs with their subsidiaries need to indicate details of the onward transfers. Even if the service provider has a subsidiary in Brazil, if it will also share the data with its parent or other subsidiaries abroad, companies engaging the provider should make sure that their service agreement for Brazil includes provisions requiring the provider to have a contractual agreement with SCCs with their parent company or subcontractors outside Brazil. 

Notably, the regulations exclude direct data collection by foreign entities from the SCC requirement. The direct collection of personal data by a non-Brazilian entity from the data subject is not covered by the regulations. In that sense, a U.S. company that collects the personal data of an independent contractor directly does not need to adopt SCCs for such transfer, but it will still need to comply with the other provisions of the LGPD and may be subsequently required to have a data transfer agreement with a vendor if it will share the personal data with such vendor. 

In sum, the deadline for complying with the international transfer of personal data is upon us. Violators may be subject to audits and fines from the ANPD and, if non-compliant, may face higher damages awards in individual civil liability cases. Multinational employers should be concerned with the transfer and onward transfers that are typically used in the processing of payroll, benefits and data storage due to the volume of data and sensitivity of information. 

Related Insights

View All Insights
Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.
© 2025 Littler Mendelson P.C.
Littler Mendelson is part of the international legal practice, Littler Global, which operates worldwide through a number of separate legal entities. Attorney Advertising.

Let us know how we can help you navigate your particular workplace legal issues.