1 RELEVANT LEGISLATION AND COMPETENT AUTHORITIES
1.1 What is the principal data protection legislation?
The legal framework for data protection is found in the Federal Law for the Protection of Personal Data Held by Private Parties, published in July 2010, and its Regulations, published in December 2011 (hereinafter the "Law").
1.2 Is there any other general legislation that impacts data protection?
Yes. General regulations also apply, such as the Privacy Notice Rules, published in January 2013, and the Binding Self-Regulation Parameters, also published in January 2013. Mexican data protection laws and general legislation follow the corresponding international laws, directives and statutes, and thus share similar principles, scope and provisions.
Moreover, other laws are relevant, such as the Criminal Code, the Law for the Regulation of Credit Information Companies, provisions set forth in the Copyright Law, the General Law for the Protection of Personal Data in the Possession of Obliged Subjects, the Federal Consumers Law, and specific provisions set forth in the Civil Code and the Commerce Code.
1.3 Is there any sector-specific legislation that impacts data protection?
Mexican data protection legislation is not based on sectoral laws. The Law described above regulates the collection and processing of any personal information (PI) by any private entity acting as a Controller or Processor, and therefore affects every sector in which personal data is collected or processed in any form.
1.4 What authority(ies) are responsible for data protection?
The National Institute of Transparency, Access to Information and Personal Data Protection (INAI) is the authority responsible for overseeing the Law. Its main purpose is the disclosure of governmental activities, budgets and overall public information, as well as the protection of personal data and the individuals' right to privacy. The INAI has the authority to conduct investigations, review and sanction data protection Controllers, and authorise, oversee and revoke certifying entities.
The Ministry of Economy is responsible for informing and educating on the obligations regarding the protection of personal data between national and international corporations with commercial activities in Mexican territory. Among other responsibilities, it must issue the relevant guidelines for the content and scope of the Privacy Notice in cooperation with the INAI.
2 DEFINITIONS
2.1 Please provide the key definitions used in the relevant legislation:
"Personal Data" Any information concerning an identified or identifiable individual.
"Processing" The collection, use, disclosure or storage of personal data, by any means. The use covers any action of access, management, benefit, transfer or disposal of personal data.
"Controller" An individual or private legal entity that decides on the processing of personal data.
"Processor" The individual or legal entity that solely or jointly with another processes personal data on behalf of the Controller.
"Data Subject" An identified or identifiable natural person.
"Sensitive Personal Data" Personal data which concerns the private life of an individual, or whose misuse may lead to discrimination or carry a serious risk to the individual. In particular, sensitive personal data is data that may reveal information such as ethnic or racial origin, present or future medical condition, genetic information, religious, philosophical and moral beliefs, union affiliation, political opinions and sexual preference.
"Data Breach" Any breach of security occurring at any stage of the collection, storage or use of personal data which may significantly affect the patrimonial or moral rights of individuals.
Other key definitions - please specify (e.g., "Pseudonymous Data", "Direct Personal Data", "Indirect Personal Data"):
"ARCO rights" The rights of access, rectification, cancellation and opposition in relation to the processing of personal data.
An expression of will made by the data owner concerning the collection of his/her data.
"Pseudonymous Data" Personal data processed in such a manner that it can no longer be attributed to a specific data subject without the use of additional information.
"Privacy Notice" A document issued by the Controller in physical, electronic or any other format, which is made available to the data subject prior to the processing of his/her personal data, and whereby the Controller informs the data subject about, among other matters: the terms for the collection of personal data; the identity of the Controller; the purpose of the data collection; the possible transfers of data; and the mechanisms for exercising the ARCO rights.
"Transfer" Any communication of data to a person other than the Controller or the Processor.
3 TERRITORIAL SCOPE
3.1 Do the data protection laws apply to businesses established in other jurisdictions? If so, in what circumstances would a business established in another jurisdiction be subject to those laws?
Businesses located outside Mexico are subject to the terms of the Privacy Notice, and to the Law, only when the data controller transfers personal data collected in Mexico to them, in accordance with the provisions of the Law.
4 KEY PRINCIPLES
4.1 What are the key principles that apply to the processing of personal data?
Transparency This principle is not defined in the Law; however, the Law makes clear that personal data may in no way be collected, stored or used through deceitful or fraudulent means.
Lawful basis for processing The Controller is responsible for processing personal and/or sensitive data in accordance with the principles set forth in the Law and in international treaties.
Purpose limitation Personal data shall only be processed for the purpose or purposes set forth in the Privacy Notice. Moreover, the purpose stated in the Privacy Notice must be certain, which is achieved by describing the purpose for which the personal data will be processed in a clear and objective manner that leaves no room for confusion.
Data minimisation The Controller is responsible for, and shall make reasonable efforts to ensure, that the personal data processed is the minimum necessary for the purpose for which the PI was collected.
Proportionality Data controllers may only collect personal data that is necessary, appropriate and relevant for the purpose(s) of the collection.
Retention The Controller is obliged to retain personal data only for the period necessary to fulfil the purpose(s) for which the data was collected, and must block, cancel and delete the personal data afterwards.
Other key principles - please specify "Responsibility"
The Controller must safeguard, and is accountable for, any PI under its custody and any PI it has shared with a vendor, whether in Mexico or abroad. To comply with this principle, the Controller must adopt best international practices, corporate policies, self-regulatory schemes or any other suitable mechanism to this end.
This principle is accomplished when personal data processed are accurate, complete, pertinent, correct...