The purpose of this GT Alert is to inform our friends and clients about the latest developments regarding the Mexican Data Protection Law (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) (hereinafter the “Law”).
The main purpose of the Law is to protect the personal data that individuals provide to third parties (both entities and individuals) (“Responsible Entity”) by imposing several obligations to the recipients, such as creating and communicating a privacy notice.
The Mexican Federal Institute of Access to Information and Data Protection (Insituto Federal de Acceso a la Información y Protección de Datos) or IFAI, which is the Mexican agency with powers to ensure compliance with the Law, has conducted several investigations, verification visits and ruled in a number of cases.
On December 3, 2012, the IFAI published an official communication regarding the issuance of a resolution imposing fines to a Responsible Entity in the pharmaceutical industry in the amount of more than two million Mexican pesos (around US$160,000 dollars). The IFAI´s communication can be accessed in Spanish here.
The IFAI concluded that the Responsible Entity in this case breached the Law by (i) conditioning the sale of certain medication upon including in the corresponding prescription personal data, such as name and domicile of the patient, without providing such customers with a privacy notice as required by the Law; and (ii) failing to identify the Responsible Entity in the privacy notice published on its webpage.
The aforementioned evidences that the IFAI is showing a lot of interest in the enforcement of the Law. Thus, it should not be a surprise if more resolutions imposing fines of this nature are issued. We strongly recommend reviewing your data protection policy with an expert in the field to assure that your operations are being carried out in compliance with the Law.