Do individuals have the right to access their personal information?
Data-protective jurisdictions tend to guarantee the right of individuals to contact an organization directly and find out whether personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.
Currently, the Federal Constitution gives Brazilian citizens and residents the general right to access and correct their personal information. Separately, the Consumer Protection Code (Law 8078, 1990) gives consumers the right to access and request corrections/deletion of personal data that has been collected.
General Data Protection Law
Once the Brazilian General Data Protection Law goes into effect in February 2020, employers will be expected to provide individuals with clear information about how their data will be processed. These details should be provided and available in a clear manner and include:
- the reason the data is being processed;
- the type and duration of the processing (with consideration given to commercial/industry secrets);
- the identity of the data controller (i.e., the employer);
- the controller’s contact information;
- information relating to how personal data may be shared and the reason it may be shared;
- the responsibilities of the individuals who will process the data; and
- the employee’s rights as they relate to their data.
When requested, access to personal data should be provided to employees within 15 days from their request (employees can elect either paper or electronic form). When consent is used as the method to collect the employee data, note that the employee can request a complete electronic copy (subject to commercial/industry secrecy) in a format that allows the data to be used for other processing operations.
Data subjects can request that their personal data be deleted and corrected (with some exclusions). Employers can deny deletion requests in certain circumstances, including when necessary to comply with a legal or regulatory obligation and when the data has been anonymized.
HR Best Practices: Create a clearly defined process to give employees the ability to review and correct their personal data. When information can’t be shared or deleted due to legal requirements, make sure employees are properly informed in advance of the collection. Additional rules relating to employee access may come out prior to the law going into effect in February 2020.
Led by PeopleDoc’s Chief Legal & Compliance Officer, the HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers, including the global law firm Morgan Lewis, to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where PeopleDoc’s customers have employees. HR Compliance Assist is a service exclusively available to PeopleDoc customers.