Brazil’s National Data Protection Authority (ANPD) has released its notes following an investigation into the use of personal data in the pharmaceutical sector. There were concerns regarding practices and whether they complied with the LGPD. There were multiple concerns regarding privacy policies. Some sites did not provide any information at all regarding their privacy policy and others failed to provide important information.
The ANPD has said that, as a whole, the policies lacked:
- Conceptual precision
- Maturity as to data protection
- Information for the data subject
- Clarity on the treatment of personal data.
Loyalty Programs
Those with loyalty programs didn’t address how they store and process the data involved in these programs. Others failed to provide information on how personal data is shared with service providers, social networks and security and regulatory authorities.
For those with loyalty programs that offer discount coupons and cashback, there were many issues with missing information. The legal bases on which data was collected were not made clear. Individuals were also not informed that there were data sharing agreements with advertisers, service providers, authorities and other third parties. It was not clarified what data was shared and there was no information on how data is processed within pharmacies.
There were concerns regarding whether a consumer’s right-to-information request would encounter problems if their information had been used within a loyalty program.
Additionally, there were issues found in the way that accumulated points could end up creating sensitive information about individuals. As purchases are made and points are accumulated, the purchase history is recorded. By noting multiple purchases, one could gather information regarding a person’s health or sex life. This would be fine if the legal bases for this data collection were made clear, which they have not been.
There is no reason why loyalty programs cannot take place but there must be transparency between the company and the individuals.
Biometric Data
Some pharmacies were also found to be using the biometric data of customers. It was being used to identify customers, validate customers’ registration and prevent fraud.
Biometric data can be used but must meet the principles of necessity and minimization. It may not be the only form of identity verification, and if verification can be done via non-sensitive personal data, then it should be considered whether there is any reason to be using biometrics.
When collecting biometric data there needs to be a face-to-face conversation where the consumer is made aware of what this means for data processing. Any biometric data being compromised can cause serious harm to the data subject impacted.
Value Privacy’s experts are on hand to make sure that you and your company aren’t caught out by new or existing privacy laws.
You can find out more about the services we offer or just get in touch with us directly with any questions you have about how privacy laws impact you.