Data Protection Officer (DPO) in Brazil

Data protection is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, and the legal and political issues surrounding them.

The personal data controller is a person appointed by the company who is essentially responsible for communication between the company, the data subject and the ANPD (National Data Protection Authority), which oversees compliance with Law no. 13.709/2018, the General Law on Personal Data Protection (LGPD).

Article 41 of the LGPD obliges all companies to appoint a personal data controller, also known as a Data Protection Officer (DPO) by European law.

For the time being, there are no exceptions to the rule referred to in the previous paragraph, although the matter is already the subject of public consultation, for the exemption of small data processors, such as micro-enterprises, small businesses, start-ups and non-profit legal entities, natural persons and unincorporated entities. If these small processors do not appoint a controller, an obligation at least to provide a channel for communication with the data subject is also under consideration.

Note that this exemption applies only to the data controller. The LGPD will not cease to apply to small data processors.

The ANPD has not completed this public consultation and therefore its opinion has not yet been released.

What does a DPO do? According to the paragraphs of article 41, the DPO is responsible for: 1) accepting complaints and communications from data subjects, providing explanations and taking appropriate action; 2) receiving communications from the national authority and taking appropriate action; 3) advising the entity’s employees and collaborators on the practices to be followed with regard to the protection of personal data; and 4) performing the other duties determined by the controller or established in supplementary regulations.

Is it possible to outsource the control of personal data in Brazil? The LGPD does not prohibit outsourcing of the data control. Therefore, it is not obligatory that the controller be an employee of the company.

Accordingly, since it is possible to hire an external DPO, the employees can focus on the company’s core business, without being overburdened or even distorting their employment contracts, which could give rise to legal consequences, such as the payment of additional compensation for deviation from their original function or dual activity.

Logically, hiring a DPO, as a regular employee of the company, is justified when the company’s size and volume of data processing is so significant as to warrant this person’s dedication exclusively to this function.

The Brazilian Bar Association, in response to Consultation no. E-5.537/2021, has authorized lawyers to officially exercise the activities of a DPO.

Penalties for non-compliance with the LGPD, which includes absence of a controller, have been in force since the beginning of August 2021, including fines of up to R$50 million, in addition to compensation for property, moral, individual or collective damage.

The Stüssi-Neves Advogados team is at your disposal for any additional explanation regarding this matter.

Fernando Seiji Mihara and Maria Lúcia Menezes Gadotti
Associate lawyer and Partner in Labour Law Area – São Paulo
fernando.mihara@stussinevessp.com.br and marialucia.gadotti@stussinevessp.com.br

The LGPD and Labour Relations in The Brazilian Jurisdiction

Non-observance of the LGPD will give rise to administrative sanctions imposed by the National Data Protection Authority as of August 2021, as determined by article 20 of Law 14.010, which modified the text of article 65 of Law 13.709.

In spite of this, many authorities are already imposing or seeking to impose penalties for failure to comply with the LGPD and are taking court action in this respect. Moreover, there is nothing to prevent data subjects from claiming compensation in court, as well as coercive measures to enforce compliance with the LGPD.

In the context of labour relations, the LGPD is firmly present in the three stages, although there are no specific regulations in this respect. Apart from the direct relationship between the company, the candidates for job vacancies offered and its own employees, the LGPD is also present in relations with the employees of outsourced companies.

For the reasons set out in the preceding paragraph, companies must adapt as soon as possible, creating procedures and policies, adjusting their work contracts and agreements for services with independent contractors, training and instructing their work force regarding the law and the care necessary in the treatment of data, thereby avoiding the formation of administrative and judicial liability and the exposure of their name, brand and reputation.

At the pre-contract stage, companies will have to adjust their recruitment and selection processes, deciding whether resumes not used are to be discarded or kept in their database for future vacancies, obtaining, in the latter case, the express consent of the candidate to do so.

Companies must also consider that recruitment and selection processes may be investigated by the competent authorities and/or challenged in court by those authorities or by the candidate himself; in this respect, the treatment of candidates’ data may constitute evidence for their defence, as a regular exercise of rights.

In the course of the employment relationship, the applicability of the LGPD is vast, since the employer is obliged to provide personal as well as sensitive data of its employees in order to comply with legal obligations, such as for the E-social, for the DCTFWeb, for the CAT, for the obligatory Occupational Health and Safety Programmes, for the labour inspectors of the Special Secretariat of Social Security and Labour and of the Federal Revenue, unions and class entities, among others.

The employer uses the data of its employees, also, in order to comply with contractual obligations, such as for the provision of benefits, health and life insurance, agreements in general with other companies etc., constituting, therefore, the regular exercise of rights, which strictly exempts it from obtaining the express consent of the employee, provided of course that such benefits are in the latter’s interests or result from a regulatory provision.

The employer may also be obliged to use such data in administrative or judicial proceedings, as determined by the supervisory body or judge, in which case authorisation to supply such information from the employee is not required, since this undoubtedly constitutes a regular exercise of a right.

In the event of an occupational accident or health problems that justify the adoption of measures by the employer to protect the life and physical safety of the data subject (in this case, the employee), the company will also have to use his data.

It is essential to mention, if only briefly, the matter of the employee’s consent, since a trend of opinion has already been formed on this point, not only in Brazil, but also abroad, to the effect that it is inapplicable, as a rule, to employment relationships, given the worker’s situation of “hypo-sufficiency”. On this subject, we will express our views in further detail in a future article.

On termination of the employment, the employer should, strictly speaking, eliminate the personal data of its employee, since their purpose has been achieved or they are no longer necessary. However, considering that many of these data may be subject to analysis by the Brazilian authorities and/or constitute evidence in legal proceedings that may be brought against the company, including by the employee himself, they may be stored, for compliance with legal obligations or the regular exercise of rights, for the period in which they may be required; these are situations that, we repeat, do not require consent of the data subject.

The retention period could, in principle, be standardised according to the two-year and five-year limitation periods that apply to the employment relationship. However, there are situations that may exceed these periods, such as cases of accidents at work and death of a worker leaving minor heirs, matters which should be considered when the employer sets the parameters for the storage and destruction of data.

These are the initial observations of our labour team regarding the impact of the LGPD on labour relations. We will continue to produce material on the subject, as there will be many challenges to be faced in the near future.