Personal data has become an essential resource for businesses. Therefore, having and enforcing internal rules for personal data protection is crucial, especially as companies that use such information are responsible for violations of data rights and any other applicable laws.
São Paulo's Regional Employment Court has recently granted a decision that has made the Brazilian General Law effective within the General Personal Data Protection Law (the Data Protection Law) in employment matters. The decision is still subject to appeal, but it is the first decision of this Court that concerns the Data Protection Law and it indicates the seriousness with which Brazilian employment courts will treat the matter.
In the case at hand, an employee, who worked for a telemarketing company and had been hired by a meal card company, emailed a spreadsheet with a significant amount of the service provider's personal data to his personal email account, including taxpayers' identity documents, credit card numbers and financial transaction records.
The employer detected the transmission of this information through their monitoring system and carried out an investigation that resulted in the termination of the employee's contract for cause, for which he received the minimum statutory severance payment.
The Court concluded that the termination for cause was duly applied because the spreadsheet was sent to the employee's personal email account, which constituted a violation of the internal rules of his employer and of the client. In its decision-making, the Court did not recognise claims that the information had not been shared with third parties or that the employee had no harmful intention in his actions. Therefore, the mere act of having sent the information in question was serious enough to warrant the termination for cause.
This decision demonstrates the importance for companies when complying with data protection rules to implement:
- confidentiality agreements with their employees and service providers;
- privacy and information security policies; and
- additional processes for employees who work with personal data.
Further, the Court's decision also reinforces that, in order to avoid future litigation, employers must have means of proving that employees were aware of data protection rules and agreed to adhere to internal policies and regulations regarding such matters.
For further information on this topic please contact Patricia Barboza or Beatriz Guimarães at CGM Advogados by telephone (+55 11 2394 8900) or email ([email protected] or [email protected]). The CGM Advogados website can be accessed at cgmlaw.com.br.
Poliana César assisted in the preparation of this article.