Privacy Law Survey 2021
Brazil


Privacy Notice

Is the company required to provide a privacy notice to workers? (Y/N)

Yes.

Does the worker privacy notice need to address security measures?

No, although it is advisable to provide such information in keeping with the transparency principle.

Are there any other unique disclosure requirements with respect to the privacy notice (e.g. list data retention periods, state legitimate bases, etc.)?

Yes. The employee has the right to facilitated access to information concerning the processing of his/her data, which must be made available in a clear, adequate and ostensible manner, in compliance with Article 9 of the LGPD.

Data Subject Rights

Are there data subject rights for workers? (Y/N – if Y, please list)

Yes. Workers have the same rights as any data subject (i.e. confirmation of the existence of processing; correction of incomplete, inaccurate or outdated data; deletion of personal data processed with consent, etc.).

What is the timeframe to respond to data subject requests from workers?

For a worker's request for confirmation of processing or for access to personal data, the timeframe is 15 days (Article 19, I and II of the LGPD).

Are there exceptions to responding to data subject requests from workers?

Yes. Requests may be denied when the provision of information related to employees’ personal data and its processing involves commercial and industrial secrets or when the employer is retaining the data in order to comply with legal obligations or for regular exercise of rights for a potential claim.

Special Rules for Worker Information

Are there employment rules about privacy-related discrimination (e.g., unlawful to terminate employment due to worker submitting an access request)?

There are no specific employment rules on privacy-related discrimination.

However, Law N. 9029/95 presents a non-exhaustive list of examples of discriminatory termination, which can comprise privacy-related matters. If the termination is considered discriminatory, the employee can seek reinstatement or a penalty of twice the compensation amount due in the period between the dismissal and the court award.

Are there any unique requirements for transfers of employee information to third parties (i.e., contractual restrictions or otherwise)?

Yes. Generic rules about the transfer of personal data to third parties are also applicable to employee information (i.e. the data controller must assess contractual measures to be adopted with vendors or companies from the same group, in order to preserve its and the data subjects' best interest regarding privacy and data protection). Also, specific requirements may be adopted when engaging in international transfers of data (article 33 LGPD).

Are there rules about automated decision making involving workers (e.g., hiring decisions)?

Under LGPD (art. 20), the data subject has the right to request the review of decisions made solely based on automated processing of personal data affecting her/his interests, including decisions intended to define her/his personal, professional, consumer and credit profile, or aspects of her/his personality.

Whenever requested to do so, the controller shall provide clear and adequate information regarding the criteria and procedures used for an automated decision, subject to commercial and industrial secrecy. If no information is provided to the data subject, based on commercial and industrial secrecy, ANPD may carry out an audit to verify discriminatory aspects in automated processing of personal data.

If such automated processing of personal data is deemed illegal under LGPD, the data controller may be subject to administrative procedures before ANPD and to administrative sanctions, pursuant to article 52, LGPD.

Are there rules about processing sensitive information or information about worker households or families (e.g., biometric data, health/medical information, sexual orientation, religious affiliation, union membership, etc.)?

Yes. Such information is considered “sensitive personal data” under LGPD (article 5, II), and it can only be processed in accordance with LGPD’s article 11 and its legal basis, such as consent, compliance with legal obligations, regular exercise of rights (including in contracts) etc.

Also, the Brazilian Data Protection Authority (“ANPD”) may determine that the controller must prepare a data protection impact assessment (Art. 38) and provide minimum technical standards regarding information security measures that must be adopted by processing agents (Art. 46, §1º).

Are there specific security requirements for storing and processing worker information?

No. The general regime is also applicable to worker information.

Are there rules about using worker information for marketing?

Yes. Generic rules about the use of personal data for marketing are also applicable to worker information: (i) rely on a legal basis, (ii) comply with data protection principles, and (iii) provide information to the data subject via a privacy notice.

Also, the employee’s consent is needed when the employer uses the employee’s written word, audio and/or image, based on the Brazilian Civil Code.

Are there rules about surveillance of workers?

No. However, surveillance cannot exceed the acceptable standards (e.g. surveillance in bathrooms and locker rooms, or by concealed cameras, is not allowed).

Also, depending on the type of surveillance implemented by the employer, it may be necessary to comply with certain requirements imposed by LGPD, such as: rely on a legal basis, follow data protection principles (i.e. purpose, necessity, transparency), provide adequate disclosure in a privacy notice, among others.

Are there other specific privacy rules or issues involving worker information (e.g., BYOD policies, monitoring technology use, automated tracking of workers)?

There is no specific legal regulation on this particular topic. In order to monitor its employees, the employer should disclose to them, in advance, specific information regarding privacy and data protection via a notice, policies or procedures, especially when providing them with equipment and resources.

Also, the employer should carry out a data protection impact assessment and shall put in place certain organizational and technical measures for information security and data protection purposes.

Government and Recourse

Is there a legislative body or government entity that regulates employment-related privacy matters?

No.

In the event of a violation, is the recourse regulatory, a private right of action, or other?

Both.

Data subjects may file a complaint before ANPD and/or file a claim before a Brazilian Court with jurisdiction.

Expected Changes to Worker Privacy Laws:

No, although ANPD was created recently and may still enact regulations impacting data protection aspects in employment relationships.

B2B Data

Is business-to-business (B2B) data treated differently than consumer or employee data? (Y/N – If yes, please explain).

Yes.

If the business-to-business (B2B) relationship involves the transfer of personal data between the parties, the data protection requirements set forth by LGPD will be triggered. Thus, the parties will be obliged to comply with legal requirements imposed by LGPD to protect the data subjects (which may be clients, employees or even legal representatives of the parties).

When the B2B relationship does not involve the processing of personal data, LGPD will not apply. Notwithstanding the foregoing, the parties may still be obliged to adopt certain measures to protect data received from the other party, based on confidentiality clauses, general legal principles, bank secrecy obligations (when applicable), etc.

Cascione, Pulino & Boulos Advogados

Brazil

Offices

Cascione, Pulino & Boulos Advogados
Av. Brig. Faria Lima, 4.440
14° andar
CEP 04538-132
São Paulo, Brazil
Tel: +55 11 3165 3000

Torre do Rio Sul
Rua Lauro Müller, 116
26º andar — CEP 22290-906
Tel: +55 21 3289 0930