Yes. According to the Brazilian General Data Protection Law (Law 13,709/2018 — "LGPD"), international transfers are only permitted in specific circumstances, including the following:

• When the foreign country or international organization provides an adequate level of data protection, as assessed by the Brazilian Data Protection Authority (“BDPA”).
• When the transfer is authorized by the BDPA
• When the data controller can show and guarantee that the conditions established by the LGPD are met, which can be accomplished through specific contractual clauses for the said transfer, standard contractual clauses (SCCs), binding corporate rules or third-party certification — all of which must be approved by the BDPA
• When the data subject has consented specifically and clearly to the international transfer, having been informed previously about the international nature of the transfer (The transfer of data must be separate from other purposes of processing personal data.)
• To comply with a legal obligation to which the original controller is subject

This is one of the areas of the LGPD that relies extensively on the regulations of the BDPA. However, the authority has not issued any guidance or regulations on this point yet.

As the LGPD is similar to the GDPR and follows the same principles, EU SCCs are likely to be acceptable, subject to minor amendments such as wording, definitions and references to the LGPD's equivalent legal provisions, instead of the GDPR's.

Additionally, there are obligations set forth in Brazilian National Monetary Council ("CMN") Resolution No. 4,893, effective as of 26 February 2021 ("Resolution 4,893"), and Brazilian Central Bank ("BCB") Resolution No. 85, effective as of 8 April 2021 ("Resolution 85").

Please refer to Q&A No. 2 for provisions regarding cloud services processing of data offshore contained in Resolution 4,893 and Resolution 85.