In the past week, McDonald’s disclosed that it was the latest company to suffer a data security incident involving clients’ personal data. The fast-food company sent an email to its clients informing them that several clients’ personal data, such as taxpayer number (CPF), name, marital status, email, personal address and telephone number, may have been exposed due to the incident.
The email stated that the incident occurred because one of McDonald’s contractors/data processors allowed unauthorized access to some of its clients’ personal data that were being processed. It also informed McDonald’s clients of the company’s contact channels for further questions.
According to the LGPD, the data controller can be held liable for the acts of its contractors/data processors, although in certain cases the data controller may later seek compensation for damages from the data processor in court. This shows the importance of adapting companies’ commercial agreements to the LGPD, with provisions covering both parties’ obligations and rights, to mitigate risks and avoid future disputes.
On the other hand, in this type of data security incident, data subjects can use the data controller’s contact channels to exercise their rights under the LGPD and request additional information regarding the data processing and sharing, as well as the data security incident. This includes confirming the existence and processing of the data subject’s personal data and being informed whether their personal data were involved in the incident. The data controller is obliged to analyze and address these requests.
Our team is available to provide further information and to assist our clients with their procedures for complying with the LGPD’s regulatory obligations to the ANPD and/or the data subjects.