The General Data Protection Law (LGPD) came into effect in August 2020, raising questions about how to implement it in the day-to-day operations of retail. The new law imposes duties on companies regarding data transparency and security. Inspired by the European General Data Protection Regulation, this law seeks to define what sensitive data is and to set the rules for processing and storing third-party data.
Customer registration in retail remains allowed, but retailers must be aware that, from now on, there are guidelines on how to handle and store this data. It is believed that, in the medium term, this law will impact the cultural shift towards respecting privacy. It will likely cause changes in how businesses collect, store, and share data. Additionally, the accountability of both public and private entities for data breaches and misuse contributes to a more privacy-conscious retail environment and greater trust between all parties. After all, that’s what we aim for, right?
Flow counting through cameras does not require extra adjustments, as all stored data is anonymized and not sensitive, and the images themselves are not saved. It simply indicates that someone entered the establishment. Likewise, collecting customer feedback through a service-related question does not require written consent from the customer or additional care with the data, as long as no personal or sensitive information is stored.
LGPD applies “to any processing operation carried out by a natural person or by a legal entity of public or private law, regardless of the medium, the country of their headquarters, or the country where the data is located,” as long as the processing activity is carried out within national territory, as expressly stated in Article 4 of the law.
But what does this mean? It means that any operation involving personal data, including collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, elimination, evaluation or control of the information, modification, communication, transfer, diffusion, or extraction, must comply with the new data retention criteria, at the risk of penalties, including monetary ones, regardless of the controller’s sector.
The concepts of personal data, as listed in the law under Article 5, sections I, II, and III, are key:
“I – personal data: information related to an identified or identifiable natural person;”
Notice that the legal definition of personal data is not limited to descriptive information about a person, but can also encompass photos, license plates, home addresses, location functions on phones, and other elements that could identify the data subject.
“II – sensitive personal data: personal data about racial or ethnic origin, religious belief, political opinion, union membership, or membership in religious, philosophical, or political organizations, data relating to health or sex life, genetic or biometric data, when linked to a natural person;”
In other words, sensitive personal data relates to privacy, deeper elements of a person’s intimacy and private life. Therefore, greater restrictions are justified for its processing, including more legal protection and a closed list of circumstances under which it can be processed, as seen in Article 11.
“III – anonymized data: data related to a subject that cannot be identified, considering the use of reasonable and available technical means at the time of processing;”
Anonymized data is data that was originally personal or sensitive, but lost its link to the data subject through an anonymization process, defined in Article 5 as “XI – use of reasonable and available technical means at the time of processing, through which data loses the possibility of association, directly or indirectly, with an individual.” Additionally, it must be ensured that the subject cannot be identified later; otherwise the data counts as pseudonymized rather than anonymized, and the two have distinct rules in LGPD.
Another vital element for LGPD implementation is understanding the concept of consent, which the law defines as “XII – consent: free, informed, and unequivocal manifestation by which the data subject agrees to the processing of their personal data for a specific purpose.”
Note that, in cases where the data has already been made publicly available by the data subject, the law does not require explicit consent for its use, as stated in Article 7, paragraph 4. Therefore, the controller can use the data. However, when the data is sensitive, explicit consent from the data subject is required, along with information on the specific purpose for the data’s use, meaning that generic consent for processing personal data is not allowed. Moreover, consent can be revoked at any time.