Under the General Data Protection Law (LGPD) now in force, a frequently asked question is whether collection companies contracted by financial institutions, retail chains, or other lending organizations can continue to call individuals – allegedly using their personal data shared by the companies which contracted the service and, therefore, creditors of the vindicated amount – or not.
The answer is relatively simple, from the perspective of the LGPD. Although the LGPD is very similar to the text of the GDPR (the European data protection law), there was considerable political pressure in Brazil to add "credit protection" as one of the legal bases to justify the processing of personal information, in the text of the law – regardless of whether or not the data subject has given consent. As a result, the legal bases of the LGPD encompasses a total of ten (10) legal bases, against only six (6) legal bases of the GDPR. If the reader wishes to go deeper into the topic, simply access the article "The legal bases of LGPD x the legal bases of GDPR, "which compares the two texts' legal bases.
From the perspective of the LGPD, the collection company may pursue the protection of the creditor's credit, for which it has been contracted and is under contract and has received personal data from third parties in debt. However, companies contracting them must monitor some types of collection services due to the (at least) questionable strategies they employ to achieve success. In some cases, these may entail risks that could reach the companies that contracted those services if those contracts haven't clearly defined the scope of the responsibility for the collection companies' methods, including indemnity clauses, in case of joint or subsidiary judicial condemnation.
Simple examples of failures or questionable practices by collection companies can be found below:
On January 4, 2021, CNN Brazil reported that a company that called more than 80 times to collect a debt was ordered to refrain from making any contact with the telephone line holder, in addition to being obliged to indemnify him R$ 5,000.00. The sentence was confirmed by the São Paulo State Superior Court of Justice because the collection was not addressed to the real debtor, and while the line holder tried to inform the company of that fact, the warning was simply disregarded.
And it is precisely at this point of vulnerability that we turn our attention to the LGPD. Suppose the charge is addressed to an individual other than the actual debtor. In that case, it is up to that individual, the victim of the improper charge, to argue that the improper treatment of their personal data violates the LGPD and requires the imposition of the sanctions provided for in Art. 52 of the LGPD. These sanctions range from a warning to a fine of up to 2% of corporate income limited to R$50 million, in addition to other sanctions including the elimination of data, even prohibition of the activity.
Thus, even in Brazil, the moral damage perspective is compensatory instead of punitive, and the indemnities are negligible under the vile argument of unlawful earning. From the LGPD's perspective, mistakes in the charges are more severe and can raise penalties with considerable financial impact.