Do you know what to do with Personal Data once you are no longer entitled to store and/or keep such data?
This is a common question among our clients, since compliance with the Federal Law on Personal Data Protection Held by Private Parties (hereinafter, "Data Protection Law") does not only set forth the obligation to make available a Privacy Notice, but it also sets forth many other obligations related to the protection and processing of such information, among others, the obligation to delete or remove personal data when there are no valid, legitimate, or lawful reasons for its storage or processing.
It is important to emphasize on the importance of the above mentioned, , since storing personal data within physical or electronic databases when there is no longer an obligation to store such data, may be considered a breach of the Data Protection Law and, hence, the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (the National Institute for Transparency, Information Access and Personal Data Protection (hereinafter, "INAI" for its acronym in Spanish) may impose a sanction.
So, what do you have to do to properly delete personal data?
The answer is not as easy as throwing to the garbage certain documents or as sending to the Recycle Bin the electronic files.
In order to provide specific information to Data Controllers about deletion and elimination of personal data, INAI published the "Guide for the Secure Deletion of Personal Data," which purpose is to guide Data Controllers during the deletion or elimination of personal data, establishing secure procedures to guarantee that personal data may not be retrieved and wrongfully used .
The Guide will help to comply with the quality principle of personal data, which establishes that personal data shall be deleted, destroyed, erased, or eliminated once there is no valid, legitimate or lawful reason for its storage or processing.
By deleting the personal data on a secure manner, incidents which may jeopardize confidentiality or integrity may be avoided, since there are methods and techniques which may be followed in order to definitively delete such information. This will decrease the possibility to retrieve such information or for being accessed by unauthorized third-parties, when there is no obligation to store them.
In this sense, by minimizing the risks of retrieving personal data, which is no longer allowed to be stored in a data base of the Data Controller, the likelihood of information being leaked and/or the likelihood of personal data being used by unauthorized people is also decreased.
It is important to remember that breaches of the provisions of the Data Protection Law may imply, among other undesirable consequences, the ones listed below: (i) damages to the image and good standing of the company, which may lead to loosing clients and investors; and (ii) economic damages arising from fines or damages compensation.
As for the characteristics of the secure process to delete personal data, INAI's Guide lists the following ones:
- irreversible nature, which means that information may not be retrieved once it is deleted;
- security and confidentiality, which means that the same degree of security and confidentiality must be used for both storage and deletion method; and
- eco-friendly nature, which means that only a minimum amount of emissions and wastes must be produced.
Furthermore, said document explains physical and logic safe deletion methods, which may be implemented depending on the type of process used by a company for the storage of the personal data processed by the company.
In order to choose a deletion method, Data Controllers shall consider their business model, the information volume, the type of personal data, and the budget available for the deletion process. Evidence of such process must always be generated, in order to prove before INAI compliance of this measure.
Finally, please be advised that in order to help determine secure deletion methods, the implementation of a Personal Data Security Management System may be analyzed, in order to create systems to improve personal data processing and security.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.