LGPD Cross-Border Transfers.

Every SaaS tool with a US data center is a cross-border transfer. Most Brazil-operating companies have never audited them. Here is what PE acquirers need to validate.

Cross-border data transfers are the LGPD compliance area most likely to be completely unaddressed in PE-backed companies with Brazil operations. The reason is structural: cross-border transfers happen automatically when a company uses US-hosted SaaS tools, and most companies never think of tool selection as a data transfer decision. But under LGPD Article 33, it is.

The Legal Framework for International Transfers

LGPD Article 33 permits international data transfers only under specific conditions. The permitted mechanisms are: transfer to countries or organizations that ANPD has determined provide an adequate level of data protection; standard contractual clauses approved by ANPD; binding corporate rules; specific and prominent consent from the data subject; compliance with international cooperation obligations; transfers required for international judicial cooperation; transfers necessary to protect the life or physical safety of the data subject; and transfers authorized by ANPD based on regulatory commitments.

The practical reality is that ANPD has not issued adequacy decisions for any country. That eliminates the simplest transfer mechanism. Binding corporate rules require ANPD approval, which is not yet available as a practical path. Consent must be specific and prominent, which means it cannot be buried in a privacy policy. For most PE-backed companies, standard contractual clauses are the only viable transfer mechanism.

ANPD published its regulation on international data transfers (Resolution CD/ANPD No. 19) in August 2024, establishing the framework for standard contractual clauses. Companies that have not adopted SCCs compliant with this resolution are operating cross-border transfers without a legal basis. That is an enforceable violation.

Where Cross-Border Transfers Hide in MarTech Stacks

The typical mid-market company operating in Brazil has 15 to 30 distinct cross-border data flows that its team has never mapped. Every ESP (HubSpot, Klaviyo, Mailchimp), every CRM (Salesforce, HubSpot), every analytics platform (Google Analytics, Mixpanel, Amplitude), every advertising platform (Meta, Google Ads, TikTok), every customer support tool (Zendesk, Intercom), and every data warehouse (Snowflake, BigQuery) hosted outside Brazil represents a cross-border transfer.

The transfer is not limited to primary customer data. It includes website visitor data collected through tracking pixels. It includes employee data if HR tools are US-hosted. It includes support ticket content, chat transcripts, and behavioral analytics. The scope of cross-border transfers in a modern SaaS-dependent company is far broader than most teams recognize.

Field observation: In a pre-LOI review of a Brazil-based e-commerce platform, we mapped 27 distinct cross-border data transfers. The company's privacy team was aware of three: Salesforce, HubSpot, and Google Analytics. The remaining 24 included advertising pixels, A/B testing tools, session recording platforms, payment processors, and logistics APIs. None had standard contractual clauses. The total remediation scope was 4x larger than the company estimated.

Standard Contractual Clauses Under ANPD Resolution 19

ANPD Resolution CD/ANPD No. 19 established the requirements for standard contractual clauses as a transfer mechanism. The resolution specifies that SCCs must include: the identification of the parties, the purpose and duration of the transfer, the categories of personal data and data subjects, the technical and organizational security measures, the rights of data subjects, and the obligations of both the exporter and the importer.

The resolution draws heavily from the EU's SCC model but includes Brazil-specific requirements. The data importer must comply with LGPD principles even when processing data outside Brazil. The data exporter remains responsible for verifying that the importer's data protection standards are adequate. And the SCC must include a clause permitting ANPD to conduct audits of the data importer's practices.

For PE-backed companies, the operational challenge is executing SCCs with every vendor that processes Brazil-originating personal data. Some large vendors (Salesforce, Google, Microsoft) have updated their data processing agreements to include LGPD-compliant transfer clauses. Smaller vendors have not. The gap analysis requires reviewing every vendor DPA against ANPD Resolution 19 requirements and negotiating amendments where the DPA falls short.

Remediation Strategy for PE Portfolio Companies

Cross-border transfer remediation follows a four-step process. First, map every data flow that moves personal data from the Brazil entity to a processor or controller outside Brazil. This requires access to the tag manager, the infrastructure diagram, the vendor list, and the data warehouse schema. It cannot be done from a vendor spreadsheet alone.

Second, classify each flow by available transfer mechanism. Flows to vendors with LGPD-compliant DPAs require only documentation. Flows to vendors without compliant DPAs require SCC negotiation. Flows that cannot be remediated through SCCs (typically small or custom vendors unwilling to negotiate) require either migration to a Brazil-hosted alternative or discontinuation.

Third, execute the remediation. Negotiate SCC addenda with vendors. Update the ROPA to document each transfer mechanism. Implement technical controls where needed, such as data residency configurations in SaaS tools that offer Brazil-region hosting.

Fourth, establish ongoing monitoring. New vendor procurement must include cross-border transfer assessment as a standard step. Quarterly audits of the data flow map catch new transfers introduced through marketing tool adoption or engineering integrations. The cross-border transfer register becomes a living document, not a one-time compliance exercise.
