
Client Alerts

ANPD publishes findings regarding the use of personal data by pharmacies to offer medicine discounts

May 19th, 2023

On May 12, 2023, the General Coordination for Technology and Research (“CGTP”) of the Brazilian National Data Protection Authority (“ANPD”) published a Technical Note containing an assessment of personal data processing in the pharmaceutical sector, especially when associated with the offering of discounts on medicines.

The key findings of CGTP were outlined in an Executive Summary and are listed below:

1. Existing practices that are not fully in compliance with the Brazilian General Data Protection Law (“LGPD”), such as data processing for purposes other than those assigned to the data subject, excessive collection of personal and sensitive personal data, as well as lack of transparency regarding the processing, conditions and exercise of data subjects’ rights.

2. Lack of transparency regarding the scope, purpose and possibility of consent as a legal basis, as well as the consequence of refusing to share data with service providers and other business partners, such as those responsible for loyalty programs, who carry out customer profiling in their interactions with customers.

3. Ineffective compliance with LGPD rules by the evaluated entities. In certain cases, CGTP considered that the data subject’s right to information was harmed, such as in price differentiation conditioned on the provision of personal data in loyalty programs.

4. Need to improve communication with the National Consumer Secretariat (“SENACON”) regarding the granting of discounts conditioned on the supply of personal data by the data subjects, which can harm the consumer’s right to information.

5. The processing of biometric data, which, in addition to being on the 2023-2024 ANPD agenda, must involve the debate and participation of several sectors besides the pharmaceutical industry, and must also comply with appropriate security, technical, and administrative measures.

6. Need for greater transparency regarding the processing of personal data, thus adopting and respecting the legal assumptions and the purposes informed to the data subjects.

7. Need to establish an inspection relationship directly with the processing agents involved in the procedures related to the business model of pharmacies and other representative entities, including loyalty programs, in order to investigate in detail the conditions and purposes of each processing activity, the security measures involved, and the levels of compliance with the LGPD, among other aspects of each processing agent.

As a result of these studies, ANPD has plans to:

(1) develop educational material for the industry regarding the flow of personal data in business models of pharmacies, together with the General Coordination for Standardization (“CGN”), including the concerns raised and appropriate suitability measures;

(2) collaborate with SENACON, which has complementary authority to the ANPD in connection with the business models of pharmacies; and

(3) foster the development of complementary studies, through the General Inspection Coordination (“CGF”), in order to further understand the suitability and compliance procedures for data processing by the pharmaceutical sector in Brazil, as well as to report on the current situation and trends in this market.

Ultimately, the Technical Note demonstrates how ANPD carries out monitoring, enforcement actions with a responsive bias, and standardization, in order to ensure compliance with the LGPD.

Demarest’s Privacy, Technology and Cybersecurity and Telecommunications, Media and Technology teams are available to provide any clarifications that may be necessary.

 

