The processing of any personal data may impose obligations to the individuals the data is related to, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has raised questions and court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements.
Until the new General Data Privacy Law goes into effect, consent is not specifically required in the HR context in Brazil. Under the Federal Constitution, both Brazilians and foreigners residing in Brazil have the right to “private life, honor and reputation” and may be compensated if these rights are violated.
There is some precedent for using consent to process data in Brazil. Under Brazil’s Internet Law (which applies generally to internet use), internet users must give their express consent in order for businesses to collect, use, store and process personal data. In addition, users should receive clear information about how their data will be stored, processed, used and protected. Personal data may only be used for purposes that were originally agreed to and only for reasons that justify the collection.
Starting in early 2020, once the new General Data Privacy Law goes into effect, personal employee data can only be processed in certain cases. The approved reasons which will likely be most relevant for employers include:
the employee’s (i.e. the data subject’s) unambiguous consent;
Consent from an employee (or other data subject) should be given in writing or through another method that demonstrates the genuine consent of the employee. The consent should be specific to the data that is being processed, and if consent is provided in writing, it should be highlighted so it stands-out from other sections. Note that the burden of proof for consent is on the employer if it's questioned in court.
Employers who use consent will need to develop a process to obtain consent along with a way to allow employees to revoke their consent at a later date.
Employees should have access to information relating to their personal data that’s being collected, including:
There are additional limitations when processing sensitive personal data. Sensitive data includes: racial/ethnic origin, religious belief, political opinions, trade union/religious/philosophical/political membership, health/sexual life, and genetic/biometric data.
Sensitive personal data may be processed in a few instances, including when:
HR Best Practices: Start preparing for the new General Data Protection Law by compiling the data that you collect on employees and identifying the legal basis for the collection. Clearly inform employees as to why you are collecting personal data.
Led by PeopleDoc’s Chief Legal & Compliance Officer, the HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers, including the global law firm Morgan Lewis, to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where PeopleDoc’s customers have employees. HR Compliance Assist is a service exclusively available to PeopleDoc customers.
