Brazil: Privacy Law Survey 2021 - Brazil

Consent

May consent be used as a legal basis for processing worker information? (Y/N – if N, please explain)

Yes. In theory and depending on the circumstances of the processing activity, consent could be used as a legal basis to process employee personal data.

However, the use of consent in employment relationships may be challenged, since the ""freely-given"" aspect may not be met due to the subordination status between employee and employer. As a result, employer may rely on other legal basis to process personal data in compliance with the LGPD, such as compliance with legal or regulatory obligations, performance of a contract , regular exercises of rights and legitimate interest.

Are there any specific worker data collections or processing operations that require prior consent? (Y/N – if Y, when is consent required)

No.

Nonetheless, there are some situations in which a prior consent would be the preferable legal basis for processing personal data and sensitive personal data (i.e. health data, biometric data, ethnicity, religion).

Are there exceptions that will allow employers to collect and treat workers data without consent? (Y/N – if Y, list the exceptions)

Yes. According to Brazilian General Data Protection Law ("LGPD") employers may process employees' personal data without their consent in the context of an employment relationship, as long as the employer may rely on other legal basis, such as compliance with legal or regulatory obligations, performance of a contract, regular exercises of rights and legitimate interest.

Privacy Notice

Is the company required to provide a privacy notice to workers? (Y/N)

Yes.

Does the worker privacy notice need to address security measures?

No, although is advisible to provide such information in attention to transparency principle.

Are there any other unique disclosure requirements with respect to the privacy notice (e.g. list data retention periods, state legitimate bases, etc.)?

Yes. Employee has the right to facilitated access to information concerning the processing of his/her data, which must be made available in a clear, adequate and ostensible manner, in compliance with the LGPD's Article 9 terms.

Data Subject Rights

Are there data subject rights for workers? (Y/N – if Y, please list)

Yes. Workers have the same rights as any data subject (i.e. confirmation of the existence of processing; correction of incomplete, inaccurate or outdated data; deletion of personal data processed with consent, etc).

What is the timeframe to respond to data subject requests from workers?

In case of worker's confirmation of processing or access to personal data request, the timeframe is 15 days (Article 19, I and II of the LGPD).

Are there exceptions to responding to data subject requests from workers?

Yes. Requests may be denied when the provision of information related to employees' personal data and its processing involves commercial and industrial secrets or when the employer is retaining the data in order to comply with legal obligations or for regular exercise of rights for a potential claim.

Special Rules for Worker Information

Are there employment rules about privacy-related discrimination (e.g., unlawful to terminate employment due to worker submitting an access request)?

There are no specific employment rules on privacy-related discrimination.

However, Law N. 9029/95 presents a non-exhaustive list of examples of discriminatory termination, which can comprise privacy-related matters. If the termination is considered discriminatory, the employee can seek the reinstatement or a penalty of twice the compensation amount due in the period between the dismissal and the court award.

Are there any unique requirements for transfers of employee information to third parties (i.e., contractual restrictions or otherwise)?

Yes. Generic rules about transfer of personal data to third parties are also applicable to employee information (i.e data controller must assess contractual measures to be adopted with vendors or companies from the same group, in order to preserve its and the data subjects' best interest regarding privacy and data protection). Also specific requirements may be adopted when engaging with international transfers of data (article 33 LGPD).

Are there rules about automated decision making involving workers (e.g., hiring decisions)?

Under LGPD (art. 20) , the data subject has the right to request for the review of decisions made solely based on automated processing of personal data affecting her/his interests, including decisions intended to define her/his personal, professional, consumer and credit profile, or aspects of her/his personality.

Whenever requested to do so, the controller shall provide clear and adequate information regarding the criteria and procedures used for an automated decision, subject to commercial and industrial secrecy. If no information is provided to the data subject, based on commercial and industrial secrecy, ANPD may carry out an audit to verify
discriminatory aspects in automated processing of personal data.

If such automated processing of personal data is deemed illegal under LGPD, the data controller may be subject to face administrative procedures before ANPD and face administrative sanctions, pursuant to article 52, LGPD.

Are there rules about processing sensitive information or information about worker households or families (e.g., biometric data, health/medical information, sexual orientation, religious affiliation, union membership, etc.)?

Yes. Such information is considered ""sensitive personal data"" under LGPD (article 5, II), and it can only be processed in accordance with LGPD's article 11 and its legal basis, such as consent, compliance with legal obligations, regular exercise of rights (including in contracts) etc.

Also, Brazilian Data Protection Authority (""ANPD"") may determine that the controller must prepare a data protection impact assessment (Art. 38) and provide minimum technical standards regarding information security measures that must be adopted by processing agents (Art. 46, §1º).

Are there specific security requirements for storing and processing worker information?

No. The general regime is also applicable for worker information.

Are there rules about using worker information for marketing?

Yes. Generic rules about use of personal data for marketing is applicable also to worker information for marketing: (i) rely on a legal basis, (ii) comply with data protection principles, and (iii) provide information to the data subject via a privacy notice.

Also, employee's consent is needed when the employer uses the employee's written word, audio and/or image, based on Brazilian Civil Code.

Are there rules about surveillance of workers?

No. However, surveillance cannot exceed the acceptable standards (e.g. bathroom and locking rooms, or concealed cameras are not allowed).

Also, depending of the type of surveillance implemented by the employer, it may be necessary to comply with certain requirements imposed by LGPD, such as: rely on a legal basis, follow data protection principles (i.e. purpose, necessity, transparency), provide adequate disclosure in a privacy notice, among others.

Are there other specific privacy rules or issues involving worker information (e.g., BYOD policies, monitoring technology use, automated tracking of workers)?

Without specific legal regulation on this particular topic, in order to monitor its employees, the employer should disclose to them, previously, specific information regarding privacy and data protection via a notice, policies or procedures, especially when providing them equipments and resources.

Also, employer should carry a data protection impact assessment and shall put in place certain organizational and technical measures for information security and data protection purposes.

Government and Recourse

Is there a legislative body or government entity that regulates employment-related privacy matters?

No.

In the event of a violation, is the recourse regulatory, a private right of action, or other?

Both.

Data subjects may file a complaint before ANPD and/or file a claim before a Brazilian Court with jurisdiction.

Expected Changes to Worker Privacy Laws:

No, although ANPD was created recently and may still enact regulations impacting data protection aspects in employment relationships.

B2B Data

Is business-to-business (B2B) data treated differently than consumer or employee data? (Y/N – If yes, please explain).

Yes.

If the business-to-business (B2B) relationship involves the transfer of personal data between the parties, the data protection requirements set forth by LGPD will be triggered. Thus, the parties will be obliged to comply with legal requirements imposed by LGPD to protect the data subjects (which may be clients, employees or even legal representatives of the parties).

When the B2B relationship does not involve the processing of personal data, LGPD will not apply. Notwithstanding the foregoing, the parties may still be obliged to adopt certain measures to protect data received from the other party, based on confidentiality clauses, general legal principles, bank secrecy obligations (when applicable), etc.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.