Protection of personal data in the employment relationship

Mannrich e Vasconcelos Advogados

Alessandra Barichello Boskovic [1]

Marco Antonio da Costa Sabino [2]

Hiring an employee in Brazil involves a series of formalities. Although, as a general rule, a written employment contract is not required, the employer must register the employee in a virtual system of the federal government (e-social) and make the proper entry in the employee's work card (CTPS). Furthermore, a written contract is required in many cases, for example in fixed-term contracts, intermittent contracts or apprenticeship contracts. In all these scenarios, the employer will need to collect and process the worker’s personal data, such as date of birth, social security number, address, marital status, parentage, etc.

Compliance with certain labor and social security obligations will also require the employer to have access to additional – often sensitive – employee data. This is the case, for instance, of biometrics, for access to the employer’s premises or control of working hours; health data, collected in mandatory occupational exams; and information on family status, on the basis of which the family salary will eventually be paid.

Home office, which became quite common during the pandemic, popularized virtual meetings, in which the employee's image and voice may be recorded. This is another situation in which personal data will be collected and processed. This raises a number of questions about the protection of personal data in employment relationships, in the light of the General Data Protection Act (LGPD – Law No. 13,809/2018).

Pursuant to Article 7(I) of the law, the processing of data is legitimate with the consent of the data subject. Clauses through which the employee expresses his/her agreement with the processing of his/her personal data by the employer are therefore increasingly frequent in employment contracts. Article 8, caput and §1 of the law, provides that consent must be given in writing, in a clause that stands out from the other contractual clauses, or by other means that demonstrate the expression of will of the data subject.

But there are legal hypotheses in which the processing of personal data may also be carried out regardless of consent. Among them, the following stand out as relevant to this analysis: when necessary to fulfill the contract or preliminary procedures related to the contract to which the data subject is a party, at his/her request; and when necessary to meet the legitimate interests of the controller (Article 7, V and IX). And there is no denying that the employer has legitimate economic and social interests that can justify the processing of personal data of its employees.

This means that the processing of personal data collected during the recruitment and selection process, in the hiring phase or during employment, when necessary to comply with the legal duties imposed on the employer by social legislation, does not require the express and specific consent of the employee. Of course, for the sake of legal certainty, it is recommended to formalize the agreement of the data subject, but its absence does not imply a legal violation by the employer.

[1] Obtained her Master’s and PhD degrees in Law from Pontifícia Universidade Católica do Paraná (PUCPR). Researcher at GETRAB-USP. Partner lawyer at Mannrich e Vasconcelos Advogados.

[2] Obtained his PhD in Law from Universidade de São Paulo (USP). Professor at Fundação Instituto de Administração (FIA). Partner lawyer at Mannrich e Vasconcelos Advogados.
