LGPD: unprecedented ruling highlights importance of security in processing sensitive data

Sibele Pimenta
Lawyer at Marcos Martins Advogados

The LGPD was a real watershed for the corporate world. Since it came into force, the storage, processing and protection of data have become essential actions in companies of all sizes and segments, avoiding irregularities that lead to sanctions and high fines. In a new decision handed down by the TST, a new alert has sounded in the market, bringing to light strict penalties for those who break these rules.

In February of this year, the TST published a decision condemning a company that works in risk management in the road transport sector for collecting and providing third parties with data on credit restrictions (SPC or Serasa) for risk assessment in selection processes for workers to be hired by insurance companies and carriers – applying the LGPD retroactively to a case that has been going on since 2012.

The company complained against in the case was not the employer, but carried out research and provided credit data on cargo drivers to clients who used its database in selection processes. Even though the convicted company’s activities were lawful, the final ruling was justified by the irregular handling of sensitive information – which, according to the LGPD itself, deserves greater protection because it covers highly personal issues susceptible to discrimination, such as racial origin, religious conviction, ethnicity, sexual option, etc.

Before the LGPD came into force, the Labor Courts were already of the opinion that a search of credit protection agencies’ records, with the aim of helping in the process of selecting and hiring employees, was not only abusive, but also discriminatory and violated the worker’s right to privacy. Even though the information is in the public domain and is even used by HRs, in the specific case of business activity, the search for such data does not amount to an offensive act, a violation of a person’s image, honor, intimacy or dignity, as long as it is not used as a criterion for selection processes – a fact that aroused general surprise with the decision handed down by the TST.

Apart from the defense of privacy, the case brought to light the importance of processing and storing the credit data of workers and even those not admitted to a given selection process – whose information is often part of the database of many companies.

The need for this is indisputable – but many companies are still far from ready. According to a survey carried out by RD Station, 93% of companies say they know or have at least heard of the LGPD, but only 15% are ready or in the final stages of preparation. Failure to define explicit protocols for this security can lead to fines of up to 2% of the company’s revenue, with a firm limit of up to R$50 million.

A new understanding of this need will have to be put in place and, if it really is considered important for the company, it will have to be rethought how to properly safeguard them with reduced risks of theft, leaks and misuse. In both cases, the consent form is one of the fundamental actions for adapting to the LGPD.

All professionals, whether they are current or unsuccessful in selection processes, must authorize the storage of their data and be clearly informed about how it will be stored and treated securely. To this end, the internal policy on the handling of documents must also be carefully drawn up, explaining all the actions that will be taken to this end.

Fines and sanctions for non-compliance with the law are already in force. With the exemplary decision, we now have a clearer understanding of the possible line of judgment to be applied in cases of the use of sensitive data – highlighting important principles of the protection of individuality and the fundamental right to the protection of personal data.

Those that have not yet adapted must urgently comply with the rules so that they do not suffer the sanctions defined. Legal support in this mission is completely valid, with a view to adapting the rules to the segment in which the company operates and, above all, developing an assertive privacy policy.

With repercussions felt globally and in all corporate operations, guaranteeing the security of professionals’ data requires a critical view from the department responsible for this application. Only in this way will the company be secure in its legal compliance and avoid suffering severe penalties for failing to protect its employees’ data.

Marcos Martins

Leadership

Foto Leonardo Dias

Leonardo Ribeiro Dias

Leadership

Mariana Piva

Leadership, Leadership

Share on social media