Data protectioni Requirements for registration
On 5 July 2010, the federal government published in the Federal Official Gazette the Federal Law for Personal Data Protection Possessed by Private Persons (DPL), which has been in force since 6 July 2010 and is intended to protect personal data held by private persons – either companies or individuals – in order to regulate the lawful, informed and controlled treatment of the data, with the objective of ensuring the right to privacy as well as the right of informational self-determination of persons. The DPL protects personal data that is subject to process, use or transfer, at a national and international level.
To clarify the content of the DPL, on 21 December 2011, the Ministry of the Economy published in the Federal Official Gazette the Regulations of the DPL (the Regulations), which have been mandatory since 22 December 2011. The Regulations provide in detail the conditions for the compliance and enforcement of the DPL to bring legal certainty to its regulated subjects.
Both regulatory instruments have a direct impact on employees, either by strengthening their right to privacy in relation to their employer and its subcontractors or to establish duties they must comply with in order to preserve the privacy of the personal data that is processed in the course of their activities.
In terms of the DPL and its Regulations, there is no obligation to register the company – in its role of data controller – with the Mexican data protection agency (the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI)) or any other government body. However, diverse obligations should be fulfilled in order to comply with the provisions of the DPL and its Regulations.
The Regulations compel employers to create an inventory of processed personal data to identify its nature – as sensitive, financial or economic personal data requires the written express consent of the data subject to be collected and processed, and should be protected by stronger measures than 'ordinary' personal data. In addition, the inventory may determine the form of the processed data (i.e., whether it is expressed or contained in a digital format, in printed form, or in visual or audio format).
For the collection and processing of personal data, the general rule is that the data subject must be informed by means of a privacy notice about the collected data, the purposes for the processing and the data transfers, and the means to exercise the right to access, rectify, cancel and oppose the data processing, as well as the means to express his or her consent to authorise the data processing and transfers. However, the data subject's consent is not required for the processing of personal data to be lawful if it is necessary to comply with obligations derived from a legal relationship, such as a labour contract, entered into by the data subject (employee) and the data controller (employer). Candidates for employment do not fall within this exception as they do not have any legal relationship with the employer, so their consent is required to transfer their personal data to a third party.
The Regulations compel companies to limit access to personal data only to authorised employees owing to their position or functions. The DPL also provides that companies must implement and maintain administrative, technical and physical security measures to protect personal data against damage, loss, alteration, destruction, use, access or unauthorised use (Article 19 of the DPL and Chapter III of the Regulations).
Under Article 48 of the Regulations, the employer is compelled to implement a range of actions to ensure that their employees comply with the DPL and its Regulations such as:
- developing binding and enforceable privacy policies and programmes within the organisation;
- implementing a training and staff awareness programme on the obligations regarding personal data protection, including any modifications that are made;
- establishing an internal system for supervision and monitoring, verification or external audits to test compliance with privacy policies;
- allocating resources for the implementation of privacy programmes and policies;
- providing mechanisms for the enforcement of privacy policies and programmes, as well as for sanctioning lack of compliance;
- establishing measures for tracking personal data during its processing;
- establishing procedures to receive and respond to doubts and complaints from the personal data holder;
- establishing measures for the assurance of personal data, in other words a set of technical and administrative actions that guarantee the responsible party's compliance with the principles and obligations set forth by the DPL and its Regulations; and
- establishing measures for the traceability of personal data, that is, actions, measures and technical procedures that allow for the tracking of personal data while it is being processed.
Privacy regulations should be related to a company's internal labour regulations in order to enforce sanctions for infringement.ii Cross-border data transfers
In terms of the DPL and its Regulations, companies are not compelled to register their data transfers at the INAI or at any other government agency and, as a general rule, data transfers are subject to the consent of the data subjects (generally granted through the privacy notice). However, the DPL provides for a few exceptions in which the employee's consent is not required for the data transfer:
- the transfer is necessary for preventive treatment or medical diagnosis, the delivery of healthcare, medical treatment or the management of health services;
- the transfer is to companies under the same corporate control (subsidiaries and affiliates under the common control of the data controller), or to a parent company or an associated company that operates under the same processes and internal policies;
- the transfer is necessary under a contract that has been concluded, or a contract to be concluded, in the interest of the employee by the employer and a third party; or
- the transfer is necessary for the maintenance or fulfilment of a legal relationship between the company and the employee (Article 37 of the DPL).
Neither the DPL nor the Regulations require safe harbour registration for data transfers or for carrying out an onward transfer.iii Sensitive data
In terms of the DPL, sensitive data is defined as data that pertains to the data subject's most intimate sphere, or data that, if misused, could lead to discrimination or cause a serious risk to the data subject. In particular, personal data is considered to be sensitive if it relates to racial or ethnic origin, current or future health status, genetic information, religious, philosophical and moral beliefs, union membership, political opinions, and sexual preference (Article 3, Section VI of the DPL).
Financial and economic data is not included within the category of sensitive data; however, the processing of this data requires the express consent of the data subject, except as provided by law (Article 8, Section IV of the DPL).
The requirement for consent for the collection of sensitive data is more stringent than in the case of non-sensitive data. When sensitive personal data is collected, the privacy notice must address explicitly that it deals with this type of data (Article 16 of the DPL). No databases that contain sensitive data should be created without justifying their creation for legitimate purposes, concrete and consistent actions, or explicit purposes pursued by the regulated subject (Article 9 of the DPL).
If infringements to the DPL are committed in the processing of sensitive data, the penalties can be increased to twice the established amounts (Article 64, Section IV of the DPL).iv Background checks
Under the DPL and its Regulations, background checks, credit checks and criminal record checks are allowed if the candidate for employment has granted his or her express consent, as such records include sensitive data.
Employers must be aware of processing personal data under the principles of lawfulness, consent, information, loyalty, proportionality, confidentiality and accountability, and must be aware of processing the candidate's or employee's personal data or information on a non-discriminatory basis.