Many companies in Mexico, particularly those with a large online presence, such as e-commerce businesses, digital marketing agencies, and social media firms, collect personal data from clients, suppliers, employees or any individuals with whom they share a commercial, labor, or contractual relationship. Despite this, a large number of companies fail to properly inform data subjects about how their personal information is processed, which can result in penalties from the authorities or even complaints from the data subjects due to the improper use of their personal information.
To avoid these risks, it is essential that every company that collects or stores personal data has a clear and visible privacy notice. The Federal Law on Protection of Personal Data Held by Private Parties (the "Law") establishes that any party processing someone else's personal data, regardless of the purpose or type of data collected, must first inform the data subject, through a privacy notice, about the use and processing of their personal information. These privacy notices, along with proper legal guidance, are crucial to the effective operation of any website or digital platform.
Privacy Notices
Privacy notices are documents used to inform individuals how their personal data will be processed. As a form of tacit consent, it is important that these notices are accessible to anyone whose personal data is being requested. According to the Law, privacy notices can be presented either in printed form, such as in a physical contract, or digitally, by the company's website.
The Law establishes that a privacy notice must include, at the minimum, the following:
- The identity and address of the data controller who has access to the personal data
- A clear specification of the personal data being collected, clarifying any information that is considered as sensitive
- The purpose for which the personal data will be processed
- The available options and mechanisms the data subject has in order to limit the use or disclosure of their personal data
- Available mechanisms to exercise ARCO Rights (Access, Rectification, Cancellation and Opposition).
- The means through which the data controller will communicate any changes to the privacy notice
It is essential to include each of these elements when drafting a privacy notice. Otherwise, the Law establishes that fines may be imposed, ranging from 100 to 160,000 times the Unidad de Medida y Actualización (UMA), depending on the situation. Additional penalties may also apply for the unlawful processing of personal data, such as using data for purposes not stated in the privacy notice or transferring data to third parties without the data subject's consent.
When handling personal data, companies must implement measures to ensure the protection of said data at all times. This not only protects the rights of data subjects but also helps to avoid legal and financial liabilities. Some recommended measures include:
- Developing internal policies for the proper handling and use of personal data
- Limiting access to personal data to certain authorized personnel only
- Regularly reviewing and updating the implemented privacy notice to ensure compliance with current regulations
What is Personal Data?
Personal data refers to any information that, individually or in combination, can be used to identify a persona, either directly or indirectly. This includes names, signatures, email addresses, phone numbers, home addresses, and more. The Law makes a clear distinction between personal data, like the previously mentioned examples, and sensitive personal data.
Sensitive personal data relates to the most intimate aspects of an individual, and if misused, could pose serious risks to their privacy and integrity. Because of its nature, the unauthorized spreading of this information could lead to discrimination if not properly protected. According to the Law, sensitive personal data includes information that may reveal personal aspects about a person, such as their racial or ethnic origin, health status, religious beliefs, political opinions or sexual preferences. More specific examples include an employee's medical history file or someone's affiliation with a political party. Documents containing this type of information must be handled with greater caution.
Given the nature of personal and sensitive personal data, their processing requires protective measures that must be available to all data subjects. For example, individuals have the right to access, rectify, cancel or oppose the processing and treatment of their data through the ARCO rights, which must always be respected by the data controller.
The use of personal data is always subject to the consent of the data subject. Nobody may use someone else's personal data without obtaining tacit or express consent. The Law states that consent is considered tacit when a privacy notice has been presented to the data subject, and said subject does not object to its terms.
Having a well-crafted privacy notice not only ensures compliance with current regulations, but also strengthens trust with clients, employees, users, suppliers, and business partners. Good privacy practices help avoid penalties and demonstrate a company's commitment to responsibility and data protection. Therefore, having the support and counsel of good lawyers is essential when drafting a privacy notice for your business.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
