Employee Privacy Notice under the LGPD
FIRST PRIVACY helps companies prepare privacy notices that fulfil the legal requirements of the Brazilian Data Protection Law (LGPD). Under the LGPD, companies have the obligation to provide data subjects with transparent information concerning the processing of their personal data. For that, privacy notices must be carefully prepared and made available to data subjects, who can be employees, consumers, customers, website users, etc.
The correct way to provide employees with a privacy notice
In the context of employment relationships, employees should receive an employee privacy notice right after joining a company. This document must contain at least the following:
- Identification of the controller (employer) including contact details.
- Information on the personal data processing activities: Description of the processing activities, specific purposes, duration of the processing, as well as the possible existence of transfers of personal data outside national borders.
- Responsibilities of the companies who will carry out the processing.
- Information on the shared use of data by the data controller and its purposes, as well as on the specific situations in which employees' personal data will be disclosed to external parties (e.g., legal requests or investigations, or to access third-party services).
- The data protection rights of data subjects.
For transparency reasons, a list of the categories of personal data processed should also be included. In this case, it should be noted that, in order to comply with legal obligations under Brazilian employment law, employers may collect and process important personal information such as information related to an employee's family (number of children or marital status, to allow, for example, access to specific bonuses or benefits) or personal data that fall under the definition of Sensitive Personal Data under the LGPD (for example, health data related to medical leave or health insurance management).
Employees' personal data can be processed on the grounds of precise legal bases. These may be the performance of an employment contract, the fulfilment of a legal obligation, the legitimate interest of the employer or the consent of employees. The latter, in particular, should be carefully considered due to the imbalance of power between employers and employees.
Ultimately, it is important that privacy notices give employees this information in a transparent, clear and unambiguous manner, without misleading or abusive content.
Fábio Cavalcante, LL.M.
Senior Privacy Counsel
Phone: +49 421 69 66 32-886