Mexico jurisdiction report: The treatment of personal data

19-02-2018

Emilio Garate


The Federal Law on the Protection of Personal Data in Possession of Third Parties 2010 sets a legal framework in which any third party that holds or intends to collect personal data must notify the owner of that information of its intended use.

The law defines “personal data” as any information by which a person is identified or might be identified. The law also establishes the term “sensible personal data”, which is defined as any personal data that affects the most intimate details of its owner, or data the wrong use of which can create situations such as discrimination or cause a grave risk for the owner.

Under the law, the racial or ethnic origin, present or future state of health, genetic information, religious, philosophical and moral beliefs, union membership, political opinions and sexual orientation are considered as sensible personal data.

This law establishes that the owner of the personal data has certain rights which are known as the ARCO rights (the initials in Spanish), which are:

  1. Right to access

The owner of the information has the right to access her/his personal data which is in possession of a third party and to be notified through the data privacy notice about the treatment given to the personal data.

  2. Right to rectification

The owner of the information has the right to correct the data when it is incomplete or incorrect.

  3. Right to cancellation

The owner of the information has the right to request the cancellation (removal) of personal data. This action will result in a blocking period, after which the suppression of the data will take place. If the cancellation request is applicable, the authority responsible for the treatment of the personal data will take the following steps:

     1. Determine the period in which the information will be blocked. The owner of the information must be notified of this period;
     2. Block the information;
     3. Implement measures which, if applicable, will allow the information to be maintained without being exploited;
     4. Inform any third party which might have received the information that it is to be suppressed; and
     5. Suppress the information in such a manner that it cannot be recovered by any technique.

  4. Right to oppose

The owner of the information has the right to oppose the use of his/her personal data by the third party.

Cancellation

Personal data may not be cancelled when the following occurs:

  1. The personal data relates to the parties of a private agreement and is needed for the agreement’s purpose.
  2. It must be handled by legal disposition.
  3. It obstructs judicial and administrative procedures relating to tax obligations, investigation and prosecution of felonies, among others.
  4. It is necessary to protect the judicial interests of the owner of the information.
  5. It is necessary for an action in the public interest.
  6. It is necessary to comply with a legal obligation acquired by the owner of the information.
  7. It is handled for medical prevention or medical detection, as long as the handling of the personal data is carried out by a healthcare professional who is under an obligation of secrecy.

Complying with the law

What we have seen in our practice is that small and medium companies in Mexico are willing to comply with the law, but they do not understand the process well enough to fully implement their data privacy policies. They may draft a data privacy notice without any real policy to back it up, or they do not fully understand what type of information is considered personal data when drafting the notice.

To implement a data privacy policy, the first step is to categorise the information that is collected and classify it as business information and personal information.

Then, it is necessary to identify how the personal data is collected (email, fax, telephone, website or in person) in order to determine (1) how to maintain the personal data securely; (2) who will act as the person responsible for handling the personal data; and (3) the usage to be given to such personal data.

It is worth mentioning that the person responsible for handling the personal data must comply with the law and with the legal rights that the owners of the personal data have.

Once the information and the required use are identified, companies must draft the data privacy notice, clearly stating the use that will be made of the personal data.

Emilio Garate is an associate at Becerril, Coca & Becerril. He can be contacted at: egarate@bcb.com.mx

WIPR