Almost 8 years years ago, the Mexican Federal Law on the Protection of Personal Data held by Private Parties (the Federal Law on Data Protection) was enacted. Almost 8 years ago, things started to change in Mexico.
At that time, when companies faced the question "Do you comply?" it was not unusual to hear this kind of answers:
- This is a fad!
- Who REALLY cares about personal data?
- My company doesn't need to comply with THAT law, I only process client's information.
- My IT department is in charge.
- My American/European parent company is in charge of THAT stuff.
Nowadays, things are different and data protection is here to stay in Mexico.
It doesn't matter if your company is 100% Mexican or if it is a subsidiary of a foreign company, chances are that you must have to comply and that you really need to review your compliance level (certain companies only comply with one of eight Data Protection Principles).
How unique is the Mexican Data Protection Law?
In a broad sense, the Federal Law on Data Protection is unique in its own way, but it is impossible not to find European, American and APEC-region influences on it. Simply, Mexico was behind a global trend and its new Federal Law was feed with the experience of several countries.
Many times, I have said that the Mexican Data Protection Law has an 80% European DNA, mostly because of the Data Protection Principles that were introduced into the Mexican legal system (and the "ARCO rights") by reference to the then-in-force Data Protection Directive and the then-forthcoming GDPR.
Because of that, it is easier for European organizations to understand the Mexican data protection requirements; but any DPO with knowledge about the requirements of the European GDPR will find that some Mexican principles are quite similar to those that soon will be enforceable in the EU.
What should I do?
The truth is that you will have to comply at a local level, by means of at least:
- a review and assessment of all your data flows,
- a review of electronic and physical formats that your company uses to collect personal data,
- an assessment over how your company complies with eight (8) data protection principles,
- an inventory of your filing systems and the relevant security measures applied to them,
- a review of your contracts with the relevant data processors,
- a review of your contracts with data importers (including foreign data processors, if that is the case),
- implementation of an effective procedure to address data access, rectification, deletion or opposition rights (known in Mexico [and Spain] as ARCO Rights).
- designation of an internal or external "personal data person or department", which in large organization will act as a DPO,
- ensure the existence of a Data Breach Management and Notification Procedure,
- implement "accountability" measures like data protection training for your personnel and the implementation of data protection policies, codes of conducts and/or information security procedures, and
- draft and made available new privacy notices, compliant with the Mexican requirements.
What are the fines?
For 2018, the following sanctions and fines apply:
b) Fines from $8,060.00 to $12,896,000.00 Mexican pesos (approx. US$430 to US$689,550 or €350 to €559.000) per breach, and
c) Fines from $15,098.00 to $24,156,800.00 Mexican pesos (approx. US$860 to US$1,379,100 or €700 to €1.118.000) per breach.
Please note that fines for any breach of the Mexican Data Protection Law may double the amount of the relevant fine if sensitive data are involved.
BGBG and Data Protection
Our team will be glad to assist you at any moment to answer your questions and to provide legal counseling to comply with the Mexican data protection legal provisions. A list of our specialized services can be reached, here.
Please note that BGBG has been recognized, for the third year in a role, as one of the best Mexican law firms on data protection. You can check the complete ranking, provided by Leaders League®, here: http://www.leadersleague.com/en/rankings/2017-ranking-of-the-best-law-firms-in-mexico-data-protection
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.