The LGPD makes a relevant distinction between personal data and sensitive data, granting extra protection to sensitive data, given its potential to harm the data subject. Sensitive data are those that contain racial or ethnic origin, political opinion, religious conviction, membership of a trade union or organization of a religious, philosophical or political nature, as well as data relating to sexual life, health, genetic or biometric data, when linked to a natural person.
Already the Personal data is all information that allows the direct or indirect identification of a natural person, such as name, telephone number, address, ID, CPF, passport, work card, voter registration card, IP address, email, among others.
Due to the greater offensive potential, whereby misuse can lead to violations of personal rights, companies must exercise extreme caution when handling data considered sensitive. It should be noted that the legislation only presents an exemplary list of information that would constitute sensitive data and should not be limited to the types already presented. For example, gender, in principle, would not be considered sensitive data. However, depending on the context, in the case where the individual has a social name, revealing the gender may cause harm to the data subject, and data processing agents must exercise extreme caution.
At this point, article 46 of the LGPD establishes that data processing agents must take all appropriate technical, security and administrative measures to protect data from unauthorized access or accidental or unlawful destruction, loss, communication, alteration or any form of inappropriate or unlawful processing.
In the event of problems with the handling of this data, the court will assess whether the processing agents took all possible measures to prevent the incident. Based on this, management protocols must be established, both at the technical level of the database and at the administrative level of the controller, to limit access and further protect sensitive data. These protocols must specify how to respond in different scenarios, whether in the event of a data leak or database vulnerabilities.
Furthermore, it is worth noting that the International Labour Organization (International Labor Organization) developed a Code of Practice on the Protection of Workers' Personal Data, with the aim of providing guidelines for the management of employment information.
This ILO Code of Practice recommends that employers not collect sensitive information from employees, such as sexual, religious, or political orientation; medical data and criminal records, except where legally required; and data provided by the data subject in an excessive manner or irrelevant to the purpose of the data processing. Employees should be aware of how their data will be used, have easy access, and can request the deletion of this information at any time. However, they must still comply with all legal requirements set forth in the LGPD.
This ILO recommendation is consistent with the provisions of Law No. 13,709/2018, particularly with regard to sensitive data and strict compliance with data collection in accordance with the controller's purpose. Employers must protect the confidentiality of sensitive personal data by not making it public or sharing such information, except in the case of specific consent granted by the data subject.
Therefore, data processors will be required to keep all data received confidential, as will employment or service contracts, which must be reviewed to comply with the General Data Protection Law, clearly explaining the purposes for which the personal data provided will be used (ANGELIS, 2019). The data storage period in the controller's database is another aspect that must be specified in the data collection agreement. After this period, the employee's data must be deleted, under penalty of penalties.
REFERENCES
ANGELIS, Giovana de Abreu. The impact of the new data protection law on the labor sphere, 2019. Available at: https://www.migalhas.com.br/depeso/311803/os-reflexos-da-nova-lei-de-protecao-de-dados-na-esfera-trabalhista. Accessed on October 17, 2020
Português do Brasil 
English
[…] LGPD and Sensitive Data in Employment Relations […]