Brazilian General Data Protection Law (LGPD)


LGPD Information Series #1: LGPD BASICS

What is the LGPD and how will it impact the background screening services you receive from Securecheck360?

Brazil recently enacted its omnibus law governing the use of personal data, the Lei Geral de Proteção de Dados (LGPD), or General Law for the Protection of Privacy. The LGPD is intended to regulate the processing of personal data to protect “the fundamental rights of freedom and privacy and the free development of the personality of the natural person.”

When will the LGPD take effect?

After delays, the LGPD took effect on August 27, 2020; enforcement of the LGPD’s penalties and sanctions provisions will not officially take effect until August 1, 2021. Securecheck360 is compliant with the LGPD, based on available guidance, and will be tracking developments of the LGPD as they evolve and sharing additional information with our clients as it becomes available.

To whom does the LGPD apply?

With some exceptions, the LGPD applies to any natural person or legal entity that processes the personal data of people in Brazil, even if the entity processing the data is based outside of Brazil. The LGPD applies to an organization if: the processing is carried out in Brazil (the data subject is in Brazilian territory at the time of collection); the purpose of the processing activity is to offer goods or services to individuals located in Brazil; and/or the processed personal data was collected in Brazil.

What is personal data and how can it be processed?
Personal data in this statute is defined broadly as “information regarding an identified or identifiable natural person.” There are also special restrictions on the processing of “sensitive personal data,” which is data that relates to racial or ethnic origin, religious beliefs, political opinions, affiliation to unions or to political, philosophical, or religious organizations, health information, sexual preference, or genetic and biometric data.

What will the LGPD require in the context of background screening?

The LGPD is similar to the EU’s General Data Protection Regulation (GDPR) in several areas, including its distinction between controller and processor. In the context of a background screening, Securecheck360 is a processor acting under the instructions of its controller client.


Compliance with the LGPD requires that the controller have a legal basis to direct processors to process personal data. These legal bases for processing personal data largely align with the GDPR. For the purposes of a background screening, legitimate interests (processing to fulfill the legitimate interests of the controller or a third party, except where the fundamental rights and freedoms of the data subject prevail) is likely to be the most useful basis, rather than consent.

There are no specific rules addressing employment and consent as a basis for processing in the LGPD itself (personal data relating to an employee is treated by the law in the same way as other personal data), and hence, in principle, it might be possible to validly obtain consent in an employment context. It is possible (and perhaps likely), however, that the newly created Brazilian National Data Protection Authority (ANPD) will ultimately adopt a position similar to that under the GDPR: that consent is not valid in the employment context because of the power imbalance and the impossibility of freely given consent in an employment relationship.

If the controller relies on the legitimate interests ground, the controller should keep a record of the actual legitimate interests pursued by it as a controller (or by a third party). When processing is based on the controller’s legitimate interest, only the personal data strictly necessary for the intended purpose may be processed. The controller should adopt measures to ensure the transparency of data processing based on its legitimate interests. Of note, the LGPD provides that the national authority may request from the controller an impact report on the protection of personal data when processing is based on legitimate interests.

Does the LGPD require a privacy notice?

As in the GDPR, the LGPD requires certain information to be provided by the controller to data subjects before processing (a privacy notice).
Best guidance at this point (which is subject to change once the ANPD begins promulgating rules) is that such a privacy notice should contain:

- The specific purpose of the processing;
- The type and duration of the processing;
- The legal basis for processing;
- Identification of the controller;
- The controller’s contact information;
- Information regarding the shared use of data by the controller and the purpose of that sharing;
- Responsibilities of the agents that will carry out the processing; and
- The data subject rights, such as the rights to access, rectification, erasure, data portability, etc., with explicit mention of the rights provided in Art. 18 of the LGPD.

To best comply with privacy principles, the controller might also consider including the following types of information:

- Information regarding data transfers to third countries, where applicable, and reference to appropriate or suitable safeguards;
- The existence of the right to withdraw consent if the processing is based on consent;
- The right to lodge a complaint with a supervisory authority;
- If applicable, information regarding automated decision making, including profiling.

What rights does the LGPD provide for data subjects?

The LGPD sets out nine fundamental rights granted to all Brazilian data subjects that are similar to the fundamental rights stated in the GDPR:

- Confirmation of the existence of processing;
- Access to data;
- Correction of incomplete, inaccurate, or out-of-date data;
- Anonymization, blocking, or elimination of unnecessary or excessive data, or of data processed in non-compliance with the provisions of the LGPD;
- Portability of the data to other service providers or suppliers of products, at the data subject’s express request, in accordance with ANPD rules, and observing the protection of business and industrial secrets in the process;
- Elimination of the personal data processed with the consent of the data subject, except in the cases outlined in Article 16 of the LGPD;
- Information on the public and private entities with which the controller has shared data;
- Information on the possibility of not providing consent and on the consequences of such denial;
- Revocation of consent, according to the provisions of paragraph 5 of Article 8 of the LGPD; and
- Review of decisions based on the processing of personal data carried out exclusively by automated means.

The LGPD separates the right to be informed into the right to “information about the public and private entities with which the controller has shared data” and the right to “information about the possibility of denying consent and the consequences of such denial.” This gives the data subject not only a right to request the information the organization collects about the data subject, but also the right to ask what will happen if the data subject does not give the controller consent to process his/her personal data. Data subjects are also entitled to an explanation of any automated decision-making carried out by the controller that affects their interests. When a data subject requests a review, the controller must provide “clear and adequate information regarding the criteria and procedures used for an automated decision.”

What about the appointment of a DPO?


The LGPD indicates that a DPO must be appointed by a controller; however, the ANPD will have further rule-making authority over this obligation, and could in the future exempt controllers from appointing a DPO according to the nature and size of the entity or the volume of its data processing operations.

What about the transfer of personal information out of Brazil?

While the LGPD indicates transfer mechanisms to ‘inadequate’ regions analogous to standard contractual clauses (SCCs), the ANPD has not promulgated language around their use, guidance around which regions might be considered adequate, or what alternatives might be available.

About Securecheck360

Securecheck360 provides comprehensive background screening, identity, and information solutions that give employers access to actionable insights that result in decisive hiring decisions. All our clients stand out from their competitors by having qualified and thoroughly vetted candidates through a combination of our unparalleled background screening processes, solutions tailored to their unique requirements, quick turnaround time, compliance with regulatory laws, and paperless workflow automation technology. The foregoing content is provided in a spirit of business cooperation as supportive information on the potential impacts related to the LGPD; Securecheck360 is not a law firm and is not approved to provide your business with legal advice.

