What HR Need to Know About LGPD’s Employee Data Protection

Privacy Notice Requirement

Article 9 of the LGPD further explains what information employers need to provide to their employees in a clear, adequate and ostensible manner:

• The specific purpose of the processing
• The duration and type of the processing
• Identification of the controller and contact information
• Information regarding the shared use of data
• Responsibilities of the data controllers
• The data subject’s rights (i.e employee’s rights)

Consent Management

If employers process employees' personal data relying on the basis of consent, they must collect and document that consent correctly as per Article 8 of the LGPD. The requirements of these records are as follows:

1. Employers must record the consent of employees for data processing
2. Employers are prohibited to process personal data if the consent is defective
3. Generic authorizations for processing personal data shall be considered void
4. Employees can revoke consent at any time
5. Processing carried out under previously given consent remains valid as long as there is no request for deletion
6. In case of a change in the purpose of processing of data, the employee must be notified of these changes and can revoke consent

Internal Assessment

When legitimate interest is leveraged as the lawful basis for processing employee data, the ANPD might request the employer to conduct a DPIA. Employers and associated processors must also keep records of processing activities. Under article 10, 37 and 38, the organization is required to conduct an internal assessment for each of their processing activities to ensure that proper security measures are in place.

Sensitive information and Processing

Every privacy law puts great emphasis on the sensitive personal data of an individual. This can be seen in laws such as the GDPR and CCPA where sensitive data has requirements separate from personal data.

As per the LGPD, sensitive personal data is personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data, when related to a natural person;

Under Article 11 of the LGPD, employers must only collect and process sensitive personal data for certain limited purposes or with specific consent of the employee. Due to these additional restrictions on sensitive personal data, employers must discover where they collect, store and process employee’s personal data to ensure they are in compliance with the LGPD.

Data Processors Obligations

Under Article 39 of the LGPD, the processor is bound to follow the instructions of the controller for any data processing activity and the controller must ensure its instructions are followed.

Cross-Border Transfer

Generally, personal data of individuals can only be transferred to third-party countries by organizations if:

• The third countries have adequate protections for the data as per LGPD requirements (assessed by ANPD)
• tThe employer undertakes safeguards (contractual clauses, binding corporate rules etc.)
• The data subject has provided explicit consent.

Data Breach Management

Data can be breached at any time and this puts the individual at risk. Apart from having security measures in place, organizations also need to have a breach management system in place to mitigate the damage of a data breach.

The systems used for processing personal data shall be adapted in order to meet the security requirements, standards of good practices and governance, general principles provided in this Law and other regulatory rules. Under article 48 of the LGPD and subsequent guidance by the ANPD, employers are required to inform the ANPD about any breach incidents which pose a risk of harm to the affected data subjects within 2 days.

Data Rights and DSR Fulfillment

Under article 17 and 18, individuals have the following rights in relation to their personal data:

1. Confirmation of the existence of processing of their personal data
2. Access to their personal data
3. Correction for incomplete, inaccurate or out-of-date personal data
4. Anonymization/blocking/deletion of their personal data
5. Portability of personal data to another service or product provider
6. Deletion of personal data processed with consent after processing is complete
7. Information about the private and public entities employer has shared data with
8. Information about the possibility of denying consent and consequences of such denial;
9. Revocation of consent for the processing of personal data
10. Oppose processing carried out on the basis of waiving of consent if the processing is not compliant with the LGPD
11. Request for the review of decisions made solely on the basis of automated processing which affect the data subject's interests, including decisions intended to define her/his personal, professional, consumer and credit profile, or aspects of her/his personality

Article 18 of the LGPD requires organizations to immediately adopt and fulfill employee DSR requests without cost to the employee, within a given time period and according to the terms provided in regulation.

Frequently Asked Questions (FAQs)