Are there any restrictions on transferring personal data and how can these be overcome?
Cross-border data transfers affect all organizations that use online IT services, cloud-based services, remote access services and global HR databases. Understanding how lawful data transfer mechanisms apply is essential to validating recipients located in other countries.
Cross-border data transfers are not prohibited under Brazilian law. When transferring employee data, the Internet Law and other Brazilian laws which regulate data privacy should be followed. The Internet Law outlines that individuals have the right to privacy and confidentiality, regardless of where their personal data and communication records are processed. This applies to employers who have an establishment and/or employees located in Brazil.
Cross-border data transfers under the General Data Protection Law
Effective February 2020, the General Data Protection Law (LGPD) will set the standard for international data transfers in Brazil. Brazilian employers will be able to transfer employee data in cases including:
- when the data is being transferred to countries or international organizations that provide a level of protection that is deemed adequate under the LGPD;
- when the controller can prove compliance with the principles and rights that are outlined in the law via: a) contractual clauses (either standard or specific to a given transfer); b) global corporate rules; or c) regularly issued stamps, certificates and codes of conduct;
- when the employees have given their specific consent for the transfer, and they were given prior information about the international nature of the operation (i.e. they have specifically consented to their data being transferred internationally for the given purpose);
- when necessary to: comply with a legal or regulatory obligation of the employer; execute a contract or preliminary procedure relating to a contract to which the employee is a party (at the request of the employee); or protect the life or safety of the employee or a third party.
HR Best Practices: Note that more specific rules relating to data transfers may be introduced prior to the LGPD going into effect in early 2020. The use of applications in the cloud frequently results in the international transfer of employee data. Personal data should only be transferred outside Brazil when an adequate level of protection and privacy is ensured.
Led by PeopleDoc’s Chief Legal & Compliance Officer, the HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers, including the global law firm Morgan Lewis, to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where PeopleDoc’s customers have employees. HR Compliance Assist is a service exclusively available to PeopleDoc customers.