top of page
Buscar

LGPD and employee rights: how far does the risk of dismissal for cause extend?

  • Foto do escritor: DBS Partner
    DBS Partner
  • há 4 dias
  • 5 min de leitura

The LGPD (Brazilian General Data Protection Law) guarantees employees rights such as access, correction, deletion, and portability of data, as well as transparency in the use of information

 

LGPD and employees rights

The LGPD (Brazilian General Data Protection Law) and employee rights have become a recurring topic in labor relations.


The General Data Protection Law (Law No. 13.709/2018) is not limited to the use of information by large companies or digital service providers: it also directly impacts the routines of workers, who have a duty to respect and protect sensitive data to which they have access in the performance of their duties.


A recent case analyzed by the Regional Labor Court of the 2nd Region (TRT-2) reinforced this understanding.


The call center operator was dismissed for just cause after accessing, without authorization, the bank details of famous clients.


The decision confirms that violations of the LGPD can justify termination of employment, demonstrating that curiosity or carelessness regarding personal data can have serious consequences in professional life.


LGPD and its application in labor relations

The LGPD establishes rules for the collection, processing, storage, and sharing of personal information. Its scope is broad and involves companies, partners, representatives, collaborators, and employees.


In the corporate environment, this means that anyone with access to personal data must safeguard its confidentiality and use the information only for legitimate and previously authorized purposes.


Just as managers and companies are held responsible for poor data management, employees can also be held responsible for improper conduct.


When a worker accesses information without authorization, it constitutes a breach of trust, one of the grounds that labor law recognizes as justification for dismissal for cause.

 

The case judged by the TRT-2 (Regional Labor Court of the 2nd Region)

The case analyzed by the TRT-2 had a major impact due to the involvement of well-known names. A call center operator at a financial institution was dismissed for just cause after improperly accessing the bank accounts of famous clients, including a soccer player and a country music singer.


According to the case file, the access was made without any request or consent from the account holders, in clear violation of the internal information security policy and the provisions of the LGPD (Brazilian General Data Protection Law).


The irregularity was identified by the company's own monitoring system, which recorded the employee's logins. During the investigation, the worker admitted that he acted out of "curiosity" and was fully aware that the practice was prohibited.

 

Court Ruling

Judge Marco Antônio dos Santos, of the 27th Labor Court of São Paulo, considered the conduct serious enough to constitute just cause for dismissal. In his decision, he highlighted that the act represented a direct breach of the LGPD (Brazilian General Data Protection Law), exposing the financial institution to legal, administrative, and reputational risks.


The ruling reinforced that there was a breach of trust, essential to maintaining the employment relationship, and that the employer had no obligation to maintain the contract in the face of such a serious offense.


The case is still awaiting review in a higher court, but it already serves as a precedent and a warning to companies and employees about the seriousness of the issue.

 

What is the employee's responsibility under the LGPD (Brazilian General Data Protection Law)?

Often, when the LGPD is mentioned, it's automatically associated with the responsibility of companies. However, employees play a central role in data protection.


Upon being hired, employees gain access to sensitive information about clients, suppliers, and even colleagues. This includes financial data, health information, purchase history, and even personal details.


The employee's responsibility is:

 

  • Use the data only for professional purposes and within the limits authorized by the company;

  • Do not share information with third parties without express authorization;

  • Report security breaches or data breach incidents immediately;

  • Comply with internal compliance and information security policies.


When these responsibilities are not met, the employee may be subject to disciplinary action, including dismissal for just cause.

 

How to Explain the LGPD (Brazilian General Data Protection Law) to Employees?

To avoid problems, companies need to invest in continuous training and awareness. Many cases of non-compliance do not occur due to bad faith, but due to lack of knowledge.


Some strategies include:


  • Practical workshops showing real-life risk situations, such as accessing data without permission;

  • Clear internal policies, written in simple and easily accessible language;

  • Examples of permitted and prohibited conduct to avoid ambiguity;

  • Periodic training, reinforcing the importance of information security;

  • Incident simulations so that employees know how to act.


The goal is to make employees understand that the LGPD is not just a legal requirement, but a tool for protection and ethics in the workplace.

 

What does Article 42 of the LGPD say?

Article 42 of the LGPD addresses liability and the duty to compensate in case of damage resulting from a violation of the law.


It establishes that the data controller or operator who causes patrimonial, moral, individual, or collective damage will be obliged to repair it.


This means that if an employee accesses data without authorization and this conduct causes harm, both the employee and the company can be held liable.


However, the employer can exercise the right of recourse against the employee if they prove that the damage resulted from the employee's fault or intent.


In practical terms, this provision reinforces that the individual conduct of the employee has a direct impact and can lead not only to labor sanctions but also to civil liability.

 

What does Article 17 of the LGPD say?

Article 17 of the LGPD deals with the ownership of personal data. It establishes that every natural person is the owner of their data and possesses fundamental rights of freedom, privacy, and free development of personality.


In the labor context, this means that the employee must respect the privacy of clients and colleagues, recognizing that data is not freely accessible but belongs to each individual.


By accessing third-party information without authorization, the worker not only violates an internal rule but also disrespects fundamental rights guaranteed by law.

 

Impacts for Employers and Employees

The TRT-2 (Regional Labor Court of the 2nd Region) decision reinforces that the LGPD (Brazilian General Data Protection Law) is not abstract legislation, but a set of rules applicable to the daily operations of companies.


For employers, the case demonstrates the importance of:


  • Establishing well-documented internal information security policies;

  • Monitoring access to systems and recording inappropriate conduct;

  • Promoting periodic training on LGPD and compliance;

  • Having legal backing to apply penalties in case of non-compliance.


For employees, the message is clear:


  • Unauthorized access to personal data constitutes serious misconduct;

  • “Curiosity” or carelessness are not justifiable;

  • Respect for privacy is a legal and ethical obligation;

  • Violations can lead not only to dismissal for just cause, but also to civil and even criminal liability.

 

Conclusion

The TRT-2 (Regional Labor Court of the 2nd Region) ruling on the dismissal for just cause of an operator who accessed bank data without authorization shows how the LGPD (Brazilian General Data Protection Law) and employee rights are intrinsically linked.


The law not only protects data subjects but also imposes clear obligations on employees and employers.


Non-compliance can result in severe sanctions, including dismissal for cause, fines, and damage to the company's reputation.


Companies that invest in awareness, clear policies, and monitoring are better prepared to deal with the risks of the digital age.


Workers, in turn, need to understand that data protection is an essential part of their professional responsibilities.


Ultimately, the LGPD is not just a legal requirement: it is an opportunity to build safer, more ethical, and transparent working relationships, strengthening both organizations and the individuals who work within them.

 

 

Source: RHportal

Comentários

bottom of page