The New General Law of Data Protection (LGPD) innovates how the personal data must be processed by companies in Brazil. Inspired by the European General Data Protection Regulation (GDPR), the Brazilian law establishes the parameters according to which companies can process personal data, that until then was not properly regulated by applicable legislation. This means that companies will need to perform significant changes in order to comply with the new legislation.

The non-compliance with the legislation may result in a fine of 2% of the companies' local income, up to BRL 50,000.000,00, but above all, it may impact the company's image and the reliability it inspires in the market.

Therefore, it is essential that the Legal and Human Resources departments are trained and capable of performing the processing of personal data according to the legal parameters. Some relevant points that should be noted are:

1) 10 Hypotheses in which the processing of data is allowed

  1. upon consent of the holder;
  2. for compliance with a legal or regulatory obligation by the controller;
  3. by the government, for processing and shared use of data necessary for the execution of public policies established by laws and regulations or established by contracts, agreements or similar documents;
  4. for studies to be developed by a research entity, in which it must be ensured, whenever possible, the anonymization of personal data;
  5. when necessary for the execution of a contract or preliminary procedures related to a contract, in which the holder is one of the parties, upon his/her request;
  6. for the regular exercising of rights in judicial, administrative or arbitral proceedings, the latter under the terms of the Arbitration Law;
  7. for the protection of life or physical security of the holder or third party;
  8. for health protection, in a procedure performed by health professionals or by health authorities;
  9. whenever necessary to meet the legitimate interests of the controller or of a third party, except in case the  fundamental and freedom rights of the holder require the protection of personal data; or
  10. for credit protection, including in what regards the specific legislation.

CONSENT: Companies shall evaluate the need of obtaining consent. This is because the consent must be obtained in a free, clear and explicit way with specific and transparent purpose, otherwise its invalidity may be alleged. In addition, the holder has the right to revoke the consent at any time.

2) Data collection and protection

The LGPD resulted in an important innovation in comparison to the GDPR, which is the possibility of retaining data after its processing, such as in the case of former employees, provided that it has the following purposes:

I – Compliance with a legal or regulatory obligation by the controller;

II – Studies conducted by a research entity, ensured whenever possible, the anonymization of personal data;

III – Transfer to a third party, provided that it is in accordance with the legislation in force; and

IV – Exclusive use by the controller and the data must be anonymized. The access by a third party is forbidden.

Except in those cases, the data must be deleted after processing. In case of resumes received by the company, a reasonable maximum period for the retention of data must be observed, which shall occur in a consented and pre-determined manner, considering the conditions of the job  for which the candidate has demonstrated interest and decided to provide the personal data by submitting the resume. The Retention Policy for personal data is certainly of great importance for companies.

3) Employee data protection

Pursuant to the new Law, responsibilities have been assigned for those who process the data of any individual. And, as a result, adopting this concept into employment relationships, it is evident that employers - or even services borrowers- will have to proceed with the proper collection, storage and processing of data from those who render services on their behalf.

The use of employee's data by companies is a common practice, for example, for establishing internal policies and for analysis of benefits to be granted by companies to their employees.

That is to say that since the selection process (when the individual provides the company a large number of data), passing through the hiring (when several documents will be provided and it must be required the prior consent of the data processing, i.e., through an explicit clause in the employment contract), until the moment of termination.

The retaining of employee data by companies after the termination of the employment contract is lawful and established by the LGPD, in accordance with labor legislation, as such data may be necessary for the fulfillment of legal obligations or even for the regular exercise of rights in judicial, administrative or arbitration proceedings.

LABOR STATUTE OF LIMITATION: The labor statute of limitation must be considered for data protection purposes. According to the Federal Constitution, the right to file a lawsuit expires in 2 years after the termination of the employment contract and employees may claim rights related to the past 5 years counting from the date of filing the lawsuit.

It is important to remark that companies will only be able to share the data of these employees with third parties (i.e., for bank accounts, health plans, corporate cards) if these limits are observed, otherwise, it may be characterized the violation of LGPD and labor legislation due to a potential abuse of right.

In addition to the necessary attention regarding the hypotheses and procedures for the processing of employee's data, a particular attention should be given to personal data considered as "sensitive data", which shall only be processed when strictly necessary.

4) Sensitive Data

Sensitive data, which was already protected by Brazilian legislation and jurisprudence rendered by Brazilian labor courts is currently also considered as data of maximum protection by the LGPD. The processing of any information of this type will be more restrict, which limits  the use of such information, for example, in labor lawsuits. It is worth noticing that part of the labor decisions rendered by Brazilian courts used to held the understanding  that the use of confidential personal data by companies in their defenses was abusive.

As from August 16, 2020, when the LGPD will come into force, all companies shall review such abusive practices in its employment relationships, because, in addition to breach the Federal Constitution and labor legislation, they will also be violating the protection of sensitive data of the employees, whenever the use or operation of the data does not enter into any of the hypotheses that would legitimize its processing.

The LGPD will require companies to re-evaluate: (i) their security practices; (ii) internal policies; (iii) codes of ethics, among others, including the actual need to process certain sensitive data.

GOLDEN RULE: Evaluate the real necessity for the company to process sensitive personal data. If it is not strictly necessary, the company will be taking unnecessary risks, which may reach the civil, labor and even criminal.

5) Outsourcing

The new labor legislation permits companies to outsource its core business, i.e., the ones considered essential for the operations of the company, which was also confirmed by the Federal Supreme Court (STF).

Therefore, in cases of outsourcing, controversial situations may arise due to possible confusion between actual beneficiaries of these data in employment relationships or persons authorized to process the data of employees or outsourced workers.

SUBSIDIARY LIABILITY x JOINT LIABILITY: Despite the liability of the services borrowers for not paying labor credits is subsidiary, LGPD expressly sets forth that the liability for data protection and processing shall be joint. Therefore, the services borrower and the outsourcing company must adopt measures together for ensuring the employee data security and protection. 

The services agreements executed with outsourcing companies shall be carefully drafted for establishing the responsibilities of each party - services borrower and outsourcing company - not only for preventing labor liabilities, but also to improve the management of data protection by all parties, mitigating their liability, according to the LGPD.

The services borrowers shall be even more diligent when hiring outsourcing companies for ensuring its realibility not only in the financial and labor-related aspects, but also that these companies are reliable and concerned about the regular processing of their employees' data.

Visit us at mayerbrown.com

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2019. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.