Monitoring employees’ communications under the Brazilian Data Protection Law
The Brazilian Federal Constitution provides for the inviolability of secrecy of correspondence and data communication, but until now there were not specific regulations on access, by the employer, to employees’ communications and other personal data in Brazil. That will change with the Brazilian General Data Protection Law – LGPD.
The LGPD creates a new legal framework for data processing regarding identified or identifiable persons, thus including employees. It imposes a strict requirement upon data controllers intending to rely on the data subject consent as a legal basis for the processing of personal data: it must be a free and unambiguous manifestation.
However, considering that, in practice, employers and employees usually do not negotiate in equal conditions, employee’s consent to access to their personal data may be subject to questioning. In this context, a question that arises is whether the employer can use other legal grounds to justify monitoring employees’ communications.
Pursuant to Brazilian law, the employer assumes the risks of the economic activity and has the so-called power of direction, under which it may supervise employees’ activities, ensure the proper use of work tools, require compliance with its rules and impose disciplinary sanctions.
In light of such prerogative, currently case law holds that the employer has the right to access and review information created by the employees by means of the corporate devices, provided they have prior knowledge that such devices should be used as work tools, thus having no expectation of privacy. Conversely, the employer’s access to personal accounts, such as e-mail or messaging application, and other private communication tools of its employees is forbidden even if connection to such accounts were made through employer’s hardware or equipment.
This understanding may prevail when the LGPD comes into force. The direction and monitoring of employees’ activities by the employer shall be expected given the fact that the employer is liable, before third parties, for acts committed by its employees in the performance of their work, or by reason of it. Thus, the employer has a legitimate interest in reviewing personal data created or processed upon the use of devices made available for professional purposes, provided employees are aware that such work tools are subject to monitoring.
Depending on the situation, the employer can also access employees’ personal data if it needs to comply with legal obligations, such as regulations that require the company to keep the contact of its employees with clients.
However, a reasonable level of care when monitoring employees is required, particularly with respect to sensitive information. Personal data shall be processed lawfully, with transparency and in a less intrusive manner, on a need to know basis. The employer must adopt security measures to protect data and avoid unauthorized access or disclosure.
Non-compliance with the LGPD may result in fines of 2% of the companies' local income, up to BRL 50,000.000,00 per violation, apart from the employer’s obligation to indemnify its employees for damages they may incur into.
On this issue | August 2019