This article answers key questions relating to the impact of the Brazilian General Data Protection Law (LGPD) on employment relations.
What is the LGPD applicable to?
The LGPD applies to:
- data processing activities in Brazil;
- processing of data collected in Brazil or concerning individuals located in Brazil; and
- data processing activities to offer goods and services to individuals in Brazil.
What are the legal bases for processing personal data?
The LGPD establishes that the processing of personal data may occur only in the following cases:
- upon the data subject's consent;
- for compliance with legal or regulatory obligations by the controller;
- for the enforcement of public policies by the public administration;
- for studies conducted by research organisations;
- when necessary for the performance of contracts or steps prior to a contract to which the data subject is a party, on their request;
- for the regular exercise of rights in judicial, administrative or arbitration proceedings;
- for the protection of life or the personal safety of the data subject or a third party;
- for safeguarding health in procedures performed by health practitioners, services or agencies;
- when necessary to attain legitimate interests of the data controller or of a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject that require protection of personal data; and
- for the protection of credit.
The requirements are stricter if the processing involves sensitive data related to an individual, such as those regarding:
- racial or ethnic origin;
- religion;
- political opinions;
- membership of trade union or of religious, philosophical or political organisations;
- health and sexual data; and
- genetic and/or biometric data.
In particular, the legal bases relating to the performance of contracts and legitimate interests do not apply to sensitive data. Still, the law specifies that sensitive data may be processed to prevent fraud or ensure the data subject's safety in identification and authentication activities in electronic systems.
What are the requirements for consent?
Consent must be freely given, specific, informed and unambiguous, either in writing or by a clear affirmative action. If given in the context of a written declaration that also concerns other matters, the consent must be presented in a clearly distinguishable manner from the other matters. The data subject must have the right to withdraw their consent at any time. Also, the controller who has obtained the consent and needs to communicate or transfer personal data to other controllers must obtain the specific consent of the data subject.
When can the legitimate interest be used as a basis for data processing?
The controller's legitimate interest may be used only to justify data processing activities for legitimate purposes, considered in specific situations, such as supporting and promoting the controller's activities and/or protecting the rights of the data subject or providing services for their benefit. Only the minimum data required for the pursued purpose can be processed, and the National Data Protection Authority (ANPD) may require the issuance of a data protection impact assessment.
What types of information must be provided to the data subjects?
The data subject must be provided easy access to information on the processing of their data, in a clear, appropriate and visible manner. At least the following information must be provided:
- the specific purpose of the processing;
- its form and duration;
- identification and contact information of the controller;
- information regarding the shared use of data by the controller and its purpose;
- responsibilities of the controllers and processors; and
- the rights of the data subject, with express reference to the rights listed in article 18 of the LGPD.
When must the processing of personal data stop?
The processing of personal data must terminate:
- whenever the purpose of such processing has been achieved or the data is no longer necessary for such purpose;
- when the processing period has ended;
- upon the data subject's request; or
- upon order of the ANPD.
The data must be erased upon conclusion of the processing activities, but the LGPD allows the data to be kept for purposes of:
- compliance with legal or regulatory obligations by the controller;
- studies by research organisations;
- transfer of data to third parties (provided that the requirements of the law are fulfilled); or
- exclusive use by the controller, provided that the data has been anonymised.
Should employers use consent as the legal basis for processing employees' personal data?
Consent can be withdrawn at any time. There could also be discussions about whether an employee is truly free to withhold such consent while employed, so consent should be used as the legal basis only when strictly necessary or when no other legal basis is applicable.
The legal basis for the processing must be assessed on a case-by-case basis.
Most frequently, employee personal data will be processed for:
- compliance with legal or regulatory obligations by the controller (labour, tax and social security obligations);
- the performance of contracts (employment agreement);
- the regular exercise of rights (labour claims); and/or
- protection of life or personal safety (occupational safety).
In certain circumstances, the legitimate interest can also be used, provided that the requirements mentioned above regarding such legal basis are fulfilled.
How to provide information to employees about the processing of their data?
The disclosure of information on the processing of employees' personal data is usually done using a privacy policy, a privacy notice and/or an information security policy.
Such documents may also set out rules and guidance on the processing activities to be carried out by the employees. In this regard, the labour courts have recently decided that an employment agreement can be terminated for cause if the employee fails to comply with the applicable privacy/information security policy (for further details please see "Violation of data protection rules warrants termination for cause").
In such cases, the employer must have evidence that the employee was aware of the policies – for instance, by collecting employees' signatures or another form of acknowledgement.
For how long must employers keep employees' personal data?
The period for storing employees' personal data is also defined on a case-by-case basis.
Different types of personal data related to employees and former employees are subject to different statutes of limitations according to the labour and social security laws.
It is crucial to have a data retention policy that indicates for how long the employer must retain each kind of document or personal data and sets out the disposal procedures once the retention period is over.
Finally, the golden tip for employers is to have detailed policies on the matter and to file evidence that the employees acknowledged such rules and procedures.
What about the personal data of job candidates?
In general, the same rules applicable to employees' personal data also apply to job candidates' personal data. Some companies adopt specific privacy policies or notices for candidates; including a specific chapter for this category of data subjects in the general privacy policy or notice is also standard practice.
The legal basis for processing candidates' personal data must also be assessed on a case-by-case basis. Most frequently the data will be processed for the performance of steps prior to a contract (in this case, an employment agreement). Depending on the type of personal data involved in the recruitment process (eg, racial or ethnic origin), consent may be necessary.
In Brazil, delivering CVs in hard copy is a common practice depending on the industry sector and region of the country. The personal data included in printed documents is also subject to the LGPD, and, therefore, such candidates are entitled to the same rights in connection with their personal data.
Whenever possible, it is recommended to avoid receiving CVs in hard copy as it is more complex to ensure the appropriate disclosures to the candidate and keep track of the CVs. Still, specific actions may be taken to ensure compliance with the LGPD when receiving CVs in hard copy (eg, obtaining the candidate's confirmation of their awareness of the company's data protection and privacy policies and practices).
Can unions request employers to provide their employees' personal data?
Depending on the industry sector and region, it is common that employees' unions request employers to provide information such as:
- lists of employees;
- employee contact information; and
- employee remuneration details.
The LGPD does not require employers to provide employees' unions with employees' documents or information.
Unless there is an applicable collective bargaining agreement or collective agreement that provides for such an obligation, or if it is a requirement during a vote to approve a negotiation with the employees' union, for example, it is advisable to consult legal counsel before providing employees' personal data to unions.
For further information on this topic please contact Patricia Barboza, Marcia Mandelbaum or Marcelo Rosa at CGM Advogados by telephone (+55 11 2394 8900) or email. The CGM Advogados website can be accessed at cgmlaw.com.br.
Poliana César assisted in the preparation of this article.