Does the LGPD absolutely restrict the sharing of sensitive data between contractors?

Luciana Magnolo Onofre
Lawyer at Marcos Martins Advogados

Not always! Let me explain:

The General Personal Data Protection Law (LGPD), Law No. 13,709/18, brought a new guideline regarding the form and adequacy of the processing of personal data by individuals or legal entities. The main purpose of the law is to protect individuals’ fundamental rights to freedom and privacy.

With the advent of the Law, many companies set out to adapt their systems, behaviors and policies, but often without a proper understanding of the rule. Out of a strong fear of penalties for non-compliance with the law, some companies have started to restrict the flow of information, whether sensitive data or not, that is necessary to fulfill their contractual obligations arising from legal relationships with partners, service borrowers, service providers, suppliers, among others.

The exchange of data and information is an essential condition for establishing legal relationships, whether as a way of subsidizing the eventual provision of services or as a means of monitoring the regularity of those with whom you are contracting.

Subject to the limits established in the legislation and provided that they are inherent to the legal relationship established, there is no obstacle to sharing documents that contain personal information about employees, directors or partners, since permission is presumed as a result of an established legal relationship.

Article 7 of Law No. 13,709/2018 establishes this:

Art. 7 The processing of personal data may only be carried out in the following cases:
I – upon the provision of consent by the data subject;
II – for compliance with a legal or regulatory obligation by the controller;
(…)
IX – when necessary to meet the legitimate interests of the controller or a third party, except in the event that the fundamental rights and freedoms of the data subject that require the protection of personal data prevail; or
(…)

In this way, companies can process and share the data of their employees and service providers, within the limits required and authorized by law, always taking great care in this sharing, which should only be done with those who actually need to receive such data.

On the other hand, it should also be pointed out that in a legal relationship involving the provision of services, the company that takes on the services has not only the right but also the duty to monitor the regularity of the service provider, under penalty of being held subsidiarily or even jointly and severally liable for compliance with labor and tax obligations. In this sense, there is undoubtedly a duty on the part of the service provider to share data with the borrower, without this infringing the law.

Therefore, in legal transactions, both sides must act jointly to guarantee the protection and care of the data shared between them.

Although the LGPD allows the transit of this data between contractors, it also imposes joint and several liability in situations of exposure and leakage of sensitive data that go beyond the limits established in the legislation, or even of data that is not relevant or necessary to the legal relationship established.

The Marcos Martins Law Firm reaffirms its commitment as a Business Partner, seeking strategic solutions, always aware of the legal changes that impact its clients and meeting their needs.
