Data protectioni Requirements for registration
In addition to the LGPD, which was enacted in 2018 and will come into force in 2020, a principle in the Federal Constitution already protects employees' intimacy and privacy.
Employee personal data that can be requested by the employer is that which is inherent to the hiring of an employee (in order to fulfil the employment agreement), as well as that which is required by labour legislation. Such personal data does not include sensitive data.
Employee personal medical data may not be disclosed to third parties, and it is certain that only the employee, his or her private physician, or the company's physician may have access to such information. If it should be necessary to use the medical data, the employee must provide his or her express consent.
Employee data that may be required by the government includes that which relates to the federal government through the annual report on social information, the general report on employment and unemployment, and the severance fund payment receipt and social security information. It is also advisable to inform the Federal Savings Bank regarding the transfer, so that the employees' severance fund accounts will not be split. This is done by means of a special form requesting the transfer of accounts, where employer is required to provide employee data.
On account of the constitutional principle of the right to privacy, information on employees cannot be made available to third parties, unless the employee provides his or her express consent.
Brazilian law provides that the business group is the sole employer, which is why the transfer of information about employees of a Brazilian subsidiary to its headquarters is possible, provided that access to such information is limited to the headquarters (i.e., not made available to third parties) and the transfer can be justified for purposes of fulfilling the obligations in the employment agreement.
It is recommended that the use of data, and the transfer and maintenance of information in a database handled by third parties, be preceded by express authorisation of the employee. In addition, the company should include such terms in employment contracts or even maintain a policy related to the protection of personal data, in the sense of stating what data will be used, transferred and maintained in databases used by third parties, together with the express agreement of the employee. Likewise, it is also recommended that the policy state that the company's systems are monitored and that any personal data entered by the employee on the company's system may be at risk of disclosure.ii Background checks
The CLT has no specific provisions on what types of background checks an employer may conduct to investigate a job applicant or an employee during the employment relationship, and there are also no provisions setting out limits on employers undertaking such investigations. Thus, background checks are reviewed according to the principles of the Federal Constitution related to the protection of employees' intimacy and privacy. Certain practices related to background checks can be adopted by employers, provided that they are reasonable and proportional to the work to be performed by the employee.
Background checks related to education, previous jobs (position, period of employment, salaries and benefits) and other information, such as registrations with professional class councils, can be conducted by the employer, as well as a background check requesting an employee's criminal record, as long as this can be reasonably justified. However, a criminal record check may only be conducted in connection with a position that merits such a check or a position in a financial area or that requires the handling of client funds. Checking the employee's financial condition with credit institutions is also permitted. Whenever a background check is conducted, the company must obtain the prior express consent of the employee (otherwise, if the employee is not hired or has his or her contract terminated, he or she may claim discrimination or invasion of privacy, or both, and seek monetary damages).