In effect since 2020, the General Data Protection Law (LGPD) is impacting various businesses, companies, factories, and any other entity that processes the personal data of customers, employees, and suppliers. Today, we'll discuss the LGPD for restaurants!
For those of you who want to know if this also applies to your restaurant, here's our help section, designed to answer your questions.
Do restaurants need to comply with the LGPD (Brazilian General Data Protection Law)?
The General Data Protection Law (LGPD) applies to all individuals and legal entities, public or private, that process or store personal data. In other words, restaurants are included.
Examples of strategies that rely on customers providing at least some personal data include email marketing and promotional messages sent via WhatsApp. Neither is possible unless the customer has provided that information.
In these two strategies, it is already possible to identify two pieces of data that qualify as personal data. According to the General Data Protection Law, in its Article 5, personal data is classified as:
I – Personal data: information relating to an identified or identifiable natural person. Examples include: email, telephone number, full name, date of birth, ID card number, tax identification number, address, among others.
Email marketing is only possible when customers share their email addresses, and sending messages via messaging apps requires their phone numbers. Restaurants with their own platform, whether an app or a website, where customers enter more details to register and place orders, must take even greater care. There is no delivery without an address.
What should I do at my restaurant?
Your marketing practices can be maintained as long as they comply with the LGPD (Brazilian General Data Protection Law). The techniques must be secure, and there must be a guarantee that no collected data will be passed on to third parties.
Have a privacy policy that clearly states the purposes and objectives of data collection and that addresses, in clear and objective language, everything involving customer data.
Be transparent about what data is necessary and may be requested for the proper functioning of marketing or customer relations, and about what your customers' rights are regarding their information.
Penalties under the LGPD (Brazilian General Data Protection Law)
There is always a risk of security vulnerabilities, exposure, and unforeseen leaks. Data is very valuable, in the literal sense, and is sold illegally by criminals.
Such events trigger penalties that damage your company's image and will hurt your wallet. Let's see what the penalties are.
In more serious cases, failure to comply with the measures of the General Data Protection Law will result in penalties that will be applied by the National Authority.
- Warning, with a deadline for the offending company to regularize its situation according to the law.
- Fines can reach up to 2% of the business's revenue, with a limit of 50 million reais. A daily fine is also possible, with a maximum value of up to 50 million reais.
- Publicizing of the infraction
- Deletion of stored personal data
Seek help from professionals and technology platforms.
If you are thinking about opening a restaurant, are worried about all the laws that apply to your business, and don't have time to handle the legal and regulatory matters, learn about Privacy Tools, a Privacy Tech company that provides a privacy management tool.
We are experts when it comes to LGPD (Brazilian General Data Protection Law) and personal data protection. We have helped over 500 companies comply with the law.