Luara Rezende
Lawyer at Marcos Martins Advogados
The General Personal Data Protection Act (LGPD) has a direct impact on labor relations. As far as the labor sphere is concerned, the application of the LGPD encompasses the phases prior to the conclusion of the contract, such as the collection of information about the candidate, the curriculum, the background, among others, up to the execution of the employment contract. It is therefore necessary to understand the impacts of the law on employment routines and contracts, including the pre-contractual, contractual and post-contractual phases.
Even if a company provides services or sells products exclusively to legal entities, we must not forget that companies are made up of people. These people (employees, collaborators, directors, service providers, representatives, etc.) are also data subjects under the LGPD and must have their personal and sensitive data protected.
Thus, within employment relationships, considering that there is a lot of traffic in this type of information, it is necessary for any and all companies to comply with the LGPD. Let’s see:
Under the terms of the LGPD, the data that needs to be protected includes personal data – such as one’s name, address, education, curriculum vitae, parents’ names, age, e-mail address, marital status – as well as sensitive personal data such as membership of trade unions or religious, philosophical or political organizations and data relating to health.
Thus, for the purposes of the LGPD, we have:
- Data subject – the employee or service provider who supplies the information to the employer; and
- Data Controller/Operator – the employer, who must make the necessary decisions about processing.
Here, it is extremely important to say that there is no manual for adapting to the LGPD. Each company will have to check its processes and procedures internally, with a multidisciplinary team, to identify the need to change one procedure or reinforce another. This is because each company has a different flow of information, depending on its size, number of employees and processes. So internal mapping is essential.
We believe that, when reviewing internal processes and procedures for processing data, the employer and/or contractor should ask themselves the following questions:
- What personal data am I collecting?
- Why am I collecting this data?
- What is the purpose of processing this data?
- Is there a legal basis for the collection and processing?
- Do I need the data subject’s consent?
- Can I share this data?
- When should I dispose of it?
As we saw in the Introduction, there is no need for consent when the processing of data arises from a legal obligation or for the performance of a contract. The law also defines some specific situations where consent is not required:
- regular exercise of rights in legal proceedings (Article 7, VI, and Article 11, II, point “d” – use of data in a labor claim, for example);
- for the protection of the life and physical safety of the data subject (Article 7, VII, and Article 11, II, point “e” – in the event of an accident and referral to hospital, for example).
However, even if there is a legal basis for processing the data, it must be processed correctly and safely, so even with the legal obligation, there is the possibility of incurring sanctions if the processing is inadequate.
In this case, it is important to note that the employer must comply internally, but also externally, insofar as some of the personal data or sensitive personal data is passed on to third parties, such as outsourced companies, health insurance plans and information passed on to e-Social.
Within employment relationships we can divide the processing of data into 3 phases: 1. Pre-contractual; 2. Contractual; and 3. Post-contractual.
A. Pre-contractual phase
The pre-contractual phase can be understood as the entire selection process, i.e. vacancy opening, receipt of CVs, screening of CVs and interviews, until the actual hiring. However, when carrying out its selection process, the controller must also maintain a database of CVs, as well as handling the CVs of those candidates not selected for the vacancy.
At this stage, it is important to take a few precautions:
- Request the information that is strictly necessary for the assessment and selection of the candidate (there is no way to define an exhaustive list of information; it must be assessed on a case-by-case basis, the activities of the position offered, etc.).
- Take care when handling and archiving CVs; even though consent has been given, the protection of the information contained therein remains in force;
- Inform the candidate of the treatment that will be given to the information contained therein and if there is an interest in keeping the CV in a database, it is necessary to obtain express authorization for this;
- It is important to note that the data is used specifically to apply for the vacancy advertised and cannot be used for any other purpose, with the exception of statistical data where the information is treated anonymously;
- Caution should be exercised when using and passing on information obtained during interviews. The selection team should be instructed on the responsibility of preserving sensitive information;
- Once a candidate has been selected, the information on unsuccessful candidates must be correctly disposed of, depending on the option (CV database or data deletion).
B. Contractual phase
The contractual phase begins when the employee is hired or the contract with the service provider is formalized. From then on, all the data and documents arising from the relationship between the company and the employee will have a greater flow and, therefore, greater caution and care must be taken, with the definition of specific processes and procedures according to the reality of each company.
Companies should therefore analyze all the departments that have access to employee data and ask themselves the following questions:
- Who has access to the data/documents? (Remember, it’s not just the HR department. Accounting and finance may also have access to certain data)
- Is it transmitted internally or to third parties?
- How is it transmitted?
- Which documents/data are processed?
- Where is it stored?
Based on this mapping, it will be possible to analyze the risks and the need to adapt to the law, reviewing contractual clauses, policies and specific training.
An even more important part is the processing of sensitive personal data, such as health data, race, biometrics, etc. and data on minors. Although the collection of some of this data is based on law, this data requires greater protection from the controller.
A company that provides health insurance to employees, for example, will need to review its contract with the insurance company that provides the services, since it could be held responsible for security incidents incurred by the operators it appoints.
If the company also hires minors, or if the employee designates minors as dependents, under the terms of the law, the legal guardians must authorize the processing and must be kept informed of all processing carried out with the minors’ personal data.
In this sense, it is also important to define data access hierarchies, analyzing which people really need access, in order to minimize leaks or inappropriate use of information.
C. Post-contractual phase
The post-contractual phase is characterized by an employee leaving the company. At this stage, there is a need to inform the data subject of the end of data use, either by legal determination or by request.
However, when it comes to labor relations, there are obligations to keep documents that are imposed by law, and this can lead to the data subject's request being withdrawn in the event of future use of the data, which must be analyzed on a case-by-case basis.
One example we can cite is the storage of documents that could be used as evidence in labor lawsuits or for the granting of information related to social contributions, or possible inspections by the Ministry of Economy.
The current statute of limitations for employees to claim their credits and labor rights arising from employment relationships is 5 (five) years, up to a limit of 2 (two) years after the termination of the contract. Therefore, the company has a legal guarantee to keep supporting documents for at least the limitation period.
However, during the storage period, the guidelines of the LGPD must still be observed, with the adoption of techniques capable of keeping the data confidential, and after the end of this period, disposal is mandatory.
Here we recommend that there should be a table for the temporality and destination of this data and, for this table to be effective, an assessment should be made of whether or not these documents need to be kept.
Finally, we stress that data must be disposed of in such a way that there is no way of recovering it later, by eliminating the originals and any copies. This is a hotly debated topic among IT professionals, as there are disagreements about the real possibility of disposal.
The key to everything is internal mapping, with a multidisciplinary team to identify the strengths and weaknesses of the process adopted by the company or the need to create/change these processes, the creation of policies and documents to prove that the necessary measures have been adopted and continuous training for the employees who handle the data, to avoid any kind of penalty.
Marcos Martins Advogados is aware of this issue and is prepared to provide qualified legal advice to its clients.