The saga of using Biometry digital by Drugsil won a new chapter this Thursday (30). To Techblog, Procon-SP states that it is not satisfied with the response of the company, which belongs to the Raia Drogasil group, the largest pharmacy chain in the country, on the collection and purpose of the data considered sensitive by LGPD. For the pro-consumer agency, it was not clear what is the need for the procedure imposed on the customer for get discounts.
Procon-SP notified Drogasil in July
Procon-SP notified Drogasil on July 7 and asked for explanations about the discount policy applied to all products sold within the chain’s pharmacies. In June, the Techblog heard clients from Droga Raia, which also belongs to Raia Drogasil, who had to provide digital biometrics to obtain discounts that could reach 33%.
In the notification, Drogasil was asked about the criteria adopted to capture customer biometrics, something that goes against the principles of the LGPD, according to experts heard by the Techblog. They were also included in the note sent by Procon-SP inquiries about the collection, processing and storage of sensitive data from customers who take advantage of offers.
Drogasil responds to Procon-SP on biometrics
In reply to notification, Drogasil informed Procon-SP that it uses different criteria to define the discounts practiced. THE offer varies by product category: are different promotions for medicines, health and hygiene products in general. But all are granted equally to customers, says the company.
Drogasil also responded that the right to promotions is not linked to the provision of digital biometrics, and that customers who refuse to provide personal data can take advantage of “standardized discounts”. This statement conflicts with the cases of network customers who were conditioned to swipe the reader to take advantage of offers of items such as powdered milk for children, vitamins and even medicines for recurrent use.
Experts claim that, in this case, Drogasil and Droga Raia do not differentiate between the sale of consent, as lawyer Caroline Dinucci, a specialist in LGPD, explained in an interview with Techblog:
“It is not clear the difference between sale and consent. It’s kind of weird. They cannot require biometrics if there are other ways to confirm identity. Why don’t you ask for the person’s RG document? What will she achieve by storing the biometrics?”
The company also pointed out in response to Procon-SP that “customers can exercise all rights determined by the General Personal Data Protection Law, including correcting and updating your information”.
About biometrics, Drogasil states that, previously, the capture of sensitive data was used only to “identify” consumers who chose to provide the information. The company issued, after notification from Procon, a note confirming the suspension of the collection of digital biometrics from customers.
Even so, the company’s response to Procon-SP states that it continues to use biometrics only for the Universal Benefits Program, a discount agreement for registered companies, with payment through the payroll. According to the service’s website, the most attractive benefit is the reduction in the price of drugs on the network. Univers has over 25 million customers.
The objective of capturing biometrics, in the case of Univers, is “to prevent fraud in the processes of identification and authentication of registration in electronic systems and to guarantee the safety of customers”. Drogasil claims that the benefits program complies with the LGPD.
Answers do not satisfy and Procon-SP may fine Drogasil
But the responses from the pharmaceutical retailer did not meet the requirements of Procon-SP. For the executive director of the agency, Fernando Capez, Drogasil violates LGPD articles by requiring biometrics to practice discounts. Specifically, Capez cites the data processing principles contained in Article 6 of the law, which address the purpose, adequacy and need for collecting information.
Procon-SP says in a note on Drogasil’s responses:
“For Procon-SP, even though the company has informed about the biometric collection policy, it failed to clarify the purpose of this data, it does not specifically prove what would be the need to apply this procedure, even with the allegation of need of identification, it was not clear or evidenced that the identification could not be given by other means.”
The company’s note will now be forwarded to the inspection sector of the pro-consumer agency, which could initiate a new investigation into the use of biometrics carried out by Drogasil. O Techblog found that, as it is the largest pharmacy chain in Brazil, the fine imposed on the company by Procon-SP for the misuse of data should reach the maximum value of R$ 10.7 million.
Raia Drogasil was contacted by the report of Techblog. The company sent a placement in a note:
Drogasil informs that it specifically answered all Procon-SP questions in a timely and transparent manner. In any case, the company remains at the disposal of the agency to provide any further clarification.