ANPD releases technical note on personal data processing in Brazil’s pharmaceutical sector

On May 12, 2023, the Brazilian Data Protection Authority (ANPD) published Technical Note No. 4/2022, which provides an analysis of the pharmaceutical sector’s use of personal data.

Since 2020, the ANPD’s Department of Technology and Research (CGTP) has sought to better understand how the pharmaceutical sector process personal data. In carrying out its studies, the ANPD analyzed previous investigations conducted by the Public Prosecutor’s Office, the privacy policies of companies in the sector, as well as meeting with industry representatives for discussions.

In summary, the ANPD reached the following conclusions via the study:

• The pharmaceutical sector still has a significant way to go in regard to protecting personal data in line with the rules established by Brazil’s General Data Protection Law (LGPD);
• There is a general lack of transparency regarding how data processing is carried out by the industry, including in relation to data sharing;
• As a consequence of the lack of transparency, it has become clear that data subjects face difficulties in objecting to their personal data being processed, much of which is classified as sensitive data;
• The studies into loyalty programs require further analysis – the roles of each processing agent within these programs and their forms of data sharing were not clearly identifiable;
• There are opportunities for the ANPD to educate the sector, including potentially developing educational material; and
• There is an opportunity to improve dialogue with the Brazilian Consumer Affairs Office (Senacon) regarding discounts that are conditional on consumers providing consent to having their personal data processed.

The technical note was forwarded to the ANPD’s Department of Supervision and Enforcement, in order to assist in taking any appropriate measures. The ANPD has also made an executive summary available with its main conclusions.

Analyzed practices

Technical Note No. 4/2022 has specifically analyzed certain practices carried out by the pharmaceutical industry that involve personal data flows – such as Drug Benefits Programs (PBMs), agreements with companies, loyalty programs, and data sharing for marketing purposes and delivery services. The following practices particularly stand out:

Drug Benefits Programs (PBMs)

These programs allow customers to purchase medication from pharmacies at discounted rates with the authorization of the laboratory or producer. As mentioned in the technical note:

• As a rule, a PBM requires the subject’s data (government-issued ID number, name and signature) to be registered beforehand;
• In the case of PBMs, the producer rather than the retailer (pharmacies) serves as the data controller, as pharmacies only request an individual’s information to verify their eligibility to receive the benefit.

Corporate agreements

This concerns partnerships established between pharmacies and companies to provide benefits to the latter’s employees. As mentioned in the technical note:

• Pharmacies assume the role of personal data processor, as their function is limited to verifying the subject’s data to check if they are a beneficiary of the agreement;
• It is common practice for pharmacies to transmit beneficiaries’ data (names and purchase values) to their employers.

Loyalty programs

This regards any programs linked to exclusive offers, advertising, and points programs. The technical note highlighted a need to further study the practices conducted in each program, as the ANPD’s study and the CGTP’s meetings did not directly focus on the pharmacies responsible for the programs. However, the technical note has already raised the following considerations:

• Concerns about data sharing with third-party companies;
• Possible prejudice to consumer’s information rights due to the access to discounted products being conditional on participating in loyalty programs;
• Challenges in meeting the requirements for consent, as stipulated in the LGPD.

Biometric data processing

With respect to biometric data processing, the ANPD’s analysis of this practice focused on its use to authenticate the identity of individuals. It confirmed that:

• It is possible to carry out other, less sensitive forms of identity verification than those which record fingerprint or even facial biometric data;
• To protect such sensitive data, it is necessary to ensure sufficient security measures – such as encryption and not sharing the data with third parties – are implemented;
• The use of biometric technology requires contextualization in order to comply with the LGPD.

New measures

On May 3, 2023, the ANPD’s Board of Directors determined to adopt the following measures, as provided for in Technical Note No. 4/2022’s executive summary:

• The ANPD’s Department of Supervision and Enforcement must institute specific procedures to monitor the sector;
• An analysis of the limits – in cooperation with Senacon – regarding consent to data processing as a legal hypothesis for the sector to concede discounts to customers, especially in loyalty programs;
• The ANPD’s Department of Standardization should explore creating potential measures to guide the sector in improving its data security practices.

For further information about the ANPD’s activities and other aspects of data protection, please contact Mattos Filho’s Data Protection & Cybersecurity practice area.