Mexico jurisdiction report: The treatment of personal data
The law defines “personal data” as any information by which a person is identified or might be identified. The law also establishes the term “sensible personal data”, which is defined as any personal data that affects the most intimate details of its owner, or data the wrong use of which can create situations such as discrimination or cause a grave risk for the owner.
Under the law, the racial or ethnic origin, present or future state of health, genetic information, religious, philosophical and moral beliefs, union membership, political opinions and sexual orientation are considered as sensible personal data.
This law establishes that the owner of the personal data has certain rights which are known as the ARCO rights (the initials in Spanish), which are:
- Right to access
The owner of the information has the right to access her/his personal data which is in possession of a third party and to be notified through the data privacy notice about the treatment given to the personal data.
- Right to rectification
The owner of the information has the right to correct the data when it is incomplete or incorrect.
- Right to cancellation
The owner of the information has the right to request the cancellation (removal) of personal data. This action will result in a blocking period, after which the suppression of the data will take place. If the cancellation request is applicable, the authority responsible for the treatment of the personal data will follow the next steps:
- Determine the period in which the information will be blocked. This period must be notified to the owner of the information;
- Block the information;
- Implement measures which, if applicable, will allow the information to be maintained without being exploited;
- Inform any third party which might have received the information that it is to be suppressed; and
- Suppress the information in a manner that such information will not be recovered under any technique.
- Right to oppose
The owner of the information has the right to oppose the use of his/her personal data by the third party.
Cancellation
Personal data may not be cancelled when the following occurs:
- The personal data relates to the parties of a private agreement and is is needed for the agreement’s purpose.
- It must be handled by legal disposition.
- It obstructs judicial and administrative procedures relating from tax obligations, investigation and prosecution of felonies, among others.
- It is necessary to protect the judicial interests of the owner of the information.
- It is necessary for an action in the public interest.
- It is necessary to comply with a legal obligation acquired by the owner of the information.
- It is handled for a medical prevention or for a medical detection as long as the handling of the personal data is made by a healthcare professional which is under an obligation of secrecy.
Complying with the law
What we have seen in our practice is that small and medium companies in Mexico are willing to comply with the law, but they do not understand the process enough to fully implement its data privacy policies. They may draft a data privacy notice without any real policy to back it up, or they do not fully understand what type of information is considered personal data when drafting the notice.
To implement a data privacy policy, the first step is to categorise the information that is collected and classify it as business information and personal information.
Already registered?
Login to your account
If you don't have a login or your access has expired, you will need to purchase a subscription to gain access to this article, including all our online content.
For more information on individual annual subscriptions for full paid access and corporate subscription options please contact us.
To request a FREE 2-week trial subscription, please signup.
NOTE - this can take up to 48hrs to be approved.
For multi-user price options, or to check if your company has an existing subscription that we can add you to for FREE, please email Adrian Tapping at atapping@newtonmedia.co.uk