On July 5th, 2010, the Mexican Ministry of the Interior (the "Ministry") published the Mexican Federal Law for the Protection of Personal Data in Control of Private Persons (the "Data Protection Law" or the "Law"), which entered into force on July 6, 2010.

Subsequently, on December 21st, 2011, the Ministry published in the Official Gazette the Regulation of the Data Protection Law (the "Regulation"), which entered into force on December 22, 2011.

The Regulation aims to implement the provisions of the Law and establishes additional duties for individuals who fall within certain cases set forth in the Law.

We would be pleased to assist you with any further questions or concerns that you may have, as well as with defining the internal and external processes required to ensure that your company complies with the Law.

What additional obligations arise under the data protection principles?

The Data Protection Law only states the principles that govern the handling of personal data; the Regulation establishes additional obligations for the responsible person or the handler, according to each particular case. Below is an outline that sets forth the additional duties that complement each principle:

Click here to view the table.

Who is the handler?

The handler is the individual or corporation, public or private, separate from the organization of the responsible person, that alone or jointly with others handles personal data on behalf of the responsible person.

What are the obligations of the responsible person and the handler in relation to security measures in the handling of personal data?

The responsible person and, where appropriate, the handler are obliged to establish and maintain physical, technical and administrative security measures for the protection of personal data. The responsible person may hire an individual or corporation for this purpose.

What are the obligations of the responsible person in case of a security breach?

The responsible person is obliged to inform the data subject of the nature of the incident, the personal data involved, recommendations on the measures the data subject can take to protect his interests, the immediate corrective actions taken, and where he can get more information about the incident.

What obligations arise when a transfer of personal data, whether national or international, is carried out?

A data transfer occurs when data is communicated, within or outside of Mexico, to a person other than the data subject, the responsible person or the handler. In a national transfer, the recipient is governed by the Law and its Regulation and shall handle the personal data as agreed in the privacy notice.

International data transfers are possible when the recipient assumes the same obligations as the responsible person that transferred the personal data.

What is the purpose of the self-enforcement arrangements and how do they work?

Self-enforcement arrangements aim to harmonize the data handling carried out by those who adhere to them and to facilitate the enforcement of the rights of the data subjects.

Click here to view the table.

Additionally, the schemes of self-enforcement arrangements may include the certification of the responsible person, and if he passes it, he will have the duty to certify that the privacy policies implemented by the responsible person subject to their evaluation in order to ensure the lawful handling of personal data.

What are the obligations of the responsible person when the data subject exercises his ARCO rights (access, rectification, cancellation and opposition)?

The responsible person must make available the means he considers necessary for the data subject to submit a request to exercise his ARCO rights; these means will be stated in the privacy notice.

Below we summarize each of the obligations related to the exercise of the ARCO rights.

Click here to view the table.

Which procedures are governed by the Regulation?

The Regulation establishes guidelines to be followed by the data subject, the responsible person and, when applicable, the handler in the resolution of the following procedures:

  • Rights Protection Procedure
  • Verification Procedure
  • Procedure for imposing sanctions