May consent be used as a legal basis for processing worker information? (Y/N – if N, please explain)
Are there any specific worker data collections or processing operations that require prior consent? (Y/N – if Y, when is consent required)
Are there exceptions that will allow employers to collect and treat workers data without consent? (Y/N – if Y, list the exceptions)
Yes. Employers may treat employees’ data without employees’ authorization only if the worker’s data is public information. Also, when a judicial authority requests it.
Is the company required to provide a privacy notice to workers? (Y/N)
Does the worker privacy notice need to address security measures?
Not necessarily. There is no legal obligation to include them in the privacy notice to workers.
Are there any other unique disclosure requirements with respect to the privacy notice (e.g. list data retention periods, state legitimate bases, etc.)?
Yes. Employees shall be informed about the purpose of collecting the data and its possible communication to the public.
Data Subject Rights
Are there data subject rights for workers? (Y/N – if Y, please list)
Yes. Workers have the same rights as any data subject.
What is the timeframe to respond to data subject requests from workers?
According to article 17 of Law No. 6534, the information shall be provided within a maximum of 24 hours if it is not immediately available.
Are there exceptions to responding to data subject requests from workers?
Yes. Requests may be denied when the applicant is not the owner of the personal data, or the legal representative is not duly accredited for it; when the rights of a third party are injured; or when there is a legal impediment that restricts access to personal.
Special Rules for Worker Information
Are there employment rules about privacy-related discrimination (e.g., unlawful to terminate employment due to worker submitting an access request)?
There are no specific employment rules about privacy related discrimination.
Are there any unique requirements for transfers of employee information to third parties (i.e., contractual restrictions or otherwise)?
Yes. Generic rules about the transfer of personal data to third parties are also applicable to employee information.
Are there rules about automated decision making involving workers (e.g., hiring decisions)?
Are there rules about processing sensitive information or information about worker households or families (e.g., biometric data, health/medical information, sexual orientation, religious affiliation, union membership, etc.)?
Yes. Such information is considered “sensitive data” according to Law No. 6534/2020.
Are there specific security requirements for storing and processing worker information?
No. The general regime is also applicable for worker information.
Are there rules about using worker information for marketing?
Yes. Generic rules about the use of personal data for marketing are also applicable to worker information for marketing. Therefore, written consent is needed. Furthermore, it is prohibited to advertise or disseminate sensitive data of explicitly individualized persons.
Are there rules about surveillance of workers?
No. However, surveillance measures should not jeopardize employees’ dignity or exceed acceptable -national and international- standards.
Are there other specific privacy rules or issues involving worker information (e.g., BYOD policies, monitoring technology use, automated tracking of workers)?
No. However, as a general principle, consent is required.
Government and Recourse
Is there a legislative body or government entity that regulates employment-related privacy matters?
In the event of a violation, is the recourse regulatory, a private right of action, or other?
Expected Changes to Worker Privacy Laws:
Yes. Telework Law No. 6738 is expected to be further regulated, and there are in Congress projects aiming to replace current Data Protection Law No. 6534/2020.
Is business-to-business (B2B) data treated differently than consumer or employee data? (Y/N – If yes, please explain).
Yes. Data Protection Privacy Law are extended to legal persons.