Law No. 13.709/2018, known as the “General Data Protection Law” or “LGPD”, directly impacted business routines, including the process of hiring employees. Since the LGPD came into force (Sep 18, 2020), some precautions must be taken to ensure contract compliance and avoid penalties, inspections or legal proceedings.
In the pre-contractual phase, that is, during recruitment and selection, the employer must pay attention to the information it requires from the candidate, requesting only what is adequate and necessary for the intended purpose (hiring).
It is important that the company collects the candidate’s consent form, which must transparently set out the processing that will be carried out on their personal data. It must be clear how long the resume will be stored by the company; sharing it is prohibited unless authorized by the candidate.
The company should also be concerned with deleting personal data when the candidate is not approved for the vacancy. Deletion must be done in a way that ensures the data is not accessed in an illegal or unauthorized manner.
This selection and recruitment phase can be done directly by the company or by a specialized company. In the latter case, it is very important to review the contractual clause between the companies to define the responsibilities and obligations of each one.
In the contractual phase, the employer must include in new employment contracts, and amend existing ones to include, clauses informing how the employees’ data will be processed to fulfill the employment contract. It is important to mention that the LGPD considers generic clauses to be null, so the drafting of contractual provisions deserves attention from companies.
Data sharing must be disclosed (e.g., transfer of the employee’s personal data for contracting the health plan, meal and transportation vouchers, life and personal accident insurance, and payroll management). Note that, from now on, the sharing of employee information with unions depends on the data subject’s consent or on the need to comply with a legal or judicial order or a collective norm.
In the contractual phase, the legal bases most used to authorize the processing of data are: (i) the execution of the contract, provided for in art. 7, item V of the law and (ii) to comply with a legal or regulatory obligation, provided for in art. 7, item II, which will justify the sending of personal data to the INSS, CEF, E-social, RAIS etc.
Companies that collect biometric data from their employees must exercise extra caution, since such data are classified as sensitive by the LGPD and are therefore subject to greater protection. Such data must be used with the consent of the data subject or when indispensable for the fulfillment of a legal obligation (e.g., electronic time registration).
It is important that the employer makes the employee aware of the Information Security and Data Protection Policies adopted by the company through training and assessments, precisely to avoid incidents and the company’s liability. Failure to comply with these Policies, provided that the terms of the CLT are observed, may result in the application of a penalty and even dismissal for just cause of the employee.
Once the employment relationship ends, the company may keep the employees’ data for the period necessary to defend itself in the event of a possible labor claim or inspections by public agencies. Therefore, the employee cannot demand that the company delete all their data after the termination of the contractual relationship. However, after that period, the company must safely dispose of such data.