In October 2016, the Superintendence of Industry and Commerce published a guide that establishes parameters for any natural and/or legal person seeking a declaration of conformity for the international transfer of personal data. Accordingly, those requesting a declaration must provide the following information:

  1. The name and purpose of the personal databases that will be the subject of the international transfer, as well as a description of the processing.
  2. The types of personal data to be transferred.
  3. A copy of the privacy policy of both the sender and the recipient of the databases.
  4. The name or business name of the recipient of the databases, as well as a copy of documentation proving its existence and legal representation.
  5. A copy of the contract, agreement or document explaining the conditions of the transfer and the security and confidentiality measures that will be implemented for the protection of the personal information.
  6. A description of the processing that will be executed by the recipient, as well as its purpose. Additionally, the period of storage of the databases must be determined.
  7. A copy of the information security policy of the recipient of the information. If the recipient does not have such a policy, it must expressly indicate the technical, human and administrative measures that will be implemented for the protection of the personal data.
  8. The mechanisms implemented by the recipient for addressing requests and/or claims from the data subjects in regard to their habeas data rights.
  9. A description of the natural and/or legal persons who will have access to the information transferred, as well as the corresponding confidentiality agreements.
  10. A copy of the regulations regarding the protection of personal data of the country to which the information will be transferred, as well as the regulations corresponding to the powers of the data protection authority. The existing mechanisms for the protection of personal information in the country should also be described, as well as the competent authorities, and the nature of such mechanisms (free or onerous).
  11. The latest report published by the data protection authority of the recipient country, in relation to its accountability in the exercise of its functions.
  12. Any other document and/or information pertinent for the understanding of the intended operation.

As a general rule, international transfers of personal data to countries that do not guarantee an adequate level of data protection are prohibited. However, this prohibition does not apply in specific cases as determined by law, such as when there are express authorizations of the data subjects for the transfer or when the Superintendence issues a declaration of conformity, among others.

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries.
