Digital marketing and the LGPD: what is the agency's responsibility?
Posted: Thu Feb 13, 2025 10:11 am
As a first point, I would like to highlight that the LGPD is not, under any circumstances, a law that prevents the use of personal data. On the contrary, its objective is to establish clear and effective rules regarding the use of such data, and to highlight measures that must be adopted to preserve the privacy and protection of everyone's information.
In this context, it is essential to understand who the agents are, in the law, so that it is possible to verify not only the issue of responsibility in the use of lead data to perform tasks relevant to the contracted work, but also what the rights of the holders are.
So, for the LGPD, we have:
· Holder : natural person to whom the personal data refers, e.g.: the lead.
· Controller : natural or legal belize phone number list person under public or private law responsible for decisions regarding the processing of personal data. Ex: Agency or client, depending on what is agreed between the parties.
Operator : a natural person or legal entity under public or private law that processes personal data on behalf of the Controller. Here, the same example above applies, as the LGPD determines responsibility based on who uses the data.
· Data Controller : professional responsible for acting as an interface between agents. I understand that, depending on the agency's business model, regardless of whether it is a Controller or Operator, it must appoint one.
· ANPD : Authority responsible for monitoring and guiding compliance with the LGPD.
It should be understood that data processing goes far beyond just the collection and use of data; it also includes: sharing, access, modification, storage, that is, any and all operations carried out with a person's data.
In this scenario, the agency's stance must be to fully comply with the law, in all stages and processes, carried out to achieve the objective for which it was hired.
And to this end, clarity is essential regarding the business model itself, strategic planning, organizational chart and task flowcharts in which everyone must be aligned with the LGPD to combat not only the excessive collection of data without a specific purpose, but also which legal bases will be used to support the execution of the object for which the agency was hired.
Special care must be taken at this point, as the agency, depending on the portfolio of services it performs, may play the role not only of Operator, but also of Controller, as it makes decisions and submits data to treatment other than that agreed upon in the contract.
Example: if the agency was hired to create a marketing campaign from data that it accesses in the client's own environment and, for its own convenience, decides to download this data into its directory, without consulting the client, taking away from them the opportunity to indicate how this storage should be done, the agency will go from Operator to Controller.
In this context, it is essential to understand who the agents are, in the law, so that it is possible to verify not only the issue of responsibility in the use of lead data to perform tasks relevant to the contracted work, but also what the rights of the holders are.
So, for the LGPD, we have:
· Holder : natural person to whom the personal data refers, e.g.: the lead.
· Controller : natural or legal belize phone number list person under public or private law responsible for decisions regarding the processing of personal data. Ex: Agency or client, depending on what is agreed between the parties.
Operator : a natural person or legal entity under public or private law that processes personal data on behalf of the Controller. Here, the same example above applies, as the LGPD determines responsibility based on who uses the data.
· Data Controller : professional responsible for acting as an interface between agents. I understand that, depending on the agency's business model, regardless of whether it is a Controller or Operator, it must appoint one.
· ANPD : Authority responsible for monitoring and guiding compliance with the LGPD.
It should be understood that data processing goes far beyond just the collection and use of data; it also includes: sharing, access, modification, storage, that is, any and all operations carried out with a person's data.
In this scenario, the agency's stance must be to fully comply with the law, in all stages and processes, carried out to achieve the objective for which it was hired.
And to this end, clarity is essential regarding the business model itself, strategic planning, organizational chart and task flowcharts in which everyone must be aligned with the LGPD to combat not only the excessive collection of data without a specific purpose, but also which legal bases will be used to support the execution of the object for which the agency was hired.
Special care must be taken at this point, as the agency, depending on the portfolio of services it performs, may play the role not only of Operator, but also of Controller, as it makes decisions and submits data to treatment other than that agreed upon in the contract.
Example: if the agency was hired to create a marketing campaign from data that it accesses in the client's own environment and, for its own convenience, decides to download this data into its directory, without consulting the client, taking away from them the opportunity to indicate how this storage should be done, the agency will go from Operator to Controller.