On April 18, 2012, there were published in the Federal Official Gazette GUIDELINES FOR IMPLEMENTING COMPENSATORY MEASURES WITHOUT THE NEED FOR AN EXPRESS APPROVAL FROM THE FEDERAL INSTITUTE FOR ACCESS TO PUBLIC INFORMATION AND DATA PROTECTION (the “Guidelines”), which became effective the following day. The official Spanish version is available on:

http://dof.gob.mx/nota_detalle.php?codigo=5244229&fecha=18/04/2012

The purpose of these Guidelines is to establish the terms and conditions under which data controllers may implement, without the need for an express approval from the Federal Institute for Access to Public Information and Data Protection (“IFAI”), alternative measures (implemented by way of exception) to provide a privacy notice to data subjects through mass media or other means of communication, such as: national newspapers, local newspapers or specialized magazines, data controller’s web site, hyperlinks found on the IFAI’s website, posters and radio spots. These measures are known as “compensatory measures” (medidas compensatorias).

The Guidelines will only be applicable when the data controller obtained the personal data before the due date set by the Federal Law on the Protection of Personal Data Held by Private Parties to provide privacy notices, that is, before July 6, 2011. Furthermore, for the Guidelines to be applicable it will be necessary that:  

  1. The data controller be prevented from providing each data subject with the privacy notice, when the data controller does not have contact information of the data subjects, either because such data is not to be found in its files or databases or that such data is incorrect, incomplete, inexact or not updated, or
  2. Providing each data subject with a privacy notice would require disproportionate efforts, if the data controller does not maintain any contact with the data subjects and providing the privacy notice to each data subject would imply an excessive cost, taking into account the number of data subjects involved and the economic resources of the data controller, thus compromising its financial stability, its normal course of business, the viability of its budget or when such activity would be significantly disruptive of its daily operations.  

Also, the purpose of the processing of personal data must remain the same, analogous or compatible with that for which the personal data was originally obtained.

The Guidelines may be applied to the processing of sensitive, property or financial personal data, only when such processing does not require the consent of the data subject.