What is the Impact of LGPD on CALL CENTERS?!

June 19, 2020

* Rodrigo Santiago 

The General Data Protection Law (LGPD), Law 13.709/18, aims to establish clear, unique and harmonious rules for the processing of personal data in order to guarantee the data subject's right to privacy.

In view of the new rules and the scope of this law, companies from a wide variety of service sectors have begun to develop strategies to comply and avoid the sanctions it provides for. However, some sectors encounter greater difficulties than others, so the purpose of this article is to address how call center companies are impacted by the law and what strategies they can adopt to comply with its requirements.

Definition of Personal Data

First, it is important to understand clearly how the LGPD defines personal data and personal data processing activity. In its Article 3, the law defines processing as:

  • Any processing operation carried out by a natural person or a legal person under public or private law, regardless of the medium, the country of its headquarters or the country where the data are located

In its article 5, the law categorizes the term personal data into three types:

  1. Personal Data: Information related to an identified or identifiable natural person;
  2. Sensitive Personal Data: Personal data about racial or ethnic origin, religious belief, political opinion, membership of a union or of an organization of a religious, philosophical or political nature, data relating to health or sexual life, genetic or biometric data, when linked to a natural person;
  3. Anonymized Data: Data relating to a data subject who cannot be identified, considering the use of reasonable technical means available at the time of processing.

Scope of LGPD

The law will cover any and all organizations or companies that carry out activities involving the use of personal data in the national territory, or extraterritorially, in the following cases:

  • The data processing operation is carried out in the national territory;
  • The personal data are used for the purpose of offering or providing consumer goods or services to customers located in the national territory;
  • The personal data have been collected in the national territory.

The situation of Call Centers

Call center companies process millions of pieces of personal data on behalf of their customers on a daily basis. Because of this amount of information, there is a lot of concern and doubt about what must be done to continue providing services in compliance with the requirements of the law. In addition, what has drawn the most attention is precisely the fines provided for in the law.

It is important to note that call center companies work, for the most part, with the personal data of another company's customers. In this way, they assume the role of "Operator" of this data, and the companies that hire their services are considered "Controllers". However, care is needed, because as companies, call centers are themselves "Controllers" of their employees' data.

Practices for compliance

At first, it is necessary to make sure with your customers that the data subject's consent and authorization to carry out the processing activities is being obtained, and to establish strategies together to obtain this consent.

One of the main points that call center companies will need to be aware of is transparency in communication and in requesting personal information. According to the law, the company must make clear to the client / user the purpose it has for the personal data that was requested; that is, every organization can only request data from its customers that are related to its service. In addition, it is important to note that this does not apply only to new customers who create registrations after the LGPD comes into force. Existing registration bases must be updated, requiring organizations to send their already registered customers a request for consent in relation to the personal data they provided.

In addition to the attention to customer transparency mentioned above, call center companies must make clear to customers where the data will be stored and ensure its protection.

To mitigate the possibility of any data threat and ensure a secure storage environment, we recommend the following practices:

  1. Update internal rules, policies and procedures. 
  2. Establish with the companies that contract your services whether the data subject's consent is being obtained, and jointly work out ways to obtain it. Also define how to handle requests from data subjects and the communication flow in the event of incidents involving personal data.
  3. Update employment contracts, contracts with suppliers and contracts with customers.
  4. Appoint a DPO (Data Protection Officer).
  5. Ensure that all systems used within the call centers are in compliance with the LGPD.


Faced with this new scenario, it is up to call center companies to study the best strategies not only to adapt to the law, but also to continue to exist. The relationship with the customer and transparency have never been more important for the continuity of their activities than now. There is no more room for generic justifications in privacy policies; the customer will need to have confidence that their data will be well used and protected.

* Rodrigo Santiago is a Consultant at SAFEWAY



SAFEWAY is an Information Security consulting company, recognized by its clients for offering high value-added solutions through projects that fully meet business needs. During these years of experience, we have proudly accumulated several successful projects that have earned us credibility and prominence among our clients, who in large part are among the 100 largest companies in Brazil.

Today, through 17 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best technology solutions, processes and people. SAFEWAY can also help your organization by validating compliance and maturity with GDPR (General Data Protection Regulation) and LGPD (General Data Protection Law), considering the business environment in which it operates, in order to identify the main action plans for compliance with the regulations, aiming at process improvements and gains for your organization.