Nowadays, the treatment and processing of personal data and, consequently, its regulation have taken on great relevance both in Mexico and in the rest of the world.
An event that has had a high impact in this matter is the entry into force of the General Data Protection Regulation, also known as the GDPR. This regulation was issued in Europe. It provides that any entity or individual who treats or processes personal data of European Union residents must comply with the provisions of the GDPR, among other obligations, regardless of whether these entities or individuals are established within the European Union or in any other territory.
In Mexico, the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (National Institute for Transparency, Access to Information and Personal Data Protection), or INAI, is the authority in charge of monitoring compliance with personal data protection regulation. Among others, the following laws regulate the protection of personal data in Mexico:
(i) the federal law on the protection of personal data held by private parties ("Private Parties Law"),
(ii) the regulations of the federal law on the protection of personal data held by private parties, and
(iii) the general law on the protection of personal data held by government agencies.
Firstly, it is important to determine who is bound to prepare and implement a complete personal data protection program/policy. According to the Private Parties Law, the parties that must fulfil this obligation are: the Data Controller, which is defined as the individual or private legal entity that decides on the processing of personal data, and the Data Processor, which is defined as the individual or entity that, alone or jointly with others, processes personal data on behalf of the Data Controller as a consequence of a legal relationship between them that limits the scope of these data processing activities to the provision of a service.
Secondly, it is essential to put together a complete personal data protection program/policy. In this sense, I have found people thinking that in order to comply with the data protection regulation in Mexico, it is only necessary to have a privacy notice. Nothing could be further from the truth. A complete personal data protection program/policy must include, at least, the following points:
Privacy notices. The company or individual must prepare privacy notices and communicate them to each of the...