Do individuals have the right to access their personal information?
Data-protective jurisdictions tend to guarantee the right of individuals to contact an organization directly and find out whether personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.
General Data Protection Law
Employers are expected to provide individuals with clear information about how their data will be processed under the Brazilian General Data Protection Law (LGPD). This information should ideally be provided in a separate or highlighted notice of data processing. These details should be provided and available in a clear manner and include:
- the reason the data is being processed;
- the type and duration of the processing (with consideration given to commercial/industry secrets);
- the identity of the data controller (i.e., the employer);
- the controller’s contact information;
- information relating to how personal data may be shared (including international transfers) and the reason it may be shared;
- the responsibilities of the individuals who will process the data;
- the name and contact information of the Data Protection Officer; and,
- the employee’s rights as they relate to their data.
Data subjects have a number of rights relating to their personal data under the LGPD, including the right to:
- request confirmation of the processing of personal data;
- request access to their personal data;
- request that personal data is corrected and/or updated;
- request the anonymization, blocking or elimination of personal data that is unnecessary, excessive or processed in violation of the law;
- request the transfer of personal data to another service provider;
- request the deletion of personal data that was previously processed with their consent;
- request the identification of public and private entities to which the employer (or other company) disclosed personal data, or when a shared database containing their personal data was used; and,
- object to the processing of personal data.
With the exception of the right to confirmation of processing and the right to access, there are no regulations on how these rights can be exercised. The data protection authority is expected to issue more detailed requirements and insights in the future.
Personal data should be stored in a format that favors the right of access. When employers (or other data controllers) receive a request for access or confirmation of personal data processing, they must provide this information within 15 days of receiving the request (counting the date the employee made the request). Note that there are exceptions to these rights for commercial and industrial secrets.
Information should be provided in simple form immediately, or in a clear and complete statement. The response should indicate the origin of the data, the lack of registration (if applicable), criteria used and the processing purpose. The information should be provided electronically or in print, based on the employee’s (or other data subject’s) preference.
When processing originates from the consent of the employee (or other data subject) or via a contract, the individual may request a full electronic copy of the personal data in a format that allows subsequent use for other processing.
The data protection authority may change the deadlines for certain industries/sectors in the future (particularly for micro companies, small companies and startups).
HR Best Practices: Create a clearly defined process to give employees the ability to review and correct their personal data. When information can’t be shared or deleted due to legal requirements, employees should be informed of this in advance of the collection.
In the future, the data protection authority is expected to issue further regulations and model clauses.