May consent be used as a legal basis for processing worker information? (Y/N – if N, please explain)
Are there any specific worker data collections or processing operations that require prior consent? (Y/N – if Y, when is consent required)
Yes. Pursuant to Personal Data Act, data relating the employee´s health requires his/her prior, written and express consent.
Are there exceptions that will allow employers to collect and treat workers data without consent? (Y/N – if Y, list the exceptions)
Yes. As indicated in Act No. 18,331, employers may treat employees’ data without employees’ consent provided it is not classified as sensible information.
Is the company required to provide a privacy notice to workers? (Y/N)
Does the worker privacy notice need to address security measures?
Not necessarily. Security measures at work are mandatory by the Safety and Health Act, and its corresponding regulatory decrees (such as decree 291/007) but there is no legal obligation to include them in the privacy notice to workers.
Are there any other unique disclosure requirements with respect to the privacy notice (e.g. list data retention periods, state legitimate bases, etc.)?
Yes. Employees must be informed about the address, name of who will handle the data (in this case, the employer), the purposes for which the data is provided.
Data Subject Rights
Are there data subject rights for workers? (Y/N – if Y, please list)
Yes. Workers have the same rights as any data subject (i.e. access, rectification, deletion, and inclusion of personal data to which the employee is entitled). In addition, workers have the right to not be subject to personal evaluations that affect him/her.
What is the timeframe to respond to data subject requests from workers?
In case of a worker’s requests to access, rectify, update, include, delete personal data the timeframe is 5 working days (Section 14 of Act No. 18,331).
Are there exceptions to responding to data subject requests from workers?
Yes. Requests may be denied when the data relates to third parties or could endanger the defense of the Sate or public safety (Section 14 and 26).
Special Rules for Worker Information
Are there employment rules about privacy-related discrimination (e.g., unlawful to terminate employment due to worker submitting an access request)?
There are no specific employment rules about privacy related discrimination.
Are there any unique requirements for transfers of employee information to third parties (i.e., contractual restrictions or otherwise)?
Yes. Generic rules about transfer of personal data to third parties are also applicable to employee information.
Are there rules about automated decision making involving workers (e.g., hiring decisions)?
Are there rules about processing sensitive information or information about worker households or families (e.g., biometric data, health/medical information, sexual orientation, religious affiliation, union membership, etc.)?
Yes. Sensitive Data has special regulation (i.e. Biometric data in Section 18 Bis of Act No. 18,331; data related to health in Section 19; sensible data in Sections 18 and 4 E).
Are there specific security requirements for storing and processing worker information?
No. The general regime is also applicable for worker information.
Are there rules about using worker information for marketing?
Yes. Generic rules about use of personal data for marketing is applicable also to worker information for marketing. Therefore, the data must be provided by their holders or obtained with their consent, for advertising purposes.
Are there rules about surveillance of workers?
No. However, it is generally understood that certain requirements must be met: the installation or usage of cameras must have a justification, employees must be previously informed , and they cannot be installed in bathrooms and/or changing rooms, or rest areas.
Are there other specific privacy rules or issues involving worker information (e.g., BYOD policies, monitoring technology use, automated tracking of workers)?
No. However the employee´s authorization or consent is required.
Government and Recourse
Is there a legislative body or government entity that regulates employment-related privacy matters?
In the event of a violation, is the recourse regulatory, a private right of action, or other?
Expected Changes to Worker Privacy Laws:
Yes. A Teleworking bill is in process of approval, being currently discussed in the Senate of Parliament.
Is business-to-business (B2B) data treated differently than consumer or employee data? (Y/N – If yes, please explain).
Yes. The Personal Data Act No. 18.331 is applicable to all persons. In the case of worker´s data, in some cases, there are particular treatments, such as sensitive data.