Brazil LGPD International Transfers

Start by deciding whether the transfer can rely on one of the Article 33 bases: an adequacy decision for the destination country or international organization; contractual safeguards such as specific contractual clauses, standard contractual clauses, or binding corporate rules; one of the other Article 33 hypotheses such as legal cooperation, protection of life, ANPD authorization, international cooperation agreement, public policy execution, specific consent with clear notice of the international character, or another legal basis from Articles 7 or 11.

Then choose the narrowest basis that fits the facts. If the destination already has an adequacy decision, use that route. If not, use contractual safeguards when the controller can prove they are in place and operational. If neither fits, check whether one of the other Article 33 hypotheses or a separate legal basis applies before approving the transfer.

Keep the LGPD source, role map, lawful-basis analysis, transfer basis, and ANPD-facing evidence together so the decision shows why the transfer is allowed and what controls support it.

Ownership should sit with the team that controls the processing purpose, data-subject channel, vendor relationship, transfer mechanism, security incident response, or ANPD communication.

Evidence should show controller/operator mapping, lawful basis, transparency notice, rights response, transfer analysis, incident decision, DPO involvement, and ANPD remediation record where applicable.

Most LGPD mistakes happen at the boundary between controller and operator duties, consent and other lawful bases, academic or public-interest processing, International Transfers, and incident notification thresholds.

Apply this section before approving a processing activity, vendor arrangement, transfer, rights workflow, child-data handling, or incident response under LGPD. If evidence is missing, block progression and raise a review task.

Use an LGPD workflow that captures role, purpose, lawful basis, data category, data-subject right, transfer or incident trigger, DPO review, evidence, and review date.

The output should be a lawful-basis memo, role map, privacy notice update, DSAR record, transfer note, incident assessment, or ANPD response pack.