16/09/2021

Article – Brazil: An analysis of the adequacy of the LGPD and labour laws in the work environment

Source: OneTrust Data Guidance

Within employment relationships, an employer may process a large amount of personal data concerning its employees, and in this context it must comply with Law No. 13.709 of 14 August 2018, the General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) (‘LGPD’), as well as with Brazilian labour law. Tatiana Bhering Serradas Bon de Sousa Roxo and Bianca Medalha Mollicone discuss the relationship between data processing in the work environment and the LGPD, and which legal grounds need to be considered when processing employee data.

Legal grounds under the LGPD

The LGPD lists ten legal bases on which personal data may be processed:

  • data subject consent;
  • when processing is necessary for compliance with a legal or regulatory obligation to which the controller is subject (such as reporting an employee’s earnings and withholding tax to the tax authorities, or reporting the social security contributions collected and paid by the organisation to the national social security institute);
  • by the public administration for the data processing and shared use of data necessary for the implementation of public policies provided for in laws and regulations or supported by contracts, agreements, or similar instruments;
  • to carry out studies by a research body, guaranteeing, whenever possible, personal data anonymisation;
  • when data processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract;
  • for the regular exercise of rights in judicial, administrative, or arbitral proceedings;
  • for the protection of a life or the physical security of the data subject or a third party;
  • for the protection of health, exclusively, in a procedure performed by health professionals, health services or health authority;
  • when necessary for the purposes of the legitimate interest pursued by the controller or by a third party, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection of personal data; and
  • for credit protection, including the provisions of the applicable legislation.

In labour relationships, the legal grounds normally relied on are compliance with a legal or regulatory obligation to which the controller is subject, performance of a contract to which the data subject is a party, and the regular exercise of rights in judicial, administrative, or arbitral proceedings.

It is important to highlight that the personal data processed for the performance of a contract needs to comply with the data minimisation principle: data must be necessary and appropriate for the purposes of the execution of the contract.

Another legal basis commonly used by controllers in the context of HR management is legitimate interest, provided that the interests and the fundamental rights and freedoms of the employee are not disregarded.

As regards the controller’s legitimate interest, it can only justify the processing of personal data for legitimate purposes, assessed in light of concrete situations, which include, but are not limited to: (i) support and promotion of the controller’s activities; and (ii) protection, in relation to the data subject, of the regular exercise of his/her rights or the provision of services that benefit him/her, respecting his/her legitimate expectations and fundamental rights and freedoms.

Whenever data processing is based on the controller’s legitimate interest, only the personal data strictly necessary for the intended purpose may be processed, and the controller must adopt measures to guarantee the transparency of processing carried out on this legal ground. The controller should perform a legitimate interest assessment (‘LIA’), which consists mainly of three tests, in order to determine whether that legal basis can be used: the legitimacy of the interest; the necessity test; and the balancing test.

Therefore, considering the imbalanced relationship between the employer and employees, it is important that the controller be careful when analysing the legitimate interest, especially regarding the balancing test.

The LGPD contains a specific article (Article 11) regulating the legal grounds for the processing of sensitive data, such as biometrics.

In labour relationships, the legal bases under which sensitive data may be processed are: consent; compliance with a legal or regulatory obligation; the regular exercise of rights in judicial, administrative, or arbitral proceedings; the protection of life or the physical safety of the data subject or a third party; or the prevention of fraud and the security of the data subject in the identification and authentication processes of registration in electronic systems, except where the fundamental rights and liberties of the data subject prevail and require protection of personal data.

Considering this, sensitive data within labour relationships will typically be processed for the purposes of a legal or regulatory obligation, for the regular exercise of rights in different proceedings, or with the data subject’s consent.

However, there are some legal bases that must be carefully analysed in labour relationships, considering the imbalance that exists between employers and employees and the need to comply with labour laws.

Consent is an important concept of the LGPD and may also be invoked in the HR context, but only on certain exceptional occasions.

To grant valid consent under the LGPD, the data subject must be fully informed of the nature and scope of the processing, including a full understanding of how the information will be processed, used, and transferred to other entities. Prior to the entry into force of the LGPD, many companies relied on employees’ consent to process their personal data, and short consent clauses were often included in the employment contract. Under the LGPD, however, valid consent must be free, specific, informed, unequivocal, and revocable.

In the labour context, employees are only very rarely able to freely give, refuse, or revoke their consent, given the clear imbalance of power that results from the relationship between employer and employee. Consent can only be considered freely given if the acceptance or rejection of personal data processing has no consequences for the employee’s situation. Hence, it will be challenging for employers to rely on consent to process employees’ personal data under LGPD.

Employers should review the legal basis used for processing employee data and consider whether it will still be appropriate to rely on consent.

If an employee wants to withhold consent from the employer, there is always the possibility that the employee will anticipate repercussions from doing so. This undermines the employee’s free will to give consent, as he/she may consent simply to avoid unpleasant situations or falling out with the employer. Moreover, consent is often obtained at the beginning of the employment relationship: to get the job, the employee usually has to sign the employment contract and consent to the processing of his/her personal data at the same time.

This means that consent does not provide a valid legal ground unless the employee has a genuinely free choice to give and revoke it, with no repercussions for his/her position. Consent should therefore be avoided where there is an imbalance of power, as in the employment relationship, or where a withdrawal of consent would be problematic.

However, there may be situations in which processing an employee’s personal data on the basis of the employee’s consent is lawful, especially where the processing is in the employee’s interest and there are no negative consequences if consent is refused.

The LGPD lists some special requirements for consent. Besides being freely given, informed, and unequivocal, consent must be provided in writing or by another means that demonstrates the data subject’s intention. If provided in writing, consent must be set out in a separate clause of the contract or in a separate statement. It is crucial to keep in mind that the controller bears the burden of proving that consent was obtained in accordance with the LGPD, and that consent must refer to specific purposes: generic authorisations for the processing of personal data are void. Consent may be revoked at any time upon the express manifestation of the data subject.

Additionally, if there is any change to the purpose, form, or duration of the processing, to the identity of the controller, or to the use the controller makes of the data, the controller must inform the data subject, highlighting the content of the changes in a clear manner, so that the data subject, where his/her consent is required, may revoke it if he/she disagrees with the change.

The circumstances surrounding consent in the HR context must be assessed carefully. To comply with the LGPD, companies should review their employment contracts and any freestanding employee data processing consents, replacing, when necessary and appropriate, the consent language in these documents by language referencing the alternative legal basis.

Finally, it is important to stress that the data subject has the right to object to processing carried out under one of the legal bases that do not require consent, where the processing does not comply with the provisions of the LGPD.

Biometrics in the labour context and the LGPD

In Brazil, it is common to use biometrics (sensitive data) to control working hours, but how can this sensitive data be lawfully processed?

In light of the above, the processing of biometric data in the labour context should not rely on consent as its legal ground: the consent would not be freely given, and its refusal would have negative consequences for the employee.

However, the processing of biometric data can comply with the LGPD when it is carried out on the legal basis of ‘compliance with a legal or regulatory obligation’, given that companies with more than 20 employees are obliged to control their employees’ working hours.

Additionally, Ordinance 1510/2009 issued by the Ministry of Labour and Employment, also known as the ‘Electronic Clock-in Law’, regulates the electronic system used to control working hours; because of the requirements inherent to this control, the system is considered more secure and less susceptible to fraud. Ordinance 373/2011, also issued by the Ministry of Labour and Employment, allows companies to use alternative systems for controlling working hours where authorised by a collective labour convention.

However, it is reasonable to read this as applying to large companies, which face a greater challenge in controlling working hours and may therefore use a system that requires sensitive data.

Monitoring and use of personal devices at work

Regarding the monitoring of company devices and of personal devices used at work, employers are advised to adopt clear monitoring policies, alongside their privacy policies, and to communicate effectively to employees how company devices are monitored.

These policies must be easily and permanently accessible to all employees, so as to guide them on the acceptable and unacceptable use of networks and other ICT resources. Such a policy should be reviewed from time to time to assess whether less invasive tools or means are available to achieve the same purposes.

If employees use their own personal devices (mobile phones, laptops, tablets) for work, it is also advisable to have a Bring-Your-Own-Device (‘BYOD’) policy, together with Mobile Device Management (‘MDM’) technology, to protect the integrity and confidentiality of the personal data processed by the company on those devices.

Employers should be aware of the risk arising from the over-collection of data by monitoring systems. The increasing amount of personal data generated in the work environment, combined with new data analysis techniques, increases the risk of further processing that is incompatible with the original purpose.

A great deal of personal data is processed in labour relationships, which highlights the importance of ensuring that the new routines adopted in HR comply with Brazilian data protection and labour laws.
