In January 2026, the Brazilian National Data Protection Authority (ANPD) issued Resolution CD/ANPD No. 32, recognizing the European Union as an international organization that ensures an adequate level of protection for personal data under the Brazilian General Data Protection Law (LGPD).
This decision represents a significant step forward for Brazil, aligning it more closely with leading international data protection regimes and contributing to the reduction of regulatory complexity and compliance costs, particularly for companies with global operations or frequent data flows involving Europe.
What does this mean in practice?
From an objective standpoint, the resolution allows international transfers of personal data from Brazil to the European Union to rely directly on the adequacy mechanism provided for in Article 33, item I, of the LGPD. In certain operations, this means that the adoption of Standard Contractual Clauses (SCCs) established by the ANPD as an annex to Resolution CD/ANPD No. 19 of August 2024 is no longer legally required.
The recognition covers all Member States of the European Union, as well as Iceland, Liechtenstein, and Norway – countries that are part of the European Economic Area – along with the institutions, bodies, and agencies of the European Union itself.
However, this decision does not apply to transfers carried out exclusively for purposes of public security, national defense, state security, or criminal investigation and prosecution. In such cases, other international data transfer mechanisms remain necessary.
Furthermore, the adequacy decision does not eliminate the obligation to comply with the other requirements set forth in the LGPD. Companies remain responsible for ensuring that personal data processing is based on valid legal grounds, in compliance with the principles of the law, information security obligations, and data subjects’ rights.
Despite the benefits brought by the decision, the ANPD itself has provided for the continuous monitoring of the European Union level of protection and the reassessment of adequacy within a period of up to four years. This requires companies to maintain ongoing attention to regulatory developments.
Finally, with respect to transfers of personal data to countries not covered by the adequacy decision, or in scenarios involving the absence of equivalent legislation, onward transfers, or governance and risk mitigation strategies, the adoption and maintenance of specific contractual clauses – such as SCCs – remain legally advisable.
An important point that still goes unnoticed by many companies
According to Cecília Freitas from Emerenciano, Baggio & Associados – Advogados, most companies are still unaware that cloud data storage, data transfers for hosting and storage on servers located abroad, as well as the use of international systems in which data processing and storage occur outside Brazil, constitute international transfers of personal data and are fully subject to Article 33 of the LGPD, with all applicable requirements and legal mechanisms.
The adoption of internal administrative measures to regularize these transfers is urgent, especially considering that the ANPD continues to supervise and monitor compliance with the LGPD by companies in Brazil, including with respect to international data flows.
In summary, Resolution CD/ANPD No. 32 represents a concrete opportunity to simplify international data transfers with the European Union, but it does not eliminate the need for a careful, case-by-case legal analysis. The regulatory benefit exists, provided it is properly classified, documented, and supported by an appropriate data protection governance strategy.
If your company engages in international data transfers as part of its activities, reviewing data flows, contracts, and internal policies in light of this new decision is essential to reduce regulatory risks and to take advantage of the positive effects of adequacy.
The Digital Law team at Emerenciano, Baggio & Associados – Advogados is available to support this assessment in a technical, secure manner aligned with best regulatory practices.
For more information or to clarify any doubts, please contact Emerenciano, Baggio & Associados – Advogados.
This content is for informational purposes only and does not constitute, nor should it be interpreted as, legal advice, a professional recommendation, or legal guidance for specific situations related to the topics addressed.
Cecília Freitas
Lawyer at Emerenciano, Baggio & Associados
