Are you in Compliance with Mexico’s Personal Data Protection Requirements?
The “Federal Law of Protection of Personal Data held by Private Parties” (Ley Federal de Protección de Datos Personales en Posesión de los Particulares, or LPD) was published in 2010 and set out the scope and principles for the collection and processing of Personal Data. The obligations described below, however, only became effective on July 6, 2011, one year after the law’s entry into force.
Scope and Definitions
The LPD governs every aspect of the use and storage of Personal Data and Sensitive Personal Data, including the purposes for which companies collect such information, the way they store it, with whom they share it, and when and how they delete the information after it is used.
The statute is very broad and affects all private companies or individuals doing business in Mexico.
As with data protection laws in other jurisdictions, such as those of the U.S. and the EU, the LPD defines the key terms on which its obligations turn, including:
- Personal Data - any information related to an identified or identifiable individual (the “data owner”).
- Sensitive Personal Data - any information that could cause discrimination or a serious risk to the data owner, such as information related to race or ethnicity, current or future health situation, genetic information, religious, philosophical and moral beliefs, union affiliation, political opinions, and sexual preference.
- Processing - any collection, use, disclosure or storage of personal data by any means, as well as access, management, transfer or disposal of personal data.
Any collection of personal data must have a lawful justification and is subject to the consent of the data owner, except as otherwise provided by the LPD.
The provisions of the LPD that had to be implemented as of July 6, 2011, are:
- The designation of a person, or the creation of a department, responsible for personal data within the company, including promoting its protection and managing data owners’ rights in accordance with the LPD; and
- The requirement to provide a Privacy Notice to each individual about whom personal data is being collected.
The Privacy Notice is a document that must be made available to the data owner in any format (print, electronic, visual, audio or any other technology) and that must contain at least the following information:
- The identity and domicile of the entity collecting the data;
- The purposes for collecting the data;
- The options and means for the data owner to limit the use or disclosure of his/her data;
- The means for exercising the rights granted by the LPD of access, rectification, cancellation and/or objection (beginning on January 6, 2012);
- Whether data will be transferred; and
- The process and means by which the entity collecting the data will notify the data owner of any changes to the Privacy Notice.
In the case of Sensitive Personal Data, the Privacy Notice must expressly state that it is dealing with this type of data.
Failure to comply with the LPD is punishable by fines ranging from approximately US $500 to US $1,600,000 per violation, and/or imprisonment for up to five years. Where Sensitive Personal Data is involved, or in the case of a repeat violation, the sanctions are doubled.