Ariadne Fabiane Velosa
Lawyer at Marcos Martins Advogados
The General Data Protection Law (LGPD), Law No. 13,709/2018, aims to regulate the processing of personal data in Brazil, both by the public authorities and by the private sector.
This law applies to all natural or legal persons, whether public or private, who process personal data. It also applies to digital media, and can even be applied to companies that do not have a physical establishment in the country.
Its aim is to protect citizens’ personal data by enabling greater control over their data,
- through transparent and secure practices; establishing clear rules on the collection, storage, processing and sharing of personal data for companies; fostering economic and technological development in a data-driven society; ensuring free enterprise, free competition and consumer protection; increasing society’s confidence in the collection and use of its personal data; and increasing legal certainty in the use and processing of personal data (MONTEIRO, 2018)[1].
In turn, personal data is data that allows a person to be identified or makes them identifiable, for example, their name, documents such as CPF, RG, CNH, address, among others.
It is certain that this law is reflected in the field of employment law, with regard to a company’s selection process. Therefore, the person responsible for hiring within a commercial establishment must act with caution and apply the necessary measures to protect the candidate’s data from the moment the vacancy is advertised.
This requires measures that do not discriminate against the candidate, as well as asking for the candidate’s express consent and informing them in an understandable way that their data will be used for assessment and selection purposes.
Therefore, during the candidate selection and hiring phase, it is essential that the candidate is aware of the purposes for which their personal data will be used. It is up to the recruiter to request only the information necessary for the selection process, and information that will not be useful for filling the vacancy should be excluded, unless there is a justifiable reason.
In this context, more personal issues, such as religion, sexual choice and so on, are called sensitive data, i.e. information that has a “high potential for harming its owners”[2], which the LGDP guarantees protection.
In this way, when the employer goes into matters concerning the candidate’s personality and convictions, it must have a clear and objective purpose for a certain characteristic to be decisive in filling the vacancy, with the General Data Protection Law limiting the employer’s discretionary power, to the extent that, as provided, it must stick to the employment purposes.
It should be noted that if the company uses establishments that specialize in employee recruitment or outsourced services, it should request that they comply with and process the candidates’ personal data in line with the General Data Protection Act, in addition to the mandatory documents such as compliance with labour and social security obligations, which will guarantee the hiring company greater legal certainty.
On the other hand, the recruiter or the company’s Human Resources department will have to be careful when storing CVs for subsequent selection processes. If it is the employer’s decision to create a reserve list, express consent for this purpose is essential.
Article 8 of Law No. 13,709/2018 also states that consent to the processing of personal data must be in writing or by another means that demonstrates the data subject’s will.
In the event of non-compliance, article 52 of the LGPD provides for administrative penalties to be applied to the agent who commits data processing infractions, such as warnings, fines or total or partial prohibition of activities related to data processing.
The body responsible for overseeing and regulating guidelines and applying penalties will be the National Data Protection Authority (ANPD), which was sanctioned on July 9, 2019.
Thus, the General Data Protection Act will directly affect employment relationships, so it is recommended that even before the Act comes into force, which will be in August 2020, it is important that companies review their selection processes and adapt to the new rules, to avoid improper processing of data and possible sanctions for non-compliance.
[1] MONTEIRO, Renato Leite. Brazil’s General Data Protection Law: a detailed contextual analysis. JOTA, 2018. Available at: https://www.jota.info/opiniao-e-analise/colunas/agenda-da-privacidade-e-da-protecao-de-dados/lgpd-analise-detalhada-14072018. Accessed on: July 8, 2019.
[2] DONEDA, Danilo apud SANDEN, Ana Francisca Moreira de Souza. The protection
of employee personal data in Brazilian law: a study on the limits on obtaining and use by the employer of information relating to the employee. São Paulo: LTr, 2014, p. 63.
