BRAZIL Law and Practice Contributed by: Patricia Barboza, Alinne Gordilho and Amanda Costa, CGM Advogados
measure being invalidated by a labour judge in the event of a legal dispute. 6.9 Other Measures It is common for employers to take additional meas - ures regardless of whether the allegations in the com - plaint are substantiated. These actions may include reviewing policies, updating operational protocols, or implementing new or revised training on topics related to the complaint, such as harassment. Mediation is generally not applicable in HR internal investigations in Brazil. From a data protection perspective, employers are permitted to collect personal data for the purpose of an HR internal investigation, provided they have a law - ful basis for processing such data under the Brazilian General Data Protection Law (LGPD). Lawful bases include the data subject’s consent, compliance with a legal or regulatory obligation, performance of con - tracts or pre-contractual steps at the data subject’s request, regular exercise of rights and legitimate inter - ests. 7. Data Protection 7.1 Collecting Personal Data Stricter requirements apply if the processing involves sensitive data, such as information on racial or eth - nic origin, religion, political opinions, trade union or organisational membership, health, sexual orientation, genetic data or biometric data related to an individual. In these cases, legitimate interest cannot be used as a basis for processing. All processing of personal data must adhere to the general principles and requirements of the LGPD, as summarised in section 7.2 Specific Rules . 7.2 Specific Rules The LGPD is Brazil’s primary privacy legislation and applies to: • data processing activities conducted in Brazil; • processing of data collected in Brazil or related to individuals located in Brazil; and
• data processing activities aimed at offering goods or services to individuals in Brazil. Although the LGPD does not provide specific guide - lines for internal investigations in private organisa - tions, its general principles and requirements apply to any personal data processing for such purposes. Companies must ensure compliance with the LGPD by: • providing a privacy notice to data subjects in a clear, appropriate and visible manner; • processing only the personal data necessary for the investigation; • establishing a lawful basis for processing personal data (particularly sensitive data); • adopting technical and administrative security measures to protect personal data; • maintaining records of the relevant processing activities; and • meeting all other obligations set out in the LGPD. 7.3 Access Under the LGPD, data subjects have the right to eas - ily access information about the processing of their personal data. This information must be provided in a clear, appropriate and visible manner, typically through a privacy policy or notice. Data subjects also have the right to request confirmation of the existence of processing activities and access to their personal data, among other rights. The confirmation of data processing or access to per - sonal data must be provided by the controller upon the data subject’s request either: • immediately, in a simplified format; or • within 15 days, in a clear and complete declaration specifying details such as the data’s origin and the purpose of its processing. When granting access to data, the employer may tailor its response to safeguard the company’s com - mercial or industrial secrets that could otherwise be disclosed.
45 CHAMBERS.COM
Powered by FlippingBook