The granting of payroll loan for CLT workers, a new federal government bet to make access to credit to workers, may be facilitating a violation of the General Data Protection Law (LGPD).
A reader sought the InfomoneyLast week, being approached by three different banks outside the digital work card after making loan simulations on the e-consigned platform.
But the only data that the Ministry of Labor and Employment (MTE) can inform financial institutions for those who simulate on the government platform are name, social security number, margin of salary available for consignment and employment information – and not phone number or other contacts.
One of these attitudes was documented. Images captured by the reader on his cell phone show that, a few hours after simulating the loan hiring, he received a message on his WhatsApp from Banco do Brasil, where he maintains an active checking account.
In the image below, it is possible to realize that the text has specific information on the proposal offered at CTPS Digital, such as loan and installment value, as well as a link that directs the worker to the available offer.
Sought to know if the above contact is in accordance with what was established by the MP 1.292/2025 and by MTE Ordinance No. 435/2025the press office of the Ministry of Labor denied. “This conduct is not correct,” said the communication team.
Continues after advertising
In addition to BB, other financial institutions were also pointed out by the source because they adopted similar conduct – in a list that includes from traditional banks to Fintech. “We are not aware of it,” said MTE’s advisory.
It is worth mentioning that, as the source did not show evidence of the approaches made by these other financial actors, their names will not be cited in this report, nor were they sought for clarification.
Contact after simulation in the digital work card
Among the rules that guide the payroll loan for CLT workers, Article 6 of Ordinance MTE 435/2025 says that the personal information of the credit borrower and its employment bonds is obtained from the Digital Bookkeeping System of Tax, Social Security and Labor obligations (eSocial) and the National Register of Social Information (CNIS).
Continues after advertising
Already on official government pagesthe information is that only the necessary data for the credit proposal is shared: name, CPF, salary margin available for consignment and company time. There is no mention of contact data, such as landline, mobile or email.
Along with this, Article 2-A of MP 1,292/2025 also provides that the operationalization of this type of payroll be made in digital systems or platforms “maintained by public operators”. For the experts heard by InfomoneyThis provision aims to centralize authorizations in institutional and safe environments.
Thus, the worker is more protected from commercial practices considered improper and the use of sensitive data. For Sergio Pelcerman, a partner of the Almeida Prado & Hoffmann labor area, when addressing the worker based on data such as the status of a pending operation – no clear legal basis or explicit consent – the financial institution may be violating the General Data Protection Law (LGPD).
Continues after advertising
“Although the financial institution directs the worker to a public and official environment (such as CTPS Digital), the prior approach taken outside of these official channels, especially in messaging applications such as WhatsApp, can configure violation of the standard.”
According to him, this type of conduct distorts the purpose of the provisional measure, which is to ensure that the decision of the worker occurs free, autonomously and without external harassment. In addition, Pelcerman recalls that if there is no legal support for the approach, the Consumer Protection Code You may consider sending commercially biased messages outside the official channels, such as commercial harassment or abusive practice.
The reality is that banking institutions often already have personal data from Brazilians. This may include information such as CPF, telephone and financial history on their internal bases, obtained in previous relationships and with authorization from the holders – for the opening of account, loan hiring, credit card, among other procedures.
In the assessment of Alexander Coelho, a partner of Godke Advogados and a specialist in Digital Law and Data Protection, at first glance, it may seem harmless if the bank tries to cross internal data with those provided by the workers in the simulations, but there is what it calls “legal pranks”. He stresses that LGPD requires the use of even internal data to respect the original purpose for which they were collected.
Continues after advertising
“If the phone number was provided, for example, for an account opening, using it to offer payroll, without specific consent, may divert this purpose. The worker may have authorized consignable margin consultation at CTPS Digital, but this does not imply permission for the bank to sew its internal base and start a custom marketing campaign.”
Another warning made by rabbit is the risk of “illicit enrichment” of data. This can happen if the Bank crosses Digital CTPS information (such as consignable margin) with its own data (such as consumer habits), without transparency or authorization, and can create non-consent behavioral profiles.
For the expert, in the case of bank approaches outside the work portfolio app, the legal conflict is not in the use of internal data itself, but in the lack of transparency, consent and proportionality. “Banks need to prove that the customer has agreed with this kind of approach, or risk sanctions.”
Can banks send a message to customer WhatsApp?
If there is prior consent, whether for account holder or not, the sending of communications on WhatsApp by the banks is allowed. “This is a tool used to communicate with customers, make product offerings, business prospecting, and send general alerts,” explains Fábio Abranches, managing partner at Hondatar Advogados.
Continues after advertising
However, in your assessment, it will not be correct if any financial institution is using WhatsApp to promote the continuity of contracting the credit offered at CTPS. “She will be breaking the LGPD and distorting what the standard of payroll loan has.”
If the external approach occurs without the worker’s authorization, it is appropriate to report with the MTE, as well as the National Authority for Data Protection (ANPD), Procons, and the Labor Prosecutor’s Office (MPT).
“Everything is very new, and we are in an experimental phase in these early days. I believe the MPT will be very careful about the veracity of information and solidity of operations so that there is no distortion of the law.”
THE Infomoney He sought BB, presenting the simulation and contact prints in the messaging application. We question whether the bank has made contacts with workers who have made simulations outside the official platform, if the operation performed authorizes the submission of messages with reinforcement of proposals external to digital CTPS and which database was obtained the phone number used for contact via WhatsApp.
By note, the institution stressed that from the authorization to use the data, when simulating the credit at CTPS Digital, “the worker receives the offers up to 24 hours, analyzes the best option and hires on the bank’s electronic channel, according to the program rules”.
“BB makes available to customers with the proposal conditions in the CTPS Digital application. For the continuity of the loan hiring process, which occurs exclusively by bank channels, Banco do Brasil provides hiring options via BB application and via WhatsApp, adding convenience and ease of service,” says the statement.
The institution also indicated the Your dedicated page to pay for workers. In it, BB informs the necessary steps for hiring the loan, the simulation at CTPS Digital to the bank’s app. There, there is also a call to action (marketing technique that aims to encourage the user to perform an action) saying that “BB has the best consignment offer for you.”
For this, the interested party, account holder or not, must complete a form with data such as name, social security number, telephone and email. Here, information sharing is more evident and what removes any question about LGPD is in the girls. “When you register, you agree to receive BB communications,” says the end of the questionnaire.
However, the source that was approached on WhatsApp by BB claims that it has not completed the form in question, nor has it been informed in the simulation that it could be sought by the bank outside the digital work card platform.