Adaptation to LGPD required in the production chain

We have been talking for a long time about the need to adapt the entire production chain to the Basic Data Protection Act.

But what is the production chain?

Any company or self-employed providing services to the Controller, that is to say the main company authorized to decide on the nature, purpose and hypotheses of the processing of the personal data in its database.

We recently had a specific case that implemented what we have long warned against: the need to adapt the entire production chain.

Mc Donald’s notified its owners and the public on April 17, 2022 of the occurrence of an incident involving personal data from its database.

The problem is that the reported incident did not occur within Mc Donald’s itself, but in the environment of one of its operators, i.e. one of the companies that provide services to Mc Donald’s and in particular allow unauthorized access to personal data of holders, including sensitive data .

Sensitive data within the meaning of the Basic Data Protection Act is all personal data.racial or ethnic origin, religious beliefs, political opinions, membership of a trade union or organization of a religious, philosophical or political nature, data relating to health or sex life, genetic or biometric data if linked to a natural person”.

This incident reinforces the need to adapt to the LGPD of all operators, that is, all companies that offer products or services for the main company.

It is of no use if your company is in the process of adapting to the LGPD and all its suppliers, i.e. the so-called production chain, and is not in the same process.

If an incident involving personal data occurs in one of them, as in the specific case of Mc Donald’s, the data controller, i.e. the main company, is jointly and severally liable for all data supplied to the holders.

The law provides specific details on the rights of owners.

All claims of the Holders are always addressed to the Data Controller, in accordance with the General Data Protection Code pursuant to paragraph 1, article 18 of Law 13.709/2018 reproduced below:

“The holder of the personal data has the right to petition the national authority to the data controller in relation to his data.”

In addition, all lawsuits are always directed against the main company or the person responsible, since the person concerned has passed on his personal data to this company and does not know the suppliers in the production chain.

This is why this awareness is so important that any effort to adapt to LGPD can fail if the other stakeholders are not in the same process.

And to make sure your business is on the right track, check it out

Some practical information security tips for organizations in the process of adaptation:

  1. Information security policy is fundamental

We always believe that people should exercise common sense and responsibility when using company computers, but an IT policy should be a priority.

Everyone should understand the rules regarding everything from passwords to customer privacy to physical and digital protection.

Ensure that all employees have read and signed the company’s information policy.

  1. data and backup

It’s not enough to protect yourself from hackers, malware and attacks, it’s essential to back up your data securely and regularly, with secure access levels for fast and efficient recovery if necessary.

  1. information security

All businesses are under attack by cyber criminals. And small and medium-sized even more.

The main reason is that they are a gateway to their customers and partners as they have access to portals, network and a very strong bond of trust.

But rest assured, criminals will prefer to target SMEs that don’t prioritize information security.

  1. Keep your operating systems and software up to date

Some operating systems are not so insecure, most attacks or virus propagation happen due to some security loopholes, small vulnerabilities that hackers and criminals often exploit.

It is therefore very important to keep systems up to date, preferably automatically.

And remember that not only is piracy a criminal, but it may also deny access to updates, leaving your business vulnerable.

  1. employee awareness

Everyone should understand and take seriously the elements of information security and data protection for their business.

Review information security policies and practices a few times a year.

Set strict guidelines and follow them to the letter.

  1. Checklist of security measures

Finally, have a checklist of the security measures needed to adapt to LGPD and ask your operators to provide documentation to show they are in place and ongoing.

We take the opportunity to invite you to learn more about the GDPR adaptation process: Register to take part in the practical marathon on adaptation to data protection law. There will be 27+ hours of free and certified online content so you can feel confident bringing any business of any size to the General Data Protection Act. To participate, visit the following link:

If you have any questions, we are at your disposal, send us an email:

Dalva Azevedo Neiva is co-founder and partner of USE Tecnologias®, Coordinator of ANPPD@ Regional DF, Member of ANPPD® Security Committee, DPO and Data Privacy Consultant Security and Privacy Risk Manager

Dr. Silvia Brunelli do Lago, DPO and Government Relations at ANPPD, effective member of the Privacy and Privacy Committee at OAB/DF, Attorney specializing in Government Relations and Associations. With over 28 years of experience.



Leave a Comment