Nowadays, the treatment and processing of personal data and consequently, its regulation, have taken great relevance. Our Junior Partner, Emilio Garate explores the relevance of complying with such regulations in Mexico, including the laws that regulate such topic and the points that a complete personal data protection program/policy must include.
Nowadays, the treatment and processing of personal data and consequently, its regulation, have taken great relevance both in Mexico and in the rest of the world.
An event that has caused a high impact in this matter is the entry into force of the General Data Protection Regulation, also known as GDPR. This regulation has been issued in Europe. It provides that any entity or individual, who treats or processes personal data of European Union residents, must comply with the provisions of the GDPR, among other obligations, regardless of whether these entities or individuals are established within the European Union or in any other territory.
In Mexico, the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (National Institute for Transparency, Access to Information and Personal Data Protection), or INAI, is the authority in charge of monitoring compliance with personal data protection regulation. Among others, the following laws regulate the protection of personal data in Mexico:
(i) the federal law on the protection of personal data held by private parties (“Private Parties Law”),
(ii) the regulations of the federal law on the protection of personal data held by private parties, and
(iii) the general law on the protection of personal data held by government agencies.
Firstly, it is important to determine who is bound to elaborate and implement a complete personal data protection program/policy. According to the Private Parties Law, the legal figures that must cover this obligation are: the Data Controller, which is defined as the individual or private legal entity that decides on the processing of personal data, and the Data Processor, which is defined as the individual or entity that, alone or jointly with others, processes personal data on behalf of the Data Controller as a consequence of a legal relationship between them that limits the scope of these data processing activities to the provision of a service.
Secondly, it is essential to integrate a complete personal data protection program/policy. In this sense, I have found people thinking that in order to comply with the data protection regulation in Mexico, it is only necessary to have a privacy notice. Nothing could be farther from the truth. Therefore, a complete personal data protection program/policy must include, at least, the following points:
1. Privacy notices. The company or individual must elaborate privacy notices and deliver them to each of the impacted personnel or individuals. That is to say, the company or individual must elaborate various privacy notices, each addressing specific needs. For example, one privacy notice for employees, one for clients and another for suppliers must be elaborated.
2. The appointment of a privacy officer or committee. This must be done through an internal assembly which formalizes the appointment of the data protection officer or committee. For example, a shareholders’ general meeting.
3. Agreements for personal data processing, as well as clauses to transfer them.
4. Policies and procedures for the exercise of ARCO rights. It is advisable to elaborate forms for requesting the exercise of ARCO (Access, Rectification, Cancellation and Opposition) rights, as well as forms for notifying the corresponding resolutions.
5. Policies for the protection of personal data.
6. Inventories that indicate the type of personal data that is being collected by the company or individual.
7. Data breach notification and response plan, including breach notification procedure. It is advisable to also elaborate a breach notification form.
8. Training programs for management and employees.
9. List of functions and responsibilities of personnel in charge of personal data.
10. Manual that specifies the security measures that will be applied by the company or individual. It is advisable to elaborate storage media records, including a list of security measures applicable to every personal data database.
It is worth mentioning that failing to comply with the Private Parties Law may result in significant sanctions, such as fines of up to US$1.5 million.
In conclusion, in order to avoid being subject to the above-mentioned sanctions, it is important to elaborate and implement a complete and accurate personal data protection program/policy, which covers no fewer than these 10 points.