The ICLG to: Data Protection Laws and Regulations covers relevant legislation and competent authorities, territorial scope, key principles, individual rights, registration formalities, appointment of a data protection officer and of processors - in 42 jurisdictions
Relevant Legislation and Competent Authorities
1.1 What is the principal data protection legislation?
The legal framework for data protection is found firstly in Articles 6 and 16 of the Mexican Constitution, as well as in the Federal Law for the Protection of Personal Data Held by Private Parties, published in July 2010, and its Regulations, published in December 2011 (hereinafter the "Law").
1.2 Is there any other general legislation that impacts data protection?
Yes: the General Law for the Protection of Personal Data in the Possession of Obliged Subjects (which regulates the processing of personal information in the possession of any Federal, State or local authority); the Privacy Notice Rules, published in January 2013; and the Binding Self-Regulation Parameters, also published in January 2013. It is worth mentioning that Mexican data protection laws and general legislation follow the corresponding international laws, directives and statutes, and thus have similar principles, scope of regulation and provisions.
Moreover, there are other laws such as the Criminal Code, the Law for the Regulation of Credit Information Companies; the Law for Regulating Financing Technology Institutions; provisions set forth in the Copyright Law, the Federal Consumers Law and some specific provisions set forth in the Civil Code and the Commerce Code.
1.3 Is there any sector-specific legislation that impacts data protection?
Mexican data protection legislation is not based on sectoral laws. The Law as described above regulates the collection and processing of any personal information ("PI") by any private entity acting as a Controller or Processor, which impacts any sector that implies any sort of personal data collection or processing.
1.4 What authority(ies) are responsible for data protection?
The National Institute of Transparency, Access to Information and Personal Data Protection ("INAI") is the authority responsible for overseeing the Law. Its main purpose is the disclosure of governmental activities, budgets and overall public information, as well as the protection of personal data and the individuals' right to privacy. The INAI has the authority to conduct investigations; review and sanction data protection Controllers; and authorise, oversee and revoke certifying entities.
The Ministry of Economy is responsible for informing and educating national and international corporations with commercial activities in Mexican territory about their obligations regarding the protection of personal data. Among other responsibilities, it must issue the relevant guidelines for the content and scope of the Privacy Notice in cooperation with the INAI.
2.1 Please provide the key definitions used in the relevant legislation:
■ "Personal Data"
Any information concerning an identified or identifiable individual.
■ "Processing"
The collection, use, disclosure or storage of personal data, by any means. Use covers any action of access, management, benefit, transfer or disposal of personal data.
■ "Controller"
The individual or private legal entity that determines the processing of personal data.
■ "Processor"
The individual or legal entity that, solely or jointly with another, processes personal data on behalf of the Controller.
■ "Data Subject"
An identified or identifiable natural person.
■ "Sensitive Personal Data"
Personal data that concerns the private life of an individual, or whose misuse may lead to discrimination or carry a serious risk to the individual. In particular, sensitive personal data are those that may reveal information such as ethnic or racial origin, a present or future medical condition, genetic information, religious, philosophical and moral beliefs, union affiliation, political opinions and sexual preference.
■ "Data Breach"
Any security breach occurring at any phase of the collection, storage or use of data that may significantly affect the patrimonial or moral rights of individuals.
Other key definitions - please specify (e.g., "Pseudonymous Data", "Direct Personal Data", "Indirect Personal Data")
■ "ARCO rights"
The rights of access, rectification, cancellation and opposition with respect to the processing of personal data.
■ "Consent"
An expression of will made by the data owner concerning data collection.
■ "Pseudonymisation"
The processing of personal data in such a manner that it can no longer be attributed to a specific data subject without the use of additional information.
■ "Privacy Notice"
A document issued by the Controller either in physical, electronic or in any other format, which is made available to the data subject prior to processing his/her personal data, and whereby the Controller informs the data subject, among others, about: the terms for the collection of personal data; the identity of the Controller; the purpose of the data collection; the possible transfers of data; and the mechanisms for enforcing the ARCO rights.
■ "Transfer"
Any data communication made to a person other than the Collector or the Processor.
3.1 Do the data protection laws apply to businesses established in other jurisdictions? If so, in what circumstances would a business established in another jurisdiction be subject to those laws?
Businesses located outside Mexico are subject to the terms of the Privacy Notice, and to the Law, only where a data controller transfers personal data collected in Mexico to them, in accordance with the provisions of the Law.
4.1 What are the key principles that apply to the processing of personal data?
■ Transparency
This principle is not defined in the Law; however, the Law makes clear that personal data can in no way be collected, stored or used through deceitful or fraudulent means.
■ Lawful basis for processing
The Collector is responsible for processing personal and/or sensitive data in accordance with the principles set forth in the Law and international treaties.
■ Purpose limitation
Personal data shall only be processed to fulfil the purpose or purposes set forth in the Privacy Notice. Moreover, the purpose stated in the Privacy Notice must be definite, which is achieved by establishing the purpose for which the personal data will be processed in a clear and objective manner that leaves no room for confusion.
■ Data minimisation
The Collector is responsible for, and shall make reasonable efforts to ensure, that the personal data processed are kept to the minimum necessary for the purpose that originated the collection of PI.
■ Proportionality
Data controllers can only collect personal data that are necessary, appropriate and relevant for the purpose(s) of the collection.
■ Retention
The Collector is obliged to retain personal data only for the period of time necessary to comply with the purpose(s) for which the data were collected, and must block, cancel and suppress the personal data afterwards.
Other key principles - please specify
■ Accountability
The Collector must safeguard and be accountable for any PI under its custody, as well as any PI it has shared with any vendor, either in Mexico or abroad. In order to comply with this principle, the Controller must make use of international best practices, corporate policies, self-regulatory schemes or any other suitable mechanism for this purpose.
■ Data quality
This principle is fulfilled when the personal data processed are accurate, complete, pertinent, correct and updated as required, in order to...