IDC Names Securiti a Worldwide Leader in Data Privacy


What HR Need to Know About LGPD’s Employee Data Protection

By Securiti Research Team
Published August 15, 2021 / Updated September 26, 2023

The LGPD or the Lei Geral de Proteção de Dados Pessoais is a data privacy regulation that is devised to protect the privacy rights of individuals in Brazil.

This law imposes a streamlined set of obligations on organizations (public as well as private) who process personal data collected in Brazil, carry out personal data processing activities in Brazil, process personal data of individuals located in Brazil or process personal data for offering goods or services in Brazil.

The LGPD is inspired by the GDPR and has sixty-five articles which comprehensively cover all facets of data protection in Brazil. The law was passed on August 14, 2018, and went into effect on September 18, 2020. The LGPD will be enforced by the ANPD, the statutory and exclusive regulator - sanctions under the LGPD will be enforced from August 1st 2021.

Employee Data under the LGPD

Similar to GDPR, the LGPD protects employees data that is collected, stored or processed by an organization. There are a number of articles that specifically state the requirements with regards to employee’s individual data. Let's look at what each article states:

Employers’ Obligations

Article 6 discusses the employers’ obligations towards the processing of employees’ data and what they need to do in order to stay compliant. These obligations include:

  1. Purpose of processing: Any processing of employees’ personal data must have a legitimate, specific, legal and explicit purpose.
  2. Prevention of harm from processing: Employers must ensure that appropriate measures are taken to protect an employee's data from damage due to processing.
  3. Adequacy of processing: The processing activity should adequately match up with what the stated purpose of the processing is.
  4. Necessity of processing: Employers must limit the collection and processing of employees’ personal data to the minimum necessary for the stated purpose.
  5. Accountability of processing: Employers must be able to demonstrate the adoption of measures capable of achieving compliance.
  6. Maintenance of the Quality of Data: Employers must ensure the accuracy, clarity, relevancy and currentness of their employees’ personal data.

Article 7 of the LGPD also defines 10 legal grounds for processing personal data by organizations . Employers must ensure processing activities that involve employees’ personal data is covered by at least one of these legal bases and in compliance with the obligations required above.

Securiti’s data mapping solution helps organizations meet data privacy compliance requirements through automatic discovering and mapping of data within assets and processing activities.

Privacy Notice Requirement

Article 9 of the LGPD further explains what information employers need to provide to their employees in a clear, adequate and ostensible manner:

  • The specific purpose of the processing
  • The duration and type of the processing
  • Identification of the controller and contact information
  • Information regarding the shared use of data
  • Responsibilities of the data controllers
  • The data subject’s rights (i.e employee’s rights)

privacy notice

Revamp your privacy notice and simplify the creation process with Securiti’s Privacy Policy & Notice Management. This module can help you manage your privacy notices and keep them in line with the requirements set by privacy regulations.

If employers process employees' personal data relying on the basis of consent, they must collect and document that consent correctly as per Article 8 of the LGPD. The requirements of these records are as follows:

  1. Employers must record the consent of employees for data processing
  2. Employers are prohibited to process personal data if the consent is defective
  3. Generic authorizations for processing personal data shall be considered void
  4. Employees can revoke consent at any time
  5. Processing carried out under previously given consent remains valid as long as there is no request for deletion
  6. In case of a change in the purpose of processing of data, the employee must be notified of these changes and can revoke consent

consent management

Securiti offers organizations with a consent management solution to honor consent of all their employees. The solution allows organizations to to build customized

Internal Assessment

When legitimate interest is leveraged as the lawful basis for processing employee data, the ANPD might request the employer to conduct a DPIA. Employers and associated processors must also keep records of processing activities. Under article 10, 37 and 38, the organization is required to conduct an internal assessment for each of their processing activities to ensure that proper security measures are in place.

internal assessment

Securiti incorporates AI to enable Assessment Automation (PIAs, DPIAs, Readiness Assessments, Transfer Impact Assessments) to trigger and conduct risk-based assessments. It can further enable organizations to mitigate data exposures, remediate misconfigurations and discover risks within your organization.

Sensitive information and Processing

Every privacy law puts great emphasis on the sensitive personal data of an individual. This can be seen in laws such as the GDPR and CCPA where sensitive data has requirements separate from personal data.

As per the LGPD, sensitive personal data is personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data, when related to a natural person;

Under Article 11 of the LGPD, employers must only collect and process sensitive personal data for certain limited purposes or with specific consent of the employee. Due to these additional restrictions on sensitive personal data, employers must discover where they collect, store and process employee’s personal data to ensure they are in compliance with the LGPD.

sensitive information

Securiti’s Sensitive Data intelligence Solution allows organizations to discover and catalog sensitive data within their data stores and implement adequate security measures to protect this data from breach.

Data Processors Obligations

Under Article 39 of the LGPD, the processor is bound to follow the instructions of the controller for any data processing activity and the controller must ensure its instructions are followed.

cross border transfer

When assessing the risk associated with a third-party vendor, organizations need to consider three main points; data protection, privacy violations, and respect for consumers' data. Securiti helps organizations automate this process.

Cross-Border Transfer

Generally, personal data of individuals can only be transferred to third-party countries by organizations if:

  • The third countries have adequate protections for the data as per LGPD requirements (assessed by ANPD)
  • tThe employer undertakes safeguards (contractual clauses, binding corporate rules etc.)
  • The data subject has provided explicit consent.

Securiti's assessment automation and data mapping solutions can help organization discover cross-border data flows and conduct transfer assessments to maintain the safety and integrity of their data

Data Breach Management

Data can be breached at any time and this puts the individual at risk. Apart from having security measures in place, organizations also need to have a breach management system in place to mitigate the damage of a data breach.

The systems used for processing personal data shall be adapted in order to meet the security requirements, standards of good practices and governance, general principles provided in this Law and other regulatory rules. Under article 48 of the LGPD and subsequent guidance by the ANPD, employers are required to inform the ANPD about any breach incidents which pose a risk of harm to the affected data subjects within 2 days.

Securiti offers Data Breach Management (Data Breach Automated Notification, Data Breach Assessment) to monitor breaches and notify data subjects in a timely manner).

Data Rights and DSR Fulfillment

Under article 17 and 18, individuals have the following rights in relation to their personal data:

  1. Confirmation of the existence of processing of their personal data
  2. Access to their personal data
  3. Correction for incomplete, inaccurate or out-of-date personal data
  4. Anonymization/blocking/deletion of their personal data
  5. Portability of personal data to another service or product provider
  6. Deletion of personal data processed with consent after processing is complete
  7. Information about the private and public entities employer has shared data with
  8. Information about the possibility of denying consent and consequences of such denial;
  9. Revocation of consent for the processing of personal data
  10. Oppose processing carried out on the basis of waiving of consent if the processing is not compliant with the LGPD
  11. Request for the review of decisions made solely on the basis of automated processing which affect the data subject's interests, including decisions intended to define her/his personal, professional, consumer and credit profile, or aspects of her/his personality

Article 18 of the LGPD requires organizations to immediately adopt and fulfill employee DSR requests without cost to the employee, within a given time period and according to the terms provided in regulation.

Securiti offers the DSR Automation Solution to enable simplified fulfillment of individuals data subject requests.The solution recruits the help of automated processes to help enterprises swiftly respond to data subject requests and enable coordination between stakeholders for reviews and approvals.


Data privacy laws such as the LGPD give employees the same rights to their personal data as consumers, which means that employers are going to get scrutinized over the employee data they store.

Achieving compliance through manual methods can be a struggle given the infinitely growing volume of data being collected by organizations. This is where Securiti comes in with automation to offer a simple and efficient road to compliance.

See how Secutiti can help your organization comply, request a demo today!

Frequently Asked Questions (FAQs)

LGPD (Lei Geral de Proteção de Dados), Brazil's data protection law, applies to employees. Employers must comply with LGPD when collecting and processing personal data of their employees.

LGPD grants employees rights such as the right to access their personal data, the right to correct inaccuracies, the right to delete their data, and the right to object to processing under certain circumstances. Employees also have the right to be informed about data processing activities, among others

Securiti for Workday

Security | PrivacyOps | Governance | Compliance

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


More Stories that May Interest You

At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.


Gartner Cool Vendor Award Forrester Badge IAPP Innovation award 2020 IDC Worldwide Leader RSAC Leader CBInsights Forbes Security Forbes Machine Learning G2 Users Most Likely To Recommend