Does HR data processing require registration under data protection laws?
Data protection laws sometimes include conformity assessments, which help to ensure businesses follow regulations. Requirements can include registration with the Data Protection Authority and random audits.
Brazil’s General Data Privacy Law (LGPD) does not include a registration requirement. That said, Brazil’s data protection authority (ANPD) can require that employers and other data controllers submit impact reports when the general principles of processing personal data under the law are at risk, particularly when processing is based on the company’s legitimate interest. Employers and other data controllers are required to retain records of personal data processing operations. In the event an impact report is required, it should contain at minimum:
- a description of the types of data being collected;
- the method(s) used for collecting/processing personal data;
- the method(s) used to ensure the data is being secured; and
- the employer’s analysis of measures that have been adopted to safeguard the data and mitigate risk.