New Federal Law on Data Protection

The domestic Data Protection Law (the “Law”) became effective on July 5th, 2010, and its Regulatory Law became effective on December 22nd, 2011; both are referred to herein as the “Domestic Law”. This new Law imposes stringent requirements with which any organization or individual holding personal data must comply in 2012, as explained below.
The Domestic Law regulates the processing of information relating to individuals (personal data), including the obtaining, holding, use or disclosure of such information, by any corporate or natural private person.

This document will briefly explain the most relevant aspects provided in the domestic regulations in this matter.

In the following paragraphs you will find a brief explanation of the terms used by the Domestic Law.

I. Terms.

Personal Data. Any information regarding an identified or identifiable individual. (For the Responsible to be able to process personal data, he must obtain consent from the owner of such data.)

Sensitive Data. This type of data affects the most intimate aspects of an individual, and an improper use of this data can have serious consequences for the owner of the data. The processing of this data must be justified by its purpose.

Privacy Notice. The physical or electronic document, or document in any other format, generated by the Responsible and made available to the owner of the data prior to the processing of his personal data. (Through this document the Responsible notifies the data owner of the purpose and the data being processed.)

Responsible. The corporate or natural private person that decides on the processing of personal data.

Data Protection Controller. The corporate or natural person that, solely or jointly, processes personal data on behalf of the Responsible. This position can be assigned to a natural person or to an administrative department within or external to the organization.

Governmental Authority. The Mexican Institute of Access to Information and Data Protection is the federal authority in charge of the enforcement of the Domestic Law.

Data Transfer. Any communication of personal data from the Responsible to a third party.

ARCO Rights. Rights by which the personal data owner decides on the treatment of his personal data: Access, Amendment, Cancellation and Opposition.

II. Obligations.

These are the most relevant obligations with which the Responsible and the Data Controller must comply in accordance with the provisions of the Domestic Law.

1. Responsible obligations.

  • Prepare and execute the Privacy Notice.
  • Appoint the Personal Data Controller.
  • Prepare and execute a Service Agreement with the Personal Data Controller.

 

2. Data Protection Controller obligations.

  • Process the requests of the persons whose personal data is processed (ARCO).
  • Implement the Security Measures for personal data protection.

 

III. Processes before the Mexican Institute of Access to Information and Data Protection and sanctions.

  • Rights protection process. Its purpose is to give the data owner a mechanism to appeal the Responsible’s resolutions.
  • Verification process. Its purpose is to allow the Institute to verify effective compliance with its resolution and the provisions of the law.
  • Penalty process. Its purpose is to impose a sanction when there is an infraction of the provisions of the law or non-compliance with the Institute’s resolutions.

 

Non-compliance with the provisions of the Domestic Law has the following consequences:

Administrative Sanctions:

  • Warning to the Responsible to comply with the data owner’s applications.
  • Fine from 100 to 160,000 days of minimum wage salary in Mexico City.
  • Fine from 200 to 320,000 days of minimum wage salary in Mexico City.
  • For a repeated breach of the law, fine from to 320,000 days of minimum wage salary in Mexico City.
  • If sensitive personal data is involved in the infraction, the fine will be doubled.

Criminal Sanctions:

  • A person who is authorized to process personal data and causes a breach in the database under his custody in order to obtain a benefit will be sanctioned with imprisonment from 3 months to 3 years.
  • A person who fraudulently processes personal data, taking advantage of the error of the owner or of the person who is authorized to transfer such data, will be sanctioned with imprisonment from 6 months to 5 years.
  • Such penalties will be doubled if sensitive personal data is involved.

 

IV. Complementary Security Measures.

It is important to prepare the following documents in order to comply with specific provisions of the Domestic Law.

Confidentiality Agreement. It is important to enter into confidentiality agreements with employees in order to bind them to a non-disclosure obligation.

Internal Policies. The purpose of this document is to establish the guidelines that will govern personal data processing within the organization.

ARCO Applications Policies. The scope of this document is to provide the Data Protection Controller with guidelines for processing ARCO Rights applications within the terms established by the Domestic Law.

Personal Data Transfer Agreement. According to the Domestic Law, any Data Transfer must be set out in a written agreement.

V. Additional Suggestions.

It is important to give general training on Data Protection provisions to all members of the organization, in order to avoid any breach in this regard.

Likewise, we suggest including in your email communications, as a footnote, a brief paragraph stating that personal data is protected under law and indicating the location of the privacy notice that governs personal data processing within the organization.

For further questions or comments, please do not hesitate to contact our attorney Andrés Gomez Calderón: agomez@cuestacampos.com

The above is provided as general information prepared by professionals with regard to the subject matter. This document only refers to the applicable law in Mexico. While every effort has been made to ensure accuracy, no responsibility can be accepted for errors or omissions. The information contained herein should not be relied on as legal, accounting or professional advice being rendered.