Do individuals have the right to access their personal information?
Data-protective jurisdictions tend to guarantee the right of individuals to contact an organization directly and find out whether personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.
Currently, the Federal Constitution gives Brazilian citizens and residents the general right to access and correct their personal information. Separately, the Consumer Protection Code (Law 8078, 1990) gives consumers the right to access personal data that has been collected and to request its correction or deletion.
General Data Protection Law
Once the Brazilian General Data Protection Law goes into effect in August 2020, employers will be expected to provide individuals with clear information about how their data will be processed. These details should be readily available, presented in a clear manner, and include:
- the reason the data is being processed;
- the type and duration of the processing (with consideration given to commercial/industry secrets);
- the identity of the data controller (i.e., the employer);
- the controller’s contact information;
- information relating to how personal data may be shared and the reason it may be shared;
- the responsibilities of the individuals who will process the data; and
- the employee’s rights as they relate to their data.
When requested, access to personal data should be provided to employees within 15 days of their request (employees can elect either paper or electronic form). When consent is the basis on which the employee data was collected, note that the employee can request a complete electronic copy (subject to commercial/industry secrecy) in a format that allows the data to be used for other processing operations.
Data subjects can request that their personal data be deleted and corrected (with some exclusions). Employers can deny deletion requests in certain circumstances, including when necessary to comply with a legal or regulatory obligation and when the data has been anonymized.
HR Best Practices: Create a clearly defined process to give employees the ability to review and correct their personal data. When information can’t be shared or deleted due to legal requirements, employees should be informed of this in advance of the collection. Additional rules relating to employee access may come out prior to the law going into effect in August 2020.