The Brazilian Data Protection Authority (ANPD) concluded its audit on the processing of personal data by pharmacy chains and loyalty programs, imposing corrective measures on RaiaDrogasil and Febrafar. RaiaDrogasil must offer an alternative to biometric identification for its Univers Program, facilitate customer access to information about data retention, and clarify the use of sensitive data for profiling and advertising purposes. Furthermore, it will face an Administrative Sanctioning Process to investigate possible violations of the LGPD. Febrafar, on the other hand, will need to review its legal basis for data processing, update privacy information on its website, and ensure that its associates make it easier for data subjects to access their rights.
According to the ANPD, the preventive measures applied are not sanctions but instructions to correct identified issues, with penalties possibly resulting if they are not complied with. The Stix loyalty program, also under investigation, had its process archived, with the possibility of future investigations if new facts arise. These decisions highlight the importance of compliance with the LGPD in the retail and loyalty sectors, emphasizing the role of audits in protecting data subject rights.