Employee Data Privacy

Brazil - Employee Consent

 Download as a PDF

Do I have to obtain employees' consent in order to collect their personal data?

The processing of any personal data may impose obligations to the individuals the data is related to, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has raised questions and court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements.

scott-webb-199458There is some precedent for using consent to process data in Brazil. Under Brazil’s Internet Law (which applies generally to internet use), internet users must give their express consent in order for businesses to collect, use, store and process personal data. In addition, users should receive clear information about how their data will be stored, processed, used and protected. Personal data may only be used for purposes that were originally agreed to and only for reasons that justify the collection.


New General Data Privacy Law

The General Data Privacy Law (LGPD), which became effective August 2020, only allows the processing of personal employee data in certain cases. The approved reasons which will likely be most relevant for employers include:

  • the employee’s (i.e. the data subject’s) unambiguous consent;
  • when necessary to comply with a legal or regulatory obligation;
  • when necessary for the execution of a contract or preliminary procedures relating to a contract to which the employee is a party, at the request of that employee;
  • when exercising rights in judicial, administrative or arbitration proceedings; 
  • when necessary to fulfill the legitimate interest of the employer or third party, except when the employee’s fundamental rights which require personal data protection prevail; or,
  • to protect the life or physical safety of the data subject or third party.

Employers should not automatically choose to rely on consent when there are other lawful bases. It appears that Brazil may, similarly to European Union, take the position that employee consent in the context of employment may not be considered entirely freely given due to the unequal relationship between the employer and the employee. When consent is used as the lawful reason to process personal employee data, the consent should be given in writing or through another method that demonstrates the genuine consent of the employee. The consent should be specific to the data and purpose of the processing, and if provided in writing, it should be highlighted so it stands-out from other sections. Note that the burden of proof for consent is on the employer if it’s questioned in court. Employers who use consent will need to develop a process to obtain consent along with a way to allow employees to revoke their consent. Employers also need to be able to address and respond to other rights under the LGPD.

Employees should be provided with clear information, ideally in a separate or highlighted data processing notice, about personal data that’s being collected, including:

  • joshua-newton-210070the reason their data is being processed;
  • the type and duration of the processing;
  • the identity and contact information of the data controller (i.e., the employer);
  • information relating to data that’s being shared and the reason it’s being shared (including international transfers);
  • the responsibilities of the individuals who will carry out the data processing;
  • the name and contact information of the Data Protection Officer; and,
  • their data rights.

There are additional limitations when processing sensitive personal data. Sensitive data includes: racial/ethnic origin, religious belief, political opinions, trade union/religious/philosophical/political membership, health/sexual life, and genetic/biometric data. Sensitive personal data may be processed in certain instances, such as when:

  • employers receive the express, specific and distinct consent from the employee for processing personal data for a specific purpose;
  • the processing is indispensable for the employer’s compliance with a legal or regulatory obligation;
  • necessary for the employer to exercise rights in judicial, administrative or arbitration proceedings;
  • necessary for the protection of life or the physical safety of the owner or third party; or,
  • ensuring the prevention of fraud and the safety of the employee in processes of identification and authentication of registration in electronic systems (with some restrictions, including when the employee’s personal data rights and freedoms prevail over the employer’s rights).

Biometric data is frequently used by HR teams in Brazil to manage working hours. Employers will likely need to obtain the employee’s specific consent to continue to collect and process biometric data for the purpose of managing work hours.


HR Best Practices: Prior to collecting new personal employee data, assess whether the personal data collection is permitted and identify the legal basis for the collection. Clearly inform employees as to why you are collecting personal data in a separate or highlighted data processing notice.


UKG's HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where UKG's customers have employees. HR Compliance Assist is a service exclusively available to UKG customers.

Share Your Feedback

Let's Talk