Brazil’s data protection law and its implications for employers
Main image
Brazil data protection
Flavia Azevedo
Flávia Martina Azevedo is a partner at Veirano Advogados
Marcella Cruz
Marcella Cruz is an associate at Veirano Advogados


The Brazilian General Data Protection Law (LGPD) was approved in 2018, but only entered into force on 18 September 2020. After this period, companies started the process of strategic planning and implementing methods to comply with the new LGPD.

After the initial frenzy, companies started worrying about the penalties that might be imposed by the Brazilian National Data Protection Agency (ANPD) in case of breach of LGPD’s provisions, as LGPD administrative sanctions started to apply as of 1 August 2021. Violators will be subject to administrative sanctions, as well as daily fines, which can include anything from 2% of sales to R$50m. Okay, but how does it affect employment and labour relations?

It is hard to imagine an employment relationship that does not involve the exchange of a significant amount of information, and it starts during the pre-employment screening process and remains effective until after the end of the employment agreement. Therefore, the LGPD not only applies to the employment relations, but it represents a significant part of the process that might be adjusted accordingly.

Below are some examples of data that must be protected according to the LGPD during the employment relationship’s phases.

Pre-employment screening

During the entire pre-screening process, there is information that must be requested from the candidates such as personal data (address, age, marital status, etc.) and health data depending on the activity that the employee will perform. During the pre-screening, the employer should require the candidate’s express consent to collect their personal data and the requests must be limited to the legitimate interest of the company, meaning that it only must require the information that is crucial to the pre-screening process.

Hiring process

After the candidate is selected, the employer is required to ask to vast personal data to formalise the hiring process. In this situation, the information required can be sensitive, such as union affiliation, blood type, number of children, biometric data, among others.

At this point, it is important to highlight that the processing of sensitive data can only be carried out in the cases where it is indispensable for:

  • compliance with legal or regulatory obligations by the controller (in this case, the controller would be the employer);
  • the regular exercise of rights, including in contract and in judicial, administrative, and arbitration proceedings;
  • the protection of the life or physical safety of the holder or third party; and
  • the prevention of fraud and guarantee the security of the data subject in the processes of identification and registration in electronic systems (except when the processing presents harm to the fundamental rights and freedoms of the individual).

During the employment relationship

There is also much information that is required to be requested during an employment relationship, especially information related to the health and safety of employees, which is sensitive data. Additionally, it is usual to have the employee’s date transferred abroad to the companies that are part of the employer’s same economic group.

According to the LGPD, international transfers of personal data are only allowed in the following cases:

  • to countries that provide a level of protection of personal data that is adequate to the provisions of the LGPD;
  • when the controller offers guarantees to comply with the regime of data protection provided in the LGPD;
  • when the transfer is necessary for international legal cooperation between public organisations;
  • when the transfer is necessary to protect the life or physical safety of the data subject or of a third party;
  • when the national authority authorises the transfer;
  • when the transfer results in a commitment undertaken through international cooperation;
  • when the data subject has given their specific consent for the transfer;
  • for compliance with a legal or regulatory obligation by the controller;
  • when necessary for the execution of a contract related to a contract of which the data subject is a party, at the request of the data subject; or
  • for the regular exercise of rights in judicial, administrative, or arbitration procedures.

Post-contractual phase

During this period the employer is required to detain information related to the employee’s severance package and their medical information due to the required medical examination that must be carried out at the end of employment relationship. Consent is not required to keep this type of information as they are required by law. However, the employer must observe the deadline to store employment information which may vary depending on the situation and the type of data.

It is undeniable that the LGPD not only applies to the employment relationship but represents a considerable part of the process that must be adequate according to LGPD’s provisions, especially now that the penalties – which can achieve millions of dollars – can be enforced by the ANPD.