Digital queue and Brazil's LGPD: what changes in your operations

Every digital queue system collects at least two pieces of personal data: name (to call the customer on screen or over the speaker) and phone number (to send a WhatsApp notification when their turn is near). Both fall under the LGPD definition of personal data: any information that identifies or can identify a natural person. Even a simple check-in is therefore personal data processing under Brazilian law — and it requires a legal basis, even if the process is simple and the only goal is queue management.

The complication arises when check-in includes a priority category. When a patient or customer marks 'elderly,' 'pregnant,' 'PwD,' or 'obese' on the kiosk screen or QR-code form, you're collecting data related to health status — which LGPD art. 5, XI classifies as sensitive data. Art. 11 sets a stricter legal regime for sensitive data: the available legal bases are more limited and the required documentation is more rigorous. Using the same legal basis as for regular personal data — such as generic legitimate interest — for sensitive data is a compliance error.

For regular personal data, the most common legal basis in queue operations is legitimate interest (LGPD art. 7, IX): the business has a legitimate interest in organizing service, and the customer has a legitimate interest in being called on time. This works for name, phone number, and arrival time. For sensitive data, art. 11 requires one of: specific and highlighted consent from the data subject, compliance with a legal or regulatory obligation, or regular exercise of rights — among other less applicable bases. The chosen basis must be documented internally, not just applied in practice.

The strongest legal basis for collecting priority category data in the queue context is compliance with a legal obligation (art. 11, II, a): Brazilian Law 10.048/2000 imposes an obligation on businesses to provide priority service — and to comply, they must identify who qualifies. This creates a direct link between collecting the sensitive data and complying with the law. Internal documentation must record this justification: priority category data is collected to enable compliance with Law 10.048, grounded in LGPD art. 11, II, a.

Before putting a digital queue system into operation, the business needs a Record of Processing Activities (RoPA) — or at minimum an internal document describing each category of data collected, the purpose, the legal basis, and the retention period. This document doesn't need to be extensive; a four-column table for each piece of data collected is sufficient. For small businesses without a mandatory DPO designation, the owner can maintain and update this documentation.

The privacy notice on the website and at the establishment entrance (QR code or link on the kiosk) must state that the system collects personal data for queue management, that priority category data may be collected when the customer chooses to flag it, and that processing is grounded in a legal obligation (Law 10.048) and legitimate interest (service delivery). It doesn't need to quote LGPD article numbers on the reception sign, but it must be legible. A footer line on the kiosk with a policy link is legally sufficient.

For healthcare businesses — clinics, labs, hospitals — the ANPD and the CFM (Federal Council of Medicine) have additional guidance. Health data in health services is subject to professional confidentiality, independently of the LGPD. This means that beyond having the right legal basis, internal access to the data must be controlled: reception staff should not have access to other patients' priority history, and the system should log who accessed which data and when.

LGPD art. 6, III establishes the necessity principle — data minimization: collect only data strictly necessary for the stated purpose. For a digital queue, the purpose is organizing service and notifying the customer. That requires: name (to call), phone number (to notify via WhatsApp), and priority category (to comply with Law 10.048). It does not require: CPF (Brazilian tax ID), date of birth, full address, email, or specific medical diagnosis. When a system requests data beyond what's necessary, it creates unnecessary compliance risk with no operational benefit.

A common mistake is requesting a specific diagnosis or medical certificate to justify priority status. For queue purposes, the category is sufficient: 'PwD' or 'pregnant,' without specifying the disability type or weeks of pregnancy. The business can require showing an ID or medical certificate at reception — a good fraud-prevention practice — but that data doesn't need to be entered in the system; it's only visually verified. What goes into the database is the category, not the diagnosis.

The LGPD doesn't set a single retention period for all data. The general rule (art. 16) is: data must be deleted at the end of the processing, except in legally mandated retention cases. For phone numbers collected for queue notification, the purpose ends when service is completed — the number can be discarded the same day. For the queue log (arrival time, category, wait time, operator), the purpose includes audit and compliance with Law 10.048, which justifies a longer retention period.

Procon and ANPD inspections typically request 3 to 6 months of history. For regulated sectors (healthcare, notary offices, government bodies), 12 to 24 months of queue logs is a defensible retention period — on condition that logs are anonymized or pseudonymized after service: strip name and phone number, keep only aggregate data (day, time, category, wait time, outcome). Anonymized data is not personal data under LGPD (art. 5, III), so it doesn't require a legal basis for retention, which greatly simplifies data lifecycle management.

LGPD art. 18 grants data subjects rights of access, correction, deletion, anonymization, portability, and information about processing. The response deadline is 15 calendar days (art. 19). For a digital queue business, the most common requests are deletion ('erase my data') and access ('what data do you have about me'). The contact channel for exercising rights must be stated in the privacy policy — a dedicated email address is sufficient; a sophisticated portal is not required.

When a deletion request arrives, the practical procedure is: confirm to the data subject which data was collected, delete name and phone number from historical records, retain only the anonymized queue log for audit purposes (no personally identifiable data), and internally record the request and response with dates. This internal record serves as evidence of compliance if the ANPD or courts question the process. A simple spreadsheet with request date, request type, response given, and response date is sufficient for most small and medium businesses.

The ANPD increased enforcement frequency from 2023 onward. Penalties under LGPD art. 52 reach up to 2% of the company's net revenue in Brazil in the prior fiscal year, capped at R$50 million per infraction. For small businesses — a three-room clinic, a four-chair barbershop, a neighborhood lab — the practical ceiling is much lower. But fines in healthcare businesses ranging from R$15,000 to R$80,000 have been recorded. That's not business-ending money, but it means bureaucracy, legal fees, deadlines, and energy diverted from the business.

The reputational risk can outweigh the fine. Priority category data — which reveals a health condition — carries high potential for embarrassment in a breach. An incident involving this type of data in a clinic or lab can trigger notification obligations to the ANPD and affected data subjects (LGPD art. 48), along with negative press coverage. For businesses whose trust is a core asset — medical practices, labs, specialist clinics — the exposure is disproportionate to the cost of prevention.