MCDONALD’S SUFFERS DATA LEAK IN BRAZIL

By Fabio Alonso Vieira, Carolina Barbosa Cunha Costa, and Gabriela Tchalian

Arcos Dourados, the company that maintains the McDonald’s network in Brazil, has reported that it suffered a leak of customers’ personal data.

The precise date of the leak is unknown; however, potentially affected customers were notified by email on April 17, 2022. Official announcements were forwarded to the press thereafter.

According to Arcos Dourados, a service provider suffered an incident that resulted in unauthorized access to customers’ personal data.

As far as could be verified, the following has not been disclosed:

(i) the scale of the leak;
(ii) whether other improper forms of processing, such as data alteration, have also occurred;
(iii) whether data subjects other than customers have been affected, for example, employees; or
(iv) the specific measures adopted in response to it.

In the note sent to the press, Arcos Dourados stated that the leaked data consists of name, marital status, address, e-mail, telephone number and CPF/ME number. It highlighted that the list does not include sensitive personal data.

Although the absence of sensitive personal data may seem to mitigate the issue, it is important to note that, according to the Supreme Court decision that suspended Provisional Measure No. 954/2020, there is no such thing as irrelevant data. Personal data or sets of personal data may be combined to generate even more information and details about the affected data subject.

In compliance with its legal duty under article 48, caput, LGPD, in addition to notifying the possible victims, Arcos Dourados informed the National Data Protection Authority (“ANPD”) of the incident. Finally, it made two email addresses available for contact and clarification: sac@mcdonalds.com.br and privacidade.lgpd@br.mcd.com.

At this time, the ANPD has been adopting a more educational than punitive stance in cases of leakage or non-compliance with LGPD rules. This in itself does not mean that, in case of a proven violation of the law, the ANPD will refrain from applying administrative sanctions against Arcos Dourados.

The degree of sanction will ultimately depend on the maturity of the company’s data protection compliance program and its posture in the face of the leak, given that this is not the first incident involving McDonald’s since the LGPD entered into force.

This article is intended exclusively to provide information and does not contain any opinion, recommendation, or legal advice from KV Advogados concerning the matters herein addressed. Copyrights are reserved to Kestener & Vieira Advogados.
