Products
By Use Cases By Roles
Data Command Center
View
Learn more

Asset and Data Discovery

Discover dark and native data assets

Learn more

Data Access Intelligence & Governance

Identify which users have access to sensitive data and prevent unauthorized access

Learn more

Data Privacy Automation

PrivacyCenter.Cloud | Data Mapping | DSR Automation | Assessment Automation | Vendor Assessment | Breach Management | Privacy Notice

Learn more

Sensitive Data Intelligence

Discover & Classify Structured and Unstructured Data | People Data Graph

Learn more

Data Flow Intelligence & Governance

Prevent sensitive data sprawl through real-time streaming platforms

Learn more

Data Consent Automation

First Party Consent | Third Party & Cookie Consent

Learn more

Data Security Posture Management

Secure sensitive data in hybrid multicloud and SaaS environments

Learn more

Data Breach Impact Analysis & Response

Analyze impact of a data breach and coordinate response per global regulatory obligations

Learn more

Data Catalog

Automatically catalog datasets and enable users to find, understand, trust and access data

Learn more

Data Lineage

Track changes and transformations of data throughout its lifecycle
Data Controls Orchestrator
View
Data Command Center
View
Sensitive Data Intelligence
View

Asset Discovery
Data Discovery & Classification
Sensitive Data Catalog
People Data Graph
Learn more

Privacy

Automate compliance with global privacy regulations

Data Mapping Automation

View

Data Subject Request Automation

View

People Data Graph

View

Assessment Automation

View

Cookie Consent

View

Universal Consent

View

Vendor Risk Assessment

View

Breach Management

View

Privacy Policy Management

View

Privacy Center

View

Learn more

Security

Identify data risk and enable protection & control

Data Security Posture Management

View

Data Access Intelligence & Governance

View

Data Risk Management

View

Data Breach Analysis

View

Learn more

Governance

Optimize Data Governance with granular insights into your data

Data Catalog

View

Data Lineage

View

Data Quality

View
Data Controls Orchestrator
View
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

Snowflake

View

AWS

View

Microsoft 365

View

Salesforce

View

Workday

View

GCP

View

Azure

View

Oracle

View

Learn more

Regulations

Automate compliance with global privacy regulations.

US California CCPA

View

US California CPRA

View

European Union GDPR

View

Thailand’s PDPA

View

China PIPL

View

Canada PIPEDA

View

Brazil's LGPD

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Privacy

View

Security

View

Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

What HR Need to Know About LGPD’s Employee Data Protection

By Securiti Research Team

Published August 15, 2021 / Updated September 26, 2023

The LGPD or the Lei Geral de Proteção de Dados Pessoais is a data privacy regulation that is devised to protect the privacy rights of individuals in Brazil.

This law imposes a streamlined set of obligations on organizations (public as well as private) who process personal data collected in Brazil, carry out personal data processing activities in Brazil, process personal data of individuals located in Brazil or process personal data for offering goods or services in Brazil.

The LGPD is inspired by the GDPR and has sixty-five articles which comprehensively cover all facets of data protection in Brazil. The law was passed on August 14, 2018, and went into effect on September 18, 2020. The LGPD will be enforced by the ANPD, the statutory and exclusive regulator - sanctions under the LGPD will be enforced from August 1st 2021.

Employee Data under the LGPD

Similar to GDPR, the LGPD protects employees data that is collected, stored or processed by an organization. There are a number of articles that specifically state the requirements with regards to employee’s individual data. Let's look at what each article states:

Employers’ Obligations

Article 6 discusses the employers’ obligations towards the processing of employees’ data and what they need to do in order to stay compliant. These obligations include:

Purpose of processing: Any processing of employees’ personal data must have a legitimate, specific, legal and explicit purpose.
Prevention of harm from processing: Employers must ensure that appropriate measures are taken to protect an employee's data from damage due to processing.
Adequacy of processing: The processing activity should adequately match up with what the stated purpose of the processing is.
Necessity of processing: Employers must limit the collection and processing of employees’ personal data to the minimum necessary for the stated purpose.
Accountability of processing: Employers must be able to demonstrate the adoption of measures capable of achieving compliance.
Maintenance of the Quality of Data: Employers must ensure the accuracy, clarity, relevancy and currentness of their employees’ personal data.

Article 7 of the LGPD also defines 10 legal grounds for processing personal data by organizations . Employers must ensure processing activities that involve employees’ personal data is covered by at least one of these legal bases and in compliance with the obligations required above.

If employers process employees' personal data relying on the basis of consent, they must collect and document that consent correctly as per Article 8 of the LGPD. The requirements of these records are as follows:

Employers must record the consent of employees for data processing
Employers are prohibited to process personal data if the consent is defective
Generic authorizations for processing personal data shall be considered void
Employees can revoke consent at any time
Processing carried out under previously given consent remains valid as long as there is no request for deletion
In case of a change in the purpose of processing of data, the employee must be notified of these changes and can revoke consent

Sensitive information and Processing

Every privacy law puts great emphasis on the sensitive personal data of an individual. This can be seen in laws such as the GDPR and CCPA where sensitive data has requirements separate from personal data.

As per the LGPD, sensitive personal data is personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data, when related to a natural person;

Under Article 11 of the LGPD, employers must only collect and process sensitive personal data for certain limited purposes or with specific consent of the employee. Due to these additional restrictions on sensitive personal data, employers must discover where they collect, store and process employee’s personal data to ensure they are in compliance with the LGPD.

Data Breach Management

Data can be breached at any time and this puts the individual at risk. Apart from having security measures in place, organizations also need to have a breach management system in place to mitigate the damage of a data breach.

The systems used for processing personal data shall be adapted in order to meet the security requirements, standards of good practices and governance, general principles provided in this Law and other regulatory rules. Under article 48 of the LGPD and subsequent guidance by the ANPD, employers are required to inform the ANPD about any breach incidents which pose a risk of harm to the affected data subjects within 2 days.

Data Rights and DSR Fulfillment

Under article 17 and 18, individuals have the following rights in relation to their personal data:

Confirmation of the existence of processing of their personal data
Access to their personal data
Correction for incomplete, inaccurate or out-of-date personal data
Anonymization/blocking/deletion of their personal data
Portability of personal data to another service or product provider
Deletion of personal data processed with consent after processing is complete
Information about the private and public entities employer has shared data with
Information about the possibility of denying consent and consequences of such denial;
Revocation of consent for the processing of personal data
Oppose processing carried out on the basis of waiving of consent if the processing is not compliant with the LGPD
Request for the review of decisions made solely on the basis of automated processing which affect the data subject's interests, including decisions intended to define her/his personal, professional, consumer and credit profile, or aspects of her/his personality

Article 18 of the LGPD requires organizations to immediately adopt and fulfill employee DSR requests without cost to the employee, within a given time period and according to the terms provided in regulation.

Conclusion

Data privacy laws such as the LGPD give employees the same rights to their personal data as consumers, which means that employers are going to get scrutinized over the employee data they store.

Achieving compliance through manual methods can be a struggle given the infinitely growing volume of data being collected by organizations. This is where Securiti comes in with automation to offer a simple and efficient road to compliance.

See how Secutiti can help your organization comply, request a demo today!

LGPD (Lei Geral de Proteção de Dados), Brazil's data protection law, applies to employees. Employers must comply with LGPD when collecting and processing personal data of their employees.

LGPD grants employees rights such as the right to access their personal data, the right to correct inaccuracies, the right to delete their data, and the right to object to processing under certain circumstances. Employees also have the right to be informed about data processing activities, among others

What HR Need to Know About LGPD’s Employee Data Protection

Employee Data under the LGPD

Employers’ Obligations

Privacy Notice Requirement

privacy notice

consent management

Internal Assessment

internal assessment

Sensitive information and Processing

sensitive information

Data Processors Obligations

cross border transfer

Cross-Border Transfer

Data Breach Management

Data Rights and DSR Fulfillment

Conclusion

Frequently Asked Questions (FAQs)

Securiti for Workday

More Stories that May Interest You

Newsletter

Company

Resources

Terms

Get in touch

What HR Need to Know About LGPD’s Employee Data Protection

Employee Data under the LGPD

Employers’ Obligations

Privacy Notice Requirement

privacy notice

Consent Management

consent management

Internal Assessment

internal assessment

Sensitive information and Processing

sensitive information

Data Processors Obligations

cross border transfer

Cross-Border Transfer

Data Breach Management

Data Rights and DSR Fulfillment

Conclusion

Frequently Asked Questions (FAQs)

Securiti for Workday

Schedule a LIVE One-on-One Demo

Join Our Newsletter

Share

More Stories that May Interest You

Employer Obligations on Employee Data Under Indian Law

The HR Guide to Employee Data Protection

Understanding Valid Consent Requirements A Closer Look at the Draft Guidelines Issued by the Quebec Data Protection Authority

Newsletter

Company

Resources

Terms

Get in touch