LAW AND REGULATIONS
The Federal Law on Protection of Personal Data held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de Particulares) (the "Law") was enacted and entered into force on 6 July 2010.
The Executive Branch issued (i) the Regulations to the Law (Reglamento de la Ley Federal de Protección de Datos en Posesión de Particulares) on 21 December 2011 (the "Regulations"), which entered into force on December 22, 2011, (ii) the Privacy Notice Guidelines on January 17, 2013 (the "Guidelines") which will enter into force on 18 April 2013, and (iii) the Parameters for Mandatory Self-Regulation on 17 January 2013 (the "Parameters") which entered into force on 18 January 2013. References to the Law throughout this document include the Regulations, the Guidelines and the Parameters.
The Law applies to personal data and sensitive personal data (see definitions below): (i) processed in a facility of the data controller located in Mexican territory; (ii) processed in any facility regardless of its location if the processing is performed on behalf of a Mexican data controller; (iii) where the Law and the Regulations are applicable as a consequence of Mexico's adherence to an international convention (even where the data user is not located in Mexico); or (iv) where the data controller is not located in Mexican territory but uses means located in Mexico to process personal data located abroad. However, when personal data is only in transit through, and is not processed in, Mexico, the Law does not apply.
The Law is limited in its application to the private sector, and does not apply to the government.
DEFINITION OF PERSONAL DATA
"Personal Data" means any information concerning an identified or identifiable individual. Unless otherwise noted in this document, personal data includes sensitive personal data.
DEFINITION OF SENSITIVE PERSONAL DATA
"Sensitive Personal Data" means personal data touching on the most intimate areas of the data subject's life, or data the misuse of which may lead to discrimination or serious risk to the data subject. Specifically, the definition includes data which may reveal items such as racial or ethnic origin, present or future health status, genetic information, religious, philosophical or moral beliefs, union affiliation, political views, and sexual orientation.
NATIONAL DATA PROTECTION AUTHORITY
The Federal Institute for Access of Information and Data Protection (Instituto Federal de Acceso a la Información y Protección de Datos (IFAI)) ("IFAI") and the Ministry of Economy (Secretaría de Economía).
REGISTRATION
Not required.
DATA PROTECTION OFFICERS
All data controllers are required by Law to designate a personal data officer or department (jointly hereinafter referred to as the "Data Protection Officer") to handle requests from any data subjects (called "Data Owners") exercising their rights under the Law. Data Protection Officers are also required to promote the protection of Personal Data within their organizations.
Data controllers located outside Mexico who process personal data of Mexican data subjects abroad must appoint a representative or set up a sufficient alternative mechanism to comply with all aspects of the Law (e.g. comply with "ARCO" rights discussed below).
COLLECTION AND PROCESSING
The term "processing" is broadly defined to include the procurement, use, access, management, transfer, disposal, disclosure or storage of personal data of an identified or identifiable individual by any means
Data subjects are entitled to a reasonable expectation of privacy in the processing of their personal data, – i.e. reliance on the assumption that the personal data provided by the data subject will be treated as agreed upon by the parties (in the privacy notice or otherwise) and in compliance with the Law.
To process personal data, data controllers must provide a privacy notice (Aviso de Privacidad) (the "Privacy Notice"), which must be made available to a data subject prior to the collection and processing of his or her personal data. The Privacy Notice may be provided to data subjects in printed, digital, visual or audio formats, or any other technology.
The Privacy Notice must contain: (i) the identity and domicile of the data controller collecting the data; (ii) the purposes of the data processing; (iii) the options and means offered by the data controller to data subjects to limit the use or disclosure of data; (iv) the means for exercising rights of access, correction, cancellation or objection in accordance with the provisions of the Law; (v) where appropriate, the types of data transfers to be made; and (vi) the procedure and means by which the data controller will notify the data subjects of changes to the Privacy Notice. For transfers, the Privacy Notice must contain the name of the transferee or the person to whom the information is transferred.
The Guidelines consider three forms of privacy notice: comprehensive, simplified and shortform, depending on whether the data is personally obtained from the data subject, the data is obtained directly or indirectly from the data subject or the space to obtain data is minimal or limited (where the space allotted for the gathering of personal data or the Privacy Notice is also minimal or limited), respectively. Each of these forms must meet specific disclosure requirements. The Privacy Notice must be drafted in simple, clear and comprehensible terms, contain all necessary information specified above, and be available in Spanish. The Privacy Notice must be made available to the data subject prior to the collection of the data, at first contact if obtained indirectly or prior to their use when obtained indirectly and no contact is required with the data subject. There are some exceptions to the requirement to provide a subsequent Privacy Notice, such as when the data will be used for scientific, statistical or historical purposes. The data controller has the burden of proof to show that the Privacy Notice was provided.
Personal data must be collected and processed in a lawful manner, in accordance with the provisions of the Law and Regulations, and may not be obtained through deceptive means.
Consent is required for all processing of personal data, except as otherwise provided by the Law. Implicit consent (notice and opt out) applies to the processing of personal data. Express consent (notice and opt in) applies to the processing of financial or asset data and Sensitive personal data, unless an exception applies. With respect to personal data, consent may be communicated verbally, in writing, by electronic or optical means, via any other technology, or by any other unmistakable indications. However, a Data Controller must obtain express written consent from the data subject for any processing of Sensitive Personal Data; written consent may be obtained through the data subject's written signature, electronic signature, or any other authentication mechanism set up for such purpose.
Further, databases containing sensitive personal data may not be created unless justified by legitimate, concrete and consistent purposes, in furtherance of the explicit objectives or activities pursued by the data controller.
Exceptions to the consent requirement for processing of personal data, including sensitive personal data, apply where: (i) exempted by other legislation; (ii) the data is contained in publicly available sources; (iii) the identity of the data subject has been disassociated from the data; (iv) processing is for the purpose of discharging obligations under a pre-existing relationship between the data subject and the data controller; (v) there is an emergency situation that could potentially harm an individual with regard to his person or property; (vi) processing is essential for medical attention, prevention, diagnosis, health care delivery, medical treatment or health services management, where the data subject is unable to give consent in the manner established by the General Health Law (Ley General de Salud) and other applicable laws, and said processing is carried out by a person subject to a duty of professional secrecy or an equivalent obligation; or (vii) pursuant to resolution issued by a competent authority.
Processing of personal data must be limited to the fulfilment of the specific purposes set out in the Privacy Notice. If the personal data is used for a purpose not identified in the Privacy Notice, consent of the data subject is required anew.
Databases containing sensitive personal Data may be created only: (i) where necessary to comply with a legal requirement; (ii) where justified for purposes of national security, public order, public health, or for the protection of third party rights; or (iii) when the data controller is compelled to create it for a legitimate and specific purposes.
The data controller must ensure that Personal Data contained in databases are relevant, correct and up to date for the purposes for which they has been collected. When the personal data are no longer necessary for the fulfilment of the objectives set forth in the Privacy Notice and applicable laws, they must be eliminated.
The Data Controller must also, among other things, implement privacy policies and mandatory privacy programs, set up supervisory systems, update and inform its personnel about matters regarding protection of Personal Data, and set up procedures to receive and process complaints and resolve questions from data subjects.
TRANSFER
The data controller may freely transfer personal data to domestic or foreign third parties, if the Privacy Notice so provides and the data subject has not opted out. Details regarding the transfers (recipient of the personal data, purposes of the transfer, etc.) of personal data must be provided under the Privacy Notice.
Any third party receiving personal data assumes the same obligations as the data controller that transferred the personal data. Except for disclosures to data processors, personal data may only be transferred for the purposes authorised by the data subject's consent to the Privacy Notice, which must be opt out or opt in depending on whether the information is personal data or sensitive personal data, respectively.
Domestic or international transfers of personal data may be carried out without the consent of the data subject where: (i) the transfer is pursuant to a law or treaty to which Mexico is party; (ii) the transfer is necessary for medical diagnosis or prevention, health care delivery, medical treatment or health services management; (iii) the transfer is made to the holding company, subsidiaries or affiliates under the common control of the data controller, or to a parent company or any company of the same group as the data controller, operating under the same internal processes and policies; (iv) the transfer is necessary by virtue of a contract executed or to be executed between the data controller and a third party in the interest of the data subject; (v) where the transfer is necessary or legally required to safeguard public interest or for the administration of justice; (vi) where the transfer is necessary for the recognition, exercise or defence of a right in a judicial proceeding; and (vii) where the transfer is necessary to maintain or comply with an obligation binding on the data controller and the data subject.
The Regulations distinguish between domestic and international transfers of personal data. For international transfers of personal data, the third party receiving the personal data must enter into an agreement or other instrument with the data controller to ensure the lawful processing of the personal data in compliance with the Law. The transfer of personal data between or among related corporate entities is allowed for specific purposes as long as those purposes are mentioned and disclosed to the data subject in the Privacy Notice. If the personal data is intended to be used for purposes other than those indicated in the Privacy Notice, then express consent must be obtained from the data subject anew.
SECURITY
All responsible parties that process personal data must establish and maintain physical, technical and administrative security measures designed to protect personal data from damage, loss, alteration, destruction or unauthorised use, access or processing. Data processors may not adopt security measures with respect to personal data that they process on behalf of a data controller that are inferior to those which the processor has in place to manage its own information. The sufficiency of the security measures will be assessed in relation to the risk involved, potential consequences for data subjects, sensitivity of the data, and technological developments. The Regulations set out criteria that must be considered by the data controller in determining the appropriate security measures and actions to protect the Personal data, and require data controllers to periodically review and update their security measures. The IFAI may also issue non-binding recommendations to data controllers for securing personal data when the data controller's security measures are insufficient or may put the personal data in risk.
Data controllers or third parties involved in any stage of personal data processing must maintain the confidentiality of the data, and this obligation continues even after the end of any relationship with the data subject or with the data controller.
Any third party who is in charge of securing personal data on behalf of the data controller ("Third Party") is subject to the same obligations as the data controller to protect the data. The Third Party shall; (i) process the personal data only in accordance with the instructions of and purposes indicated the data controller; (ii) set up security measures to protect the personal data; (iii) keep the personal data confidential; (iv) eliminate the personal data once the legal relationship between the data controller and the third party is terminated; and (v) refrain from transferring personal data, except where (a) the data controller instructs it to do so; (b) the transfer is made to a subcontractor; or (c) the personal data is requested by an authority.
BREACH NOTIFICATION
Security breaches occurring at any stage of processing that materially affect property or Sensitive personal data must be promptly reported by the data controller to the data subject, so that the data subject can take appropriate action to defend his or her rights.
The Regulations provide that breach notification must include at least the following information; (i) a description of the issue; (ii) the personal data that was exposed to the security breach, (iii) recommended actions to the data subject on how to protect his/her own interests and to secure the personal data; (iv) the corrective actions that the data controller will take immediately, and (v) the process pursuant to which the data subject may obtain additional information regarding the data breach, and any information mentioned in the notice to protect his/her interests, the actions to be taken by the data controller to mitigate any harm or damage and the recommendations of the data controller to the data subject on how to mitigate the effect of the breach.
ENFORCEMENT
The provisions of the Law are mandatory, and apply to data controllers and any other person processing personal data. the ifai may act ex-officio or in response to complaints regarding violations of the law. if any breach of the law or the regulations is alleged, the IFAI may perform on site inspections at the data controller's facilities to verify compliance with the Law. Inspections may last up to 180 days.
Data subjects can enforce their access, correction, cancellation and objection rights ("ARCO Rights") via the IFAI and ultimately the court system.
Violations of the Law may result in either monetary penalties or imprisonment.
- The IFAI may impose monetary fines from 100 to 320,000 times the Mexico City minimum wage (approximately US$480 to US$1,534,275, based upon an exchange rate of MxP$13 per US$1). With regard to violations committed concerning the processing of sensitive personal data, sanctions may be increased up to double these amounts.
- Three months to three years imprisonment may be imposed on any person authorised to process personal data who, for profit, causes a security breach affecting the databases under its custody. Penalties are doubled for sensitive personal data.
- Six months to five years imprisonment may be imposed on any person who, with the aim of obtaining unlawful profit, processes personal data deceitfully, taking advantage of an error of the data subject or a person authorised to transmit such data. Penalties are doubled for sensitive personal data.
Data controllers may adopt self regulation mechanisms, such as codes, policies, rules and, standards, or become part of incorporated or unincorporated self-regulatory bodies to support their compliance with the provisions of the Law; these self-regulation standards become binding on Data Controllers and provide prima facie evidence that the Data Controller is in compliance with the Law.
The implementation of the self-regulation mechanisms is regulated at length by the Parameters. The Parameters intend to foster compliance by data controllers with the Regulations, and incentivize the data controllers to apply for certification by the IFAI or other certifying organisms. The Parameters set forth the components that, at a minimum, must be addressed in any self-regulatory mechanism, including, scope, duration, internal updating mechanisms, ARCO rights enforcement, alternate dispute resolution, and form agreements. The Parameters also address the certification system.
ELECTRONIC MARKETING
Email marketing constitutes the processing of persona data and is subject to the Privacy Notice and opt-out consent requirements of the Law.
ONLINE PRIVACY (INCLUDING COOKIES AND LOCATION DATA)
The Guidelines which address the use of cookies, web-beacons and other analogous technologies, require that when a data controller uses online tracking mechanisms that permit the automatic collection of personal data, the Privacy Notice must include; a prominent warning to the data subject of the use of such technologies; the fact that personal data is being gathered; and the option to disable such means (unless they are necessary for technical reasons). The notice must also specify the type of personal data being gathered and the purpose.
However, an IP address alone is not likely to rise to the level of personal data under the Law.
© DLA Piper
This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.
DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to www.dlapiper.com
