1 Relevant Legislation and Competent Authorities
1.1 What is the principal data protection legislation?
The legal framework for data protection is found in Articles 6 and 16 of the Mexican Constitution, as well as in the Federal Law for the Protection of Personal Data Held by Private Parties, published in July 2010, and its Regulations, published in December 2011 (hereinafter the "FLPPDHPP").
1.2 Is there any other general legislation that impacts data protection?
Yes, as follows: the General Law for the Protection of Personal Data in the Possession of Obliged Subjects, which regulates the processing of personal information in the possession of any Federal, State or local authority (the "Law"); the Privacy Notice Rules, published in January 2013; the Binding Self-Regulation Parameters, also published in January 2013; and the General Guidelines for the Protection of Personal Data for the public sector (Federal, State or local authorities). It is worth mentioning that Mexican data protection laws and general legislation follow international correlative laws, directives and statutes, and thus have similar principles, regulatory scope and provisions. Moreover, there are other laws such as: the Criminal Code; the Law for the Regulation of Credit Information Companies; the Law for Regulating Financing Technology Institutions; provisions set forth in the Copyright Law and the Federal Law for Consumer Protection; and some specific provisions set forth in the Civil Code and the Commerce Code, which are also related to data protection.
1.3 Is there any sector-specific legislation that impacts data protection?
Mexican data protection legislation is not based on sectoral laws. The Law, as described above, regulates the collection and processing of any personal information ("PI") by any private entity acting as a Controller or Processor, which impacts any sector that is involved in any sort of personal data collection or processing.
1.4 What authority(ies) are responsible for data protection?
The National Institute of Transparency, Access to Information and Personal Data Protection ("INAI") is the authority responsible for overseeing the Law. Its main purpose is the disclosure of governmental activities, budgets and overall public information, as well as the protection of personal data and the individuals' right to privacy. The INAI has the authority to: conduct investigations; review and sanction data protection Controllers; and authorise, oversee and revoke certifying entities.
The Ministry of Economy is responsible for informing and educating on the obligations regarding the protection of personal data between national and international corporations with commercial activities in the Mexican territory. Among other responsibilities, it must issue the relevant guidelines for the content and scope of the Privacy Notice, in cooperation with the INAI.
2.1 Please provide the key definitions used in the relevant legislation:
- "Personal Data": Any information concerning an identified or identifiable individual.
- "Processing": The collection, use, disclosure or storage of personal data, by any means. Use covers any action of access, management, benefit, storage, transfer or disposal of personal data.
- "Controller": The individual or private legal entity that determines the processing of personal data or provides the guidelines for the said processing.
- "Processor": The individual or legal entity that, solely or jointly with another, processes personal data on behalf of the Controller.
- "Data Subject": Any identified or identifiable natural person.
- "Sensitive personal data": Any personal data that may affect the most intimate sphere of an individual, or that which, if misused, may lead to discrimination or carry a serious risk to the individual. In particular, sensitive personal data are considered those that may reveal information such as ethnic or racial origin, a present or future medical condition, genetic information, religious, philosophical and moral beliefs, union affiliation, political opinions and sexual preference.
- "Data Breach": Any security breach that, occurring in any phase of the collection, storage or use of data, may affect in a significant manner the patrimonial or moral rights of individuals.
- "ARCO Rights": The access, rectification, cancellation or opposition rights, which can be enforced by any data subject in connection with the collection or processing of their personal information.
- "Consent": An expression of will made by any data subject, or by any person with legal authority to act on behalf of the data subject, for conducting any activity related to the collection or processing of the personal information of the data subject.
- "Pseudonymisation": The processing of personal data in such a manner that it can no longer be attributed to a specific data subject without the use of additional information.
- "Privacy Notice": A document issued by the Controller in physical, electronic or any other format, which is made available to the data subject prior to the processing of his/her personal data, and whereby the Controller informs the data subject, among other matters, about: the terms for the collection of personal data; which personal information will be collected; the identity of the Controller; the purpose of the data collection; the possible transfers of data; and the mechanisms for the data subject to enforce his/her ARCO rights.
- "Transfer": Any data communication made to a person other than the Controller or the Processor, either in Mexican territory or abroad.
3 Territorial Scope
3.1 Do the data protection laws apply to businesses established in other jurisdictions? If so, in what circumstances would a business established in another jurisdiction be subject to those laws?
Mexican data protection law is not limited to PI Controllers established or operating in Mexican territory. Although the Law does not provide a specific reach or scope of its applicability, the Regulations to the Law do. In this regard, such regulations (and, therefore, the Law), in addition to being applicable to companies established or operating under Mexican law (whether or not located in Mexican territory) apply to companies not established under Mexican law that are subject to Mexican legislation derived from the execution of a contract or under the terms of international law.
Additionally, Mexican regulations on data protection apply to: company establishments located in the Mexican territory; persons or entities not established in the Mexican territory but using means located in such territory, unless such means are used merely for transit purposes that do not imply any processing or handling of personal data; and cases where the Controller is not established in the Mexican territory but the person designated as the party in charge of the control and management of its personal data (a service provider) is.
In the case of individuals, the establishment will mean the location of the main place of business or location customarily used to perform their activities or their home.
4 Key Principles
4.1 What are the key principles that apply to the processing of personal data?
- Transparency: This principle is not defined in the Law; however, the Law makes it clear that personal data can in no way be collected, stored or used through deceitful or fraudulent means.
- Lawful basis for processing: The Controller is responsible for processing personal and/or sensitive data in accordance with the principles set forth in the Law and international treaties.
- Purpose limitation: Personal data shall only be collected and processed in compliance with the purpose or purposes set forth in the Privacy Notice. Moreover, the purpose stated in the Privacy Notice must be certain, which is achieved by establishing the purpose for which the personal data will be collected and processed in a clear, objective manner, leaving no room for confusion.
- Data minimisation: The Controller is responsible for, and shall make reasonable efforts to ensure, that the personal data processed are the minimum necessary for the purpose that originated the collection of PI.
- Proportionality: Controllers can only collect personal data that are necessary, appropriate and relevant for the purpose(s) of their collection.
- Retention: The Controller is obliged to retain personal data only for the period of time necessary to comply with the purpose(s) for which the data were collected, and to block, cancel and suppress the personal data afterwards.
- Responsibility: The Controller must safeguard and be accountable for any PI under its custody, or any PI that it has shared with any vendor, either in Mexico or abroad. In order to comply with this principle, the Controller must make use of best international practices, corporate policies, self-regulatory schemes or any other suitable mechanism to this effect.
- Quality: This principle is met when the personal data processed are accurate, complete, pertinent, correct and updated as required, in order to comply with the purpose for which the personal data were collected.
- Consent: The Controller shall obtain the consent of the data subject prior to the collection of any personal information, and must keep evidence of that consent.
- Loyalty: The Controller is obliged to process any PI collected in a manner that favours the protection of the interests of the data subject and his/her reasonable expectation of privacy.
Originally published by ICLG.