Do you know what to do with Personal Data once you are no longer entitled to store and/or keep such data?
This is a common question among our clients, since compliance with the Federal Law on Personal Data Protection Held by Private Parties (hereinafter, "Data Protection Law") involves more than the obligation to make a Privacy Notice available; the law also sets forth many other obligations related to the protection and processing of such information, among them the obligation to delete or remove personal data when there are no valid, legitimate, or lawful reasons for its storage or processing.
It is important to emphasize the above, since storing personal data in physical or electronic databases when there is no longer an obligation to store such data may be considered a breach of the Data Protection Law and, hence, the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (the National Institute for Transparency, Information Access and Personal Data Protection; hereinafter, "INAI" for its acronym in Spanish) may impose a sanction.
So, what do you have to do to properly delete personal data?
The answer is not as easy as throwing certain documents in the garbage or sending electronic files to the Recycle Bin.
In order to provide specific information to Data Controllers about the deletion and elimination of personal data, INAI published the "Guide for the Secure Deletion of Personal Data," whose purpose is to guide Data Controllers during the deletion or elimination of personal data, establishing secure procedures to guarantee that personal data may not be retrieved and wrongfully used.
The Guide will help Data Controllers comply with the quality principle of personal data, which establishes that personal data shall be deleted, destroyed, erased, or eliminated once there is no valid, legitimate, or lawful reason for its storage or processing.
By deleting personal data in a secure manner, incidents that may jeopardize confidentiality or integrity may be avoided, since there are methods and techniques that may be followed in order to definitively delete such information. This will decrease the possibility that such information is retrieved or accessed by unauthorized third parties when there is no obligation to store it.
In this sense, by minimizing the risks of...