The need to adapt to the LGPD across the production chain

There has been talk for some time about the need for the entire production chain to comply with the General Data Protection Law.

But what is the supply chain?

It is all the companies or freelancers who provide services to the data controller, that is, to the main company that has the power to decide on the methods, purposes and hypotheses of the processing of personal data in its database.

We recently had a specific case that made concrete what we had felt for some time: the need to adapt the entire production chain.

On April 17, 2022, McDonald’s notified its data subjects and the general public of an incident involving personal data from its database.

The problem is that the reported incident did not take place inside McDonald’s itself, but in the environment of one of its operators, that is, one of the companies that provide services to McDonald’s, which allowed unauthorized access to the personal data of the data subjects, including sensitive data.

Under the General Data Protection Law, sensitive data are all personal data “relating to racial or ethnic origin, religious beliefs, political opinions, membership of a trade union or organization of a religious, philosophical or political nature, data relating to health or sexual life, genetic or biometric data, if linked to a natural person”.

This incident reinforces the need for all operators, that is, all companies that provide products or services to the main company, to comply with the LGPD.

It is no use for your company to be in the process of adapting to the LGPD if its suppliers, the so-called production chain, are not in the same process.

If an incident with personal data occurs in one of them, as in the specific case of McDonald’s, the data controller, or the main company, is jointly and severally liable for all damages suffered by the data subjects.

There is a specific detail in the law regarding the rights of data subjects.

Any and all claims made by data subjects will always be against the data controller, pursuant to paragraph 1 of article 18 of Law 13.709/2018, the General Law on the Protection of Personal Data, transcribed below:

“The data subject has the right to petition, in relation to their data, against the data controller before the national authority”.

Furthermore, all legal actions will also always be against the main company or the data controller, as the data subject provided their personal data to that company and is not aware of the suppliers in the supply chain.

That is why this awareness is so important: any effort to adapt to the LGPD can fall apart if the others involved are not in the same process.

And to make sure your business is on the right track, check out some practical information security tips to help companies that are adapting:

  1. The information security policy is fundamental

We always think that people will have common sense and responsibility when using corporate computers, but having an IT policy should be a priority.

Everyone should understand the rules on everything from passwords to customer privacy to physical and digital protection.

Make sure all employees have read and signed the company’s disclosure policy.

  2. Data and backup

It is not enough to protect yourself from hackers, malware and attacks; it is essential to back up your data securely and regularly, with secure access levels, for quick and efficient recovery if needed.

  3. Information security

All businesses are targeted by cyber criminals, and small and medium-sized ones even more so.

The main reason is that they represent a gateway to their customers and partners, as they have access to portals, the network and a very strong relationship of trust.

But rest assured, criminals will prefer to attack SMEs that don’t prioritize information security.

  4. Keep your operating systems and software up to date

Some operating systems are not that insecure; most attacks or virus propagation occur because of security holes, small vulnerabilities that hackers and criminals often exploit.

That is why it is very important to keep systems up to date, preferably automatically.

And remember that pirated software, in addition to being a crime, may not have access to updates, making your company vulnerable.

  5. Employee awareness

Everyone should understand the elements of information security and privacy for their business and take them seriously.

Review information security policies and practices a few times a year.

Establish strict policies and follow them to the letter.

  6. Checklist of security measures

Finally, obtain a checklist of the security measures necessary to comply with the LGPD and ask your operators to present documentation proving that the measures are in place, on a continuous basis.


Dalva Azevedo Neiva is Co-founder and Partner of USE Tecnologias®, Coordinator of ANPPD @ Regional DF, Member of the ANPPD® Security Committee, DPO and Data Privacy Consultant, Security and Privacy Risk Manager.

Dra. Silvia Brunelli do Lago is DPO and Government Relations at ANPPD, Effective Member of the Privacy and Data Protection Committee at OAB/DF, and a lawyer specialized in Government Relations and Associative Entities, with over 28 years of experience.


