The Challenge in Protecting Personal Data in Work Relations
Concern over data protection has grown stronger and more prominent in recent years, as laws dealing with the subject have come into force.
The discussion began with the enactment of Law No. 12,965/2014, better known as the “Brazilian Civil Rights Framework for the Internet”, which establishes principles, guarantees, rights and duties for the use of the Internet in Brazil.
In addition, Law No. 13,709/2018 was enacted. It deals exclusively with the protection of personal data and was amended by Provisional Measure 869, dated December 27, 2018, which also established a deadline of 24 (twenty-four) months for the entry into force of the provisions of Law No. 13,709/2018.
Companies therefore have until August 2020 to organize and create mechanisms for the protection of their customers’, suppliers’, employees’ and service providers’ personal data.
Specifically, in the context of employment relationships, it is essential that companies treat the personal data of candidates, employees and service providers very carefully in order to avoid the substantial fines provided for in the legislation, which can reach 2% of the company’s, group’s or conglomerate’s revenues in Brazil in its last fiscal year, limited to the surprising amount of R$ 50 million.
That is, the amount set as a fine for non-compliance with the General Data Protection Law already demonstrates the importance of the subject today and the degree of care companies must take when dealing with the personal information made available to them.
In general terms, the law defines personal data as any information relating to an identified or identifiable natural person (name, address, telephone, taxpayer number, etc.) and sensitive data as any personal data with a higher discriminatory potential (racial or ethnic origin, religious belief, medical condition, political opinion, union membership, sexual orientation, etc.).
Accordingly, from the first contact with a candidate for a job position, the company must handle the personal information received with full responsibility, and it is imperative to request only data that is essential and suitable for a specific purpose, without excess, to avoid future allegations of discrimination in hiring, for example.
To that end, one measure to protect the company against this type of allegation would be the adoption of clear forms recording the candidate’s free and unequivocal agreement to the disclosure of his/her personal data for the specific and exclusive purpose of completing the selection process and, if the candidate is hired, enabling registration and fulfillment of the other accessory labor obligations.
Likewise, we envisage the need to include specific clauses in employment agreements regarding the processing of the personal data of employees and their family members, for purposes such as enrollment in health insurance, life insurance, dental plans and others.
It is also essential to revise the services agreements entered into with third parties who will have access to, and consequently handle, such data, such as health plan operators, life insurance companies and payroll management companies. It is recommended to include express clauses on the form of treatment and protection of the transferred data, as well as on responsibility in case of a possible leak.
Another very sensitive aspect concerns information related to workers’ health, which, although already protected by medical confidentiality, deserves special attention in relation to the storage and dissemination of medical certificates and examinations, purchase of medicines through covenants and use of health insurance, in order to preserve the privacy of employees and their family members.
At this point, it is important to remember the provisions of Resolution No. 1,819/2007 of the Federal Medical Council, which prohibits the inclusion of the International Classification of Diseases code in medical certificates, in specific cases, without the express authorization of the patient, precisely to protect the patient’s privacy.
In practical terms, companies should review their internal policies, clearly defining which sectors may have access to the data of candidates, employees and third parties and how such information may be used, and mapping and identifying potential compliance failures. Companies are also responsible for the guidance and training of the personnel who will handle such information.
Another important aspect is that multinational companies, in general, need to share this data with the head office located abroad. Here too, it is essential to obtain the consent of the holder of the information where this transfer of data does not occur due to a legal obligation, but only for the purpose of maintaining or updating the database, and to have a system that guarantees the maximum protection of this information in the sharing process.
As outlined above, the best way to address this matter is with sufficient transparency and awareness that personal information should be collected and used only for lawful and specific purposes, without any deviation from the stated purpose.