The Federal Law for the Protection of Personal Information in Possession of Private Parties (the “Law”) was published in the Official Federal Gazette on July 5, 2010; however, it did not take full legal effect until July 6, 2011.
The publication of the Regulations of the Law is still pending. They should be published in the coming weeks.
Below is a Q&A on the most important aspects of the Law.
1. Who is required to comply with the Law?
Response.- Any individual or entity who obtains, uses, divulges or stores personal information by any means. The word “use” includes access, handling, transfer or disposal of personal information.
2. Are there any exemptions?
Response.- Yes. Credit Bureaus and individuals or entities that collect and store personal information for their own exclusive use, without divulging or using it for commercial purposes.
3. If a company collects personal information from employees or any other individuals, is it required to comply with the Law?
Response.- No, provided that the company uses the information for its own exclusive personal use. However, if such information is shared or divulged to any third party, then the company must comply with the Law.
4. If a company shares personal information of employees or any other individual, with banks, insurance companies, credit companies, etc., is it required to comply with the Law?
Response.- Yes. As stated before, only those companies that gather information for their own exclusive personal use, without divulging or using it for commercial purposes, are outside the scope of the Law. If a company shares the personal information of employees, for any reason, with any third party, it will be required to comply with the Law. Therefore, if, for example, a company shares information of its employees with a banking institution in order to open an employee’s bank account for a direct deposit, it will be required to comply with the Law.
5. If a company is required to comply with the Law, what are the principal obligations?
The consent is deemed to have been secured once the company provides a privacy statement to the person from whom the information is collected, and the owner of the personal information does not express opposition to the terms of the statement. The privacy statement must include, among other requirements, the purpose for which the information is being collected and whether the company will share such information with third parties.
For “sensitive personal information”, which the Law considers to be information whose use may result in discrimination or risk to the owner of the personal information in view of his/her race, health, religion, etc., a written or express consent is required. Such consent may be granted orally, verbally, by electronic or optical means, or by any other unequivocal means. With certain exemptions, express consent is also required to use or share financial information.
Also, any company that is required to comply with the Law will be required to protect the personal information that it gathers, and to appoint someone, preferably within the company, as responsible for the handling of any request that is made by the owners of the personal information.
6. What information should the privacy statement include?
Response.- The Law states that the privacy statement should include: (a) the name and address of the person or entity who is gathering the personal information (e.g. your company’s name and address); (b) the purpose for the gathering of the personal information; (c) the options and means offered to the owner of the information in order to limit the use or sharing of the personal information; (d) the procedure to exercise the rights of access, rectification, cancellation or opposition (ARCO rights); (e) the transfers of information that will be made, if any; (f) the procedures that the company will use in order to notify any changes that are made to the privacy statement.
7. How should the privacy statement be made public to the owner of the information?
Response.- The Law states that the privacy statement can be made public to the owner of the information through printed, digitalized, visual and sound formats, or by using any other technology that is available.
Thus, the privacy statement can be made available through a webpage, it can be printed out or it can be recorded. Also, when the personal information is being gathered directly from the owner of the information, the privacy statement must be made available at the time that the information is being gathered, in the formats by which the information is collected, unless the notice has been delivered before.
When the personal information is gathered by any electronic, optical, sound, visual or any other means, the company must inform the owner of the information of the name and address of the person or entity securing the personal information (e.g. your company’s name and address); the purpose for securing the personal information; and the mechanism through which the owner of the information may have access to the privacy statement.
8. So, do we have to deliver or make a privacy statement available to employees?
Response.- Yes, if your company shares personal information of its employees with any third party (including the parent company). For example, with any potential employee, the privacy statement must be delivered when he or she is filling out the employment application, or prior to such time.
A privacy statement should be made available to existing employees.
9. What are the rights of the individuals from whom the information is gathered?
Response.- In general terms, the owners of the personal information have four rights. They are known as the ARCO rights. The owner of the information can exercise the rights of access, rectification, cancellation or opposition (ARCO rights) of the personal information.
There are certain cases in which the company may deny the access, rectification or cancellation of the personal information.
10. Are there any penalties associated with non-compliance of the Law?
Response.- The Law establishes administrative sanctions that range from 100 to 320,000 days' worth of the current minimum wage applicable in Mexico City (approximately US$5.50 per day). Additionally, the Law considers as crimes the unlawful use of personal information, particularly when such use is made for an economic benefit, provoking a security violation of the databases, or when, in order to secure an economic benefit, personal information is secured through deception.
For the latter cases, the Law establishes imprisonment from three months up to five years (a double sentence is applicable in cases of sensitive personal information).
By: Leobardo Tenorio-Malof, Partner, Tenorio, Torres, Pedrin & Tortolero
www.tplegal.net, ltenorio@tplegal.net