The International Comparative Legal Guide to: Data Protection 2014


A practical cross-border insight into data protection law

1st Edition

Published by Global Legal Group, with contributions from:

BANNING; Barrera, Siqueiros y Torres Landa, S.C.; CMS Reich-Rohrwig Hainz; Dittmar & Indrenius; DLA Piper; ECIJA ABOGADOS; Eversheds; Gilbert + Tobin Lawyers; Herbst Kinsky Rechtsanwälte GmbH; Hunton & Williams; KALO & ASSOCIATES; Koep & Partners; Marrugo Rivera & Asociados, Estudio Jurídico; Matheson; Mori Hamada & Matsumoto; Opice Blum, Bruno, Abrusio e Vainzof Advogados Associados; Osler, Hoskin & Harcourt LLP; Pachiu & Associates; Pestalozzi; Portolano Cavallo Studio Legale; Raja, Darryl & Loh; Subramaniam & Associates (SNA); Wigley & Company; Wikborg, Rein & Co. Advokatfirma DA


General Chapter:

1 Data Protection – a Key Business Risk – Bridget Treacy, Hunton & Williams 1

www.ICLG.co.uk

Disclaimer

This publication is for general information purposes only. It does not purport to provide comprehensive full legal or other advice. Global Legal Group Ltd. and the contributors accept no responsibility for losses that may arise from reliance upon information contained in this publication. This publication is intended to give an indication of legal issues upon which you may need advice. Full legal advice should be taken from a qualified professional when dealing with specific situations.

Further copies of this book and others in the series can be ordered from the publisher. Please call +44 20 7367 0720.


Contributing Editor: Bridget Treacy, Hunton & Williams

Account Managers: Edmond Atta, Beth Bassett, Antony Dine, Susan Glinska, Dror Levy, Maria Lopez, Florjan Osmani, Paul Regan, Gordon Sambrooks, Oliver Smith, Rory Smith

Sales Support Manager: Toni Wyatt

Sub Editors: Nicholas Catlin, Amy Hirst

Editors: Beatriz Arroyo, Gemma Bridge

Senior Editor: Suzie Kidd

Global Head of Sales: Simon Lemos

Group Consulting Editor: Alan Falach

Group Publisher: Richard Firth

Published by: Global Legal Group Ltd., 59 Tanner Street, London SE1 3PL, UK. Tel: +44 20 7367 0720. Fax: +44 20 7407 5255. Email: [email protected]; www.glgroup.co.uk

GLG Cover Design: F&F Studio Design

GLG Cover Image Source: iStockphoto

Printed by: Ashford Colour Press Ltd., May 2014

Copyright © 2014 Global Legal Group Ltd. All rights reserved. No photocopying.

ISBN 978-1-908070-98-2. ISSN 2054-3786

Strategic Partners

Country Question and Answer Chapters:

2 Albania KALO & ASSOCIATES: Eni Kalo 7

3 Australia Gilbert + Tobin Lawyers: Peter Leonard & Ewan Scobie 15

4 Austria Herbst Kinsky Rechtsanwälte GmbH: Dr. Sonja Hebenstreit & Dr. Isabel Funk-Leisch 24

5 Belgium Hunton & Williams: Wim Nauwelaerts & Laura De Boel 34

6 Brazil Opice Blum, Bruno, Abrusio e Vainzof Advogados Associados: Renato Opice Blum 42

7 Canada Osler, Hoskin & Harcourt LLP: Adam Kardash & Bridget McIlveen 49

8 China Hunton & Williams LLP Beijing Representative Office: Manuel E. Maisog & Zhang Wei 57

9 Colombia Marrugo Rivera & Asociados, Estudio Jurídico: Ivan Dario Marrugo Jimenez 63

10 Finland Dittmar & Indrenius: Jukka Lång & Iiris Keino 69

11 France Hunton & Williams: Claire François 77

12 Germany Hunton & Williams: Dr. Jörg Hladjk & Johannes Jördens 85

13 India Subramaniam & Associates (SNA): Hari Subramaniam & Aditi Subramaniam 94

14 Ireland Matheson: John O’Connor & Anne-Marie Bohan 105

15 Italy Portolano Cavallo Studio Legale: Laura Liguori & Federica De Santis 115

16 Japan Mori Hamada & Matsumoto: Akira Marumo & Hiromi Hayashi 123

17 Kosovo KALO & ASSOCIATES: Loriana Robo & Atdhe Dika 132

18 Malaysia Raja, Darryl & Loh: Tong Lai Ling & Roland Richard Kual 140

19 Mexico Barrera, Siqueiros y Torres Landa, S.C.: Mario Jorge Yanez V. & Federico de Noriega O. 149

20 Namibia Koep & Partners: Hugo Meyer van den Berg & Chastin Bassingthwaighte 157

21 Netherlands BANNING: Monique Hennekens & Chantal Grouls 163

22 New Zealand Wigley & Company: Michael Wigley 175

23 Norway Wikborg, Rein & Co. Advokatfirma DA: Dr. Rolf Riisnæs & Dr. Emily M. Weitzenboeck 181

24 Romania Pachiu & Associates: Mihaela Cracea & Ioana Iovanesc 191

25 Slovenia CMS Reich-Rohrwig Hainz: Luka Fabiani & Ela Omersa 200

26 South Africa Eversheds: Tanya Waksman 210

27 Spain ECIJA ABOGADOS: Carlos Pérez Sanz 217

28 Switzerland Pestalozzi: Clara-Ann Gordon & Dr. Michael Reinle 226

29 United Kingdom Hunton & Williams: Bridget Treacy & Naomi McBride 234

30 USA DLA Piper: Jim Halpert & Kate Lucente 242


EDITORIAL

Welcome to the first edition of The International Comparative Legal Guide to: Data Protection.

This guide provides the international practitioner and in-house counsel with a comprehensive worldwide legal analysis of the laws and regulations of data protection.

It is divided into two main sections:

One general chapter entitled Data Protection – a Key Business Risk.

Country question and answer chapters. These provide a broad overview of common issues in data protection laws and regulations in 29 jurisdictions.

All chapters are written by leading data protection lawyers and industry specialists and we are extremely grateful for their excellent contributions.

Special thanks are reserved for the contributing editor Bridget Treacy of Hunton & Williams for her invaluable assistance.

Global Legal Group hopes that you find this guide practical and interesting.

The International Comparative Legal Guide series is also available online at www.iclg.co.uk.

Alan Falach LL.M., Group Consulting Editor, Global Legal Group, [email protected]

WWW.ICLG.CO.UK | ICLG TO: DATA PROTECTION 2014 | © Published and reproduced with kind permission by Global Legal Group Ltd, London

Chapter 19: Mexico

Barrera, Siqueiros y Torres Landa, S.C.

Mario Jorge Yanez V. and Federico de Noriega O.

1 Relevant Legislation and Competent Authorities

1.1 What is the principal data protection legislation?

In Mexico, the Mexican Federal Constitution (Constitución Política de los Estados Unidos Mexicanos) provides the right of data protection and grants Congress the power to issue federal laws related to protection of personal information. In an effort to unify, clarify and extend data protection, and in compliance with its constitutional mandate to issue a federal data protection law, Congress enacted the Federal Law on Protection of Personal Data held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) (the “Data Protection Law”), which is the main data protection law in Mexico.

The Data Protection Law was published in the Official Gazette of the Federation on July 5, 2010 and became effective on July 6, 2010. The Regulations of the Data Protection Law (Reglamento de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares) (the “Data Protection Regulations”) were published on December 21, 2011. Thereafter, on January 17, 2013, the regulator issued certain rules for drafting privacy notices (Lineamientos del Aviso de Privacidad) (the “Privacy Notice Guidelines”).

In addition to the foregoing, the regulator has issued several recommendations and guidelines with respect to the appointment of data privacy officers and security measures.

1.2 Is there any other general legislation that impacts data protection?

There are industry-specific laws that have an impact on data protection, such as the Banking Law (Ley de Instituciones de Crédito), the Law for the Transparency and Order of Financial Services (Ley para la Transparencia y Ordenamiento de los Servicios Financieros) and the Federal Law of Consumer Protection (Ley Federal de Protección al Consumidor).

The Federal Copyright Law (Ley Federal del Derecho de Autor) also regulates ownership and use of databases.

1.3 Is there any sector specific legislation that impacts data protection?

The consumer sector is directly impacted by the general data protection provisions in the Federal Law of Consumer Protection (Ley Federal de Protección al Consumidor), which contains some data privacy provisions.

There are plenty of financial laws that impact data protection, including the Banking Law (Ley de Instituciones de Crédito), the Law for the Transparency and Order of Financial Services (Ley para la Transparencia y Ordenamiento de los Servicios Financieros), the Investment Funds Law (Ley de Fondos de Inversión), and the Law to Protect and Defend the User of Financial Services (Ley para la Protección y Defensa del Usuario de Servicios Financieros).

The Federal Copyright Law (Ley Federal del Derecho de Autor) contains some data protection provisions as well.

1.4 What is the relevant data protection regulatory authority(ies)?

The Data Protection Law applies to every private party (natural person or entity) that collects, uses, transfers or stores Personal Data. The Federal Institute for Access to Public Information and Data Protection (Instituto Federal de Acceso a la Información Pública y Protección de Datos) (“IFAI”) has the authority to investigate compliance and penalise infringements of personal data protection laws by both government agencies and private parties (the latter when violating the Data Protection Law).

2 Definitions

2.1 Please provide the key definitions used in the relevant legislation:

“Consent”
Expression of the will of the Data Owner by which data processing is enabled.

“Data Controller”
Individual or private legal entity that decides on the processing of personal data.

“Data Owner”
The natural person to whom the personal data corresponds.

“Data Processor”
The natural person or entity that individually or jointly with other natural person(s) or entities processes the Personal Data on behalf of the Data Controller.

“Dissociation”
The procedure through which personal data cannot be associated with the data owner nor allow, by way of its structure, content or degree of disaggregation, identification thereof.


“Financial or Patrimonial Data”
Financial and Patrimonial Data is mentioned as a concept but is not a defined term in the Data Protection Law. However, financial data has recently been defined in a resolution of the privacy regulator (Instituto Federal de Acceso a la Información Pública y Protección de Datos) [File PS.0004/13, Defendant: Seguros Banamex, S.A. de C.V.] as the credit history, revenues, expenses, bank accounts, insurance, bonds, bank services or any other data that is part of an individual’s estate.

“Personal Data”
Any information pertaining to a natural person that is identified or identifiable.

“Public Access Source”
Databases whose information may be accessed by any person, without further requirement except, where appropriate, the payment of a fee, in accordance with the Data Protection Regulations.

“Processing”
The collection, use, disclosure or storage of Personal Data by any means. Use includes access, management, exploitation, transfer or disposal of Personal Data.

“Sensitive Personal Data”
Personal Data touching on the most private areas of the data owner’s life, or whose misuse might lead to discrimination or involve a serious risk for said data owner. In particular, sensitive data is considered that which may reveal items such as racial or ethnic origin, present and future health status, genetic information, religious, philosophical and moral beliefs, union membership, political views and sexual preference.

“Third Party”
A Mexican or foreign individual or legal entity other than the Data Owner or the Data Controller.

3 Key Principles

3.1 What are the key principles that apply to the processing of personal data?

Consent
The Data Controller shall obtain the consent of the Data Owner for processing his/her Personal Data for determined purposes.

Data Quality
The Data Controller shall process the exact, complete, correct, strictly necessary and updated Personal Data in order to achieve the purposes for which the data is processed.

Information
Prior to the collection and use of the Data Owner’s Personal Data, the Data Controller has to make available a privacy notice disclosing the purposes for which the data is being collected and meeting several other statutory requirements.

Lawful basis for processing
The Data Controller shall process Personal Data in accordance with national and international laws.

Loyalty
The Data Controller has the obligation to process Personal Data privileging the protection of the Data Owner’s interests and a reasonable expectation of privacy.

Proportionality
The Data Controller may only process Personal Data that is necessary, adequate and relevant for the purposes disclosed when collecting it, applying a minimisation criterion in accordance with such purposes.

Purpose limitation
Personal Data may only be processed to comply with the purposes disclosed in the privacy notices.

Responsibility
The Data Controller is liable and accountable for the Processing of Personal Data kept by the Data Controller as well as for the Personal Data shared with its Data Processors.

4 Individual Rights

4.1 What are the key rights that individuals have in relation to the processing of their personal data?

Access to data
Data Owners have the right to access their Personal Data and to review the privacy notice applicable to the processing of their Personal Data.

Rectify data
Data Owners have the right to rectify their Personal Data whenever it is incomplete, outdated or imprecise.

Cancel data
Data Owners have the right to cancel their Personal Data in case such data is not required for the purposes set forth in the privacy notice, or if such Personal Data is being used for purposes not consented to.

Objection to data processing
Data Owners have the right to object to the Processing of their Personal Data for purposes beyond what is necessary for the origination and maintenance of the relationship with the Data Controller.

Revoke the consent or limit the use or disclosure of Personal Data
Data Owners are entitled, at any time, to revoke the consent granted for the processing of their Personal Data or to partially or completely limit the use or disclosure of it, for the purposes that are not necessary for the origination and maintenance of the legal relationship between the Data Controller and him/her, and to be included in an exclusion list, for purposes such as requesting not to be contacted (i.e. marketing purposes).

File complaints with relevant data protection authority(ies)
Data Owners have the right to complain before the IFAI in case any private party does not answer his/her request to exercise access, rectification, cancellation, objection or revocation rights in the manner and within the term provided by the Data Protection Law and the Data Protection Regulations.

5 Registration Formalities and Prior Approval

5.1 In what circumstances is registration or notification required to the relevant data protection regulatory authority(ies)? (E.g., general notification requirement, notification required for specific processing activities.)

The Data Protection Law does not provide for any registration or notification to the data protection regulator.


5.2 On what basis are registrations/notifications made? (E.g., per legal entity, per processing purpose, per data category, per system or database.)

Registrations and notifications are not applicable.

5.3 Who must register with/notify the relevant data protection authority(ies)? (E.g., local legal entities, foreign legal entities subject to the relevant data protection legislation, representative or branch offices of foreign legal entities subject to the relevant data protection legislation.)

Registrations and notifications are not applicable.

5.4 What information must be included in the registration/notification? (E.g., details of the notifying entity, affected categories of individuals, affected categories of personal data, processing purposes.)

Registrations and notifications are not applicable.

5.5 What are the sanctions for failure to register/notify where required?

Registrations and notifications are not applicable.

5.6 What is the fee per registration (if applicable)?

Registrations and notifications are not applicable.

5.7 How frequently must registrations/notifications be renewed (if applicable)?

Registrations and notifications are not applicable.

5.8 For what types of processing activities is prior approval required from the data protection regulator?

Prior approval from the data protection regulator is not required for any type of processing.

5.9 Describe the procedure for obtaining prior approval, and the applicable timeframe.

Approval is not applicable.

6 Appointment of a Data Protection Officer

6.1 Is the appointment of a Data Protection Officer mandatory or optional?

In accordance with the Data Protection Law, every Data Controller must appoint a person or department in charge of Personal Data (“Data Protection Officer” or “DPO”). The main functions of the DPO are to process requests from Data Owners about the exercise of their access, rectification, cancellation, revocation and objection rights of privacy and to promote the protection of Personal Data within their companies or organisations.

The Data Protection Law is relatively ambiguous with respect to the appointment of a DPO within an organisation and fails to provide specific criteria, methods or mechanisms for companies or organisations to follow for this purpose.

The IFAI has published certain non-mandatory guidelines and recommendations for the appointment of the DPO.

6.2 What are the sanctions for failing to appoint a mandatory Data Protection Officer where required?

The Data Protection Law does not provide a specific sanction for failing to appoint a DPO.

6.3 What are the advantages of voluntarily appointing a Data Protection Officer (if applicable)?

This is not applicable since it is required to appoint a DPO.

6.4 Please describe any specific qualifications for the Data Protection Officer required by law.

There are no specific qualifications for the DPO in the Data Protection Law.

Pursuant to the recommendations of the IFAI, the following are a few of the ideal characteristics of the profile for a DPO:

Experience in Personal Data protection or knowledge of the subject.

Vision and leadership.

Organisational and communication skills.

Resource availability and exploitability.

Due position and hierarchy within the entity.

6.5 What are the responsibilities of the Data Protection Officer, as required by law or typical in practice?

Some of the specific duties/tasks of the DPO are the following:

Setting forth and managing procedures for the reception, processing and timely attention of requests made by Personal Data Owners in the exercise of their access, rectification, cancellation and/or objection rights.

Monitoring developments and changes in law regarding Personal Data protection and privacy that may affect the actions performed within the organisation at any given time and taking the necessary steps to adjust them.

Drafting, publishing, delivering and executing Personal Data protection practices and policies within the organisation or otherwise adjusting the current ones with the applicable legal framework.

Developing instruments to assess the efficiency and effectiveness of such practices and policies.

Surveying and reviewing the internal procedures of the organisation regarding collection, use, exploitation, storage, cancellation, application and transfer of Personal Data in order to ensure its protection and strict compliance with the principles stated in the Data Protection Law.

Coordinating and training the other areas or departments of the organisation for them to acknowledge the practices and policies issued as well as the compliance with such.

Promoting internal and external data protection as well as taking on the position of Personal Data representative of the entity.


6.6 Must the appointment of a Data Protection Officer be registered/notified to the relevant data protection authority(ies)?

The appointment does not need to be registered or notified with any data protection authorities.

7 Marketing and Cookies

7.1 Please describe any legislative restrictions on the sending of marketing communications by post, telephone, e-mail, or SMS text message. (E.g., requirement to obtain prior opt-in consent or to provide a simple and free means of opt-out.)

The Data Protection Law and the Data Protection Regulations provide that processing for marketing, advertising or commercial promotion purposes needs to be expressly and specifically included as one of the “purposes of processing” in the privacy notice.

Such rules provide the creation of exclusion lists, which are databases intended to record the refusal of the Data Owner concerning the processing of his/her personal data for marketing and/or offering and promoting goods, products and services by any physical or technological means.

Consent is required but it may be implied consent. Therefore, it is an opt-out system. Opt-out mechanisms shall be expressly included in the privacy notice.

The Federal Law of Consumer Protection (Ley Federal de Protección al Consumidor) sets forth rules aimed to protect private consumer data and data exchanged in consumer transactions and specifically in electronic transactions. It provides the registration of consumers on the Public Registry of Consumers, which will be integrated by a list of consumers that do not want to be contacted to receive any kind of marketing communications. Up to this date, the Public Registry of Consumers only allows to list a phone number to avoid receiving marketing phone calls. This law provides for an opt-out system.

The Federal Law to Protect and Defend Users of Financial Services (Ley de Protección y Defensa al Usuario de Servicios Financieros) provides that financial institutions regulated thereunder shall not contact their consumers for marketing or advertising purposes when they have expressly asked not to be contacted or if they are registered in the no-call registry of the National Commission for the Defense of Financial Consumers. This law provides for an opt-out system.

The Federal Law of Transparency and Order of Financial Services (Ley Federal para la Transparencia y Ordenamiento de Servicios Financieros) provides that clients of banks and loan companies may only be contacted to offer them financial products if they expressly accepted to be contacted and only through their business address, phone or email. This law provides for an opt-in system.

The Credit Institutions Law (Ley de Instituciones de Crédito) includes rules protecting the use of information provided by bank consumers for advertising or marketing purposes without authorisation. Users of financial services may register their email addresses and phone numbers in order to avoid unwanted advertising.

The Regulatory Law of Credit Reporting Companies (Ley para Regular las Sociedades de Información Crediticia) provides that Credit Reporting Companies may not use the data contained in credit reports in marketing or advertising promotions.

7.2 Is the relevant data protection authority(ies) active in enforcement of breaches of marketing restrictions?

The IFAI has been very active in the enforcement of data protection rules. Recently the IFAI has imposed severe fines on diverse private parties; in particular, the regulator has imposed fines on financial entities derived from infringement of marketing restrictions.

7.3 What are the maximum penalties for sending marketing communications in breach of applicable restrictions?

A fine of up to 320,000 days of the minimum daily wage in Mexico City (approximately €1,200,000) may be imposed for sending unsolicited marketing communications.

Fines may be doubled when dealing with Sensitive Data.

7.4 What types of cookies require explicit opt-in consent, as mandated by law or binding guidance issued by the relevant data protection authority(ies)?

Currently neither the Data Protection Law nor the Data Protection Regulations provide the requirement of explicit opt-in consent for the collection of Personal Data through cookies.

On the other hand, the Privacy Notice Guidelines provide that in case the Data Controller uses mechanisms through remote or local electronic means that allow automatic collection of Personal Data, Data Controllers shall inform the Data Owner conspicuously about the use of such technologies and the manner to disable such methods.

7.5 For what types of cookies is implied consent acceptable, under relevant national legislation or binding guidance issued by the relevant data protection authority(ies)?

Please see answer above.

7.6 To date, has the relevant data protection authority(ies) taken any enforcement action in relation to cookies?

Currently, we have no notice of any sanction or proceeding initiated by the regulator regarding this matter.

7.7 What are the maximum penalties for breaches of applicable cookie restrictions?

By the interpretation of the Data Protection Law, consent being an essential principle protected by the law, if a Data Controller collects and processes Personal Data without consent or without informed consent (i.e., failing to include cookie warnings), the Data Controller may be sanctioned with a fine from 200 to 320,000 days of the General Minimum Wage in Mexico City (approximately €750 to €1,200,000), and likewise, such fine may be doubled when dealing with Sensitive Data.

8 Restrictions on International Data Transfers

8.1 Please describe any restrictions on the transfer of personal data abroad.

Personal Data may be transferred to third parties in Mexico or abroad as long as: (i) such transfer was disclosed in the privacy notice; (ii) the transferee receives a copy of the privacy notice; and (iii) the transferee uses the Personal Data for the purposes disclosed in the privacy notice.

The privacy notice must contain a specific clause indicating that the Data Owner authorises transfer to third parties.

The transferee or recipient shall be liable for the same obligations as those imposed on the Data Controller.

Transfers may be made without the Data Owner’s consent when the transfer is: (i) required by law or an international treaty; (ii) required for medical treatment or services; (iii) to affiliates, subsidiaries or controlling companies; (iv) required by a contract to be executed or executed between the transferee and the Data Owner; (v) required for public interest or for administration of justice; (vi) required for the recognition, exercise or defence of a right in a judicial procedure; or (vii) required to maintain or perform an agreement between the Data Controller and the Data Owner.

8.2 Please describe the mechanisms companies typically utilise to transfer personal data abroad in compliance with applicable transfer restrictions.

Companies typically execute a Data Transfer Agreement, which states all the responsibilities that the Data Controller and transferee will have in order to comply with the Mexican laws.

8.3 Do transfers of personal data abroad require registration/notification or prior approval from the relevant data protection authority(ies)? Describe which mechanisms require approval or notification, what those steps involve, and how long they take.

There is no registration or notification requirement for data transfers.

9 Whistle-blower Hotlines

9.1 What is the permitted scope of corporate whistle-blower hotlines under applicable law or binding guidance issued by the relevant data protection authority(ies)? (E.g., restrictions on the scope of issues that may be reported, the persons who may submit a report, the persons whom a report may concern.)

Whistle blowing is not expressly regulated by the Data Protection Law or the Data Protection Regulations, and currently the authority has not published any guidance related to this matter. Note, however, that whenever Personal Data is collected, processed and/or transferred, a privacy notice shall be provided by the Data Controller to the Data Owners prior to the Processing of his/her data.

9.2 Is anonymous reporting strictly prohibited, or strongly discouraged, under applicable law or binding guidance issued by the relevant data protection authority(ies)? If so, how do companies typically address this issue?

As mentioned in our answer above, whistle blowing is not expressly regulated by the Data Protection Law or the Data Protection Regulations, and currently the authority has not published any guidance related to this matter. Typically, and for the purposes of a whistle-blowing system, companies inform their employees (in their Privacy Notice) that their Personal Data may be used for anonymous reporting and investigation or for the implementation of a whistle-blowing system.

9.3 Do corporate whistle-blower hotlines require separate registration/notification or prior approval from the relevant data protection authority(ies)? Please explain the process, how long it typically takes, and any available exemptions.

There is no registration or notification requirement for whistle-blower hotlines.

10 CCTV and Employee Monitoring

10.1 Does the use of CCTV require separateregistration/notification or prior approval from the relevantdata protection authority(ies)?

As mentioned before, Data Protection Law does not provide any

registration or notification to the Data Protection Regulator.

10.2 What types of employee monitoring are permitted (if any),and in what circumstances?

Employee monitoring is not regulated on the Data Protection Law.

However, any methods used to collect Personal Data shall be

informed to the Data Owners in the privacy notice.

10.3 Is consent or notice required? Describe how employerstypically obtain consent or provide notice.

Typically, employers inform their employees of the collection of their Personal Data through the Privacy Notice. The form of consent varies depending on whether the Personal Data is Sensitive Data, Financial Data or any other data. If Sensitive Data is processed, express written consent is required. Express consent is required for the processing of Financial Data, and implied consent is required for the processing of any other Personal Data.

In the case of CCTV systems, we understand that only ordinary Personal Data is collected, so implied consent is enough. The IFAI has issued some recommendations on short-form privacy notices to be used for CCTV systems.

In the case of employee monitoring and collection of Sensitive Data or Financial Data, employers will require express written consent from the employee.

10.4 To what extent do works councils/trade unions/employee representatives need to be notified or consulted?

No notice to unions or employees’ representatives is required.

10.5 Does employee monitoring require separate registration/notification or prior approval from the relevant data protection authority(ies)?

The Data Protection Law does not provide for any registration or notification to the data protection regulator in this regard.


11 Processing Data in the Cloud

11.1 Is it permitted to process personal data in the cloud? If so, what specific due diligence must be performed, under applicable law or binding guidance issued by the relevant data protection authority(ies)?

The Data Protection Regulations regulate cloud computing. The Data Protection Regulations provide that Data Controllers shall only contract cloud-computing services from a provider that meets the following requirements:

(i) have policies and procedures similar to those contemplated by the Data Protection Law and the Data Protection Regulations;

(ii) disclose the fact that it subcontracts third parties;

(iii) not condition the service upon becoming the owner of or acquiring any right over the Personal Data;

(iv) maintain the confidentiality of Personal Data; and

(v) have mechanisms to: (a) notify changes in its privacy policies; (b) allow the Data Controller to limit the processing of the Personal Data; (c) have security measures that are reasonable with respect to the service; (d) guarantee the cancellation of data once the service is terminated; and (e) block access to the Personal Data by those persons who do not have access privileges, except when ordered by a competent authority and the Data Controller is informed of such order.

The Data Protection Regulations state that Data Controllers shall not contract cloud-computing services that do not guarantee adequate data protection.

11.2 What specific contractual obligations must be imposed on a processor providing cloud-based services, under applicable law or binding guidance issued by the relevant data protection authority(ies)?

Please refer to the answer above.

12 Big Data and Analytics

12.1 Is the utilisation of big data and analytics permitted? If so, what due diligence is required, under applicable law or binding guidance issued by the relevant data protection authority(ies)?

The Data Protection Law does not regulate the utilisation of big data or analytics, and the IFAI has not issued any guidance on this matter.

13 Data Security and Data Breach

13.1 What data security standards (e.g., encryption) are required, under applicable law or binding guidance issued by the relevant data protection authority(ies)?

Data Controllers shall adopt the security measures and procedures that are necessary to protect the Personal Data against damage, loss, alteration, destruction and unauthorised use, access or processing. These measures shall at least be equal to the measures that the Data Controller uses to protect its own information.

In this respect, the IFAI published on October 30, 2013 in the Official Gazette of the Federation the “Recommendations on Security of Personal Data”, in order to provide Data Controllers with guidance on the minimum actions considered necessary for the security of Personal Data.

Adoption of the foregoing recommendations is voluntary, and compliance with them does not exempt Data Controllers from their liability for any breach of their databases.

In this regard, the IFAI has expressed as a general recommendation the adoption of a Security Management System of Personal Data (“SGSDP”), which the Institute has defined as a “general management system to establish, implement, operate, monitor, review, maintain and improve processing and security of personal data on the basis of the risk of the assets and of the basic principles of legality, consent, information, quality, purpose, loyalty, proportionality and liability provided for in the Data Protection Law, its regulations, secondary regulations and any other principle which provided good international practice in the matter”.

The recommended SGSDP consists of four cycles, with different phases and activities, known as Plan-Do-Check-Act.

13.2 Is there a legal requirement to report data breaches to the relevant data protection authority(ies)? If so, describe what details must be reported, to whom, and within what timeframe. If no legal requirement exists, describe under what circumstances the relevant data protection authority(ies) expects voluntary breach reporting.

The Data Protection Law does not require the reporting or notification of data breaches to the IFAI.

13.3 Is there a legal requirement to report data breaches to individuals? If so, describe what details must be reported, to whom, and within what timeframe. If no legal requirement exists, describe under what circumstances the relevant data protection authority(ies) expects voluntary breach reporting.

Yes. Data breaches must be notified to the Data Owners, but only those that significantly affect the patrimonial or moral rights of the Data Owners. Data Controllers must send the notice immediately after becoming aware of the data breach.

The notification must include: (a) the nature of the incident; (b) the compromised data; (c) recommendations to the Data Owners as to what measures they may take to protect their interests; (d) corrective actions taken by the Data Controller; and (e) how they can obtain more information on the matter.

14 Enforcement and Sanctions

14.1 Describe the enforcement powers of the data protection authority(ies):

| Investigatory Power | Civil/Administrative Sanction | Criminal Sanction |
| Federal Institute for Access to Public Information and Data Protection (Instituto Federal de Acceso a la Información Pública y Protección de Datos; “IFAI”). | Administrative Sanctions. | |
| Public Prosecutor’s Office. | | Corporal penalties from six months to five years’ imprisonment. |
| Civil Courts. | Civil Sanctions (tort liability/claim of damages/honour and reputation). | |

14.2 Describe the data protection authority’s approach to exercising those powers, with examples of recent cases.

Infringements of the Data Protection Law are subject to sanctions by the regulator (administrative fines) and to civil and criminal liability imposed by the corresponding authorities (mentioned above). Administrative fines may range from 100 to 320,000 times the daily minimum wage (approximately €375 to €1,200,000), and are doubled when Sensitive Personal Data is involved; criminal liability may also arise in the event of illegal handling of personal data.

Precedents regarding sanctions applied to private parties are: (i) a bank infringed several provisions of the Data Protection Law in handling a request to exercise access, rectification, cancellation and objection rights; the authority sanctioned the bank with a fine of €900,00 approx.; (ii) a sports club failed to include in its privacy notice the options and means by which data owners could limit the use or disclosure of their personal data, and was sanctioned by our regulator with a fine of €72,000 approx.; and (iii) a savings bank that did not have a privacy policy and collected personal financial and economic data without the express consent of the Data Owner was sanctioned with a fine of €72,000 approx.

15 E-discovery / Disclosure to Foreign Law Enforcement Agencies

15.1 How do companies within Mexico respond to foreign e-discovery requests, or requests for disclosure from foreign law enforcement agencies?

Mexican companies typically require that any request for disclosure of Personal Data be supported by a valid legal document or judicial order issued by the competent foreign authority and delivered through appropriate diplomatic or judicial channels.

15.2 What guidance has the data protection authority(ies) issued?

The IFAI has not issued any guidance on this matter.

Acknowledgment

The authors would like to acknowledge the assistance of their colleague Rodrigo Méndez S. in the preparation of this chapter.


Mario Jorge Yanez V.

Barrera, Siqueiros y Torres Landa, S.C., Paseo de Tamarindos 150 PB, Bosques de las Lomas, Mexico City, D.F., 05120, Mexico

Tel: +52 55 5091 0165 / Fax: +52 55 5091 0123 / Email: [email protected] / URL: www.bstl.com.mx/en

Mr. Yanez received his law degree at Universidad Nacional Autónoma de México (1986-1991), followed by a Masters degree at Columbia University in New York (1992-1993). Mr. Yanez has excelled in different practice areas such as Mergers and Acquisitions; Foreign Trade (Anti-dumping Investigations and NAFTA Disputes); Environmental; Data Protection; Entertainment and Gaming; and Nationality/Immigration. Mr. Yanez clerked at Barrera, Siqueiros y Torres Landa (BSTL) from 1988-1991, becoming a full-time associate in 1992. Mr. Yanez moved to the United States to earn his Masters degree at Columbia University (1992-1993) and to occupy a foreign associate position at Vial, Hamilton, Koch & Knox LLP (Dallas, Texas; 1993-1994). Mr. Yanez returned to BSTL to resume his position as associate, becoming partner in 2000. Mr. Yanez has received recognitions from Chambers Global, Chambers Latin America, Latin America’s Leading Lawyers for Business, Latin Lawyer 250, and other publications. Mr. Yanez is admitted to practice law in Mexico. Mr. Yanez is also available at: Barrera, Siqueiros y Torres Landa, S.C., Av. Ricardo Margáin 444, Torre Norte, Mezzanine “A”, Valle del Campestre, San Pedro Garza Garcia, N.L., 66265, Mexico, Tel: +52 (81) 8220 1500, Fax: +52 (81) 8220 1529.

Federico de Noriega O.

Barrera, Siqueiros y Torres Landa, S.C., Paseo de Tamarindos 150 PB, Bosques de las Lomas, Mexico City, D.F., 05120, Mexico

Tel: +52 55 5091 0154 / Fax: +52 55 5091 0123 / Email: [email protected] / URL: www.bstl.com.mx/en

Mr. Noriega completed his law degree at Universidad Iberoamericana (2000-2005), followed by a Masters degree at Harvard Law School (2006-2007). Mr. Noriega’s areas of practice include Commercial Law, Mergers and Acquisitions, Corporate Financing and Data Protection. Mr. Noriega was a foreign associate at Sidley Austin LLP (New York office) in 2007 and 2008, after which he re-joined Barrera, Siqueiros y Torres Landa. Mr. Noriega was elevated to partnership at BSTL in 2014. Mr. Noriega was awarded Academic Excellence by the Universidad Iberoamericana for scoring the highest GPA of his class. The Chambers & Partners Latin America 2012 and 2013 editions ranked Mr. Noriega as an “Associate to watch” in “Banking and Finance”. Mr. Noriega is admitted to practice law in Mexico and in the State of New York.

BSTL is one of the leading firms in Mexico, with more than 65 years of experience. BSTL is a full-service firm with the necessary resources to meet the challenges our clients face in some of the most important transactions in their history as well as on a day-by-day basis. Moreover, the diversity of our firm allows us to provide comprehensive legal advice in any particular transaction, meeting all of our clients’ expectations.

BSTL is well recognised by its clients, peers and local authorities for its work in several areas of practice, including privacy, corporate services, mergers and acquisitions, real estate, antitrust, arbitration and litigation, and government procurement.

Our privacy team has advised clients on issues related to compliance with general privacy laws and industry-specific privacy laws (labour, consumer-protection, financial and health laws). We analyse the data processing activities carried out by our clients and provide business-oriented solutions.

Global Legal Group, 59 Tanner Street, London SE1 3PL, United Kingdom. Tel: +44 20 7367 0720 / Fax: +44 20 7407 5255. Email: [email protected]. www.iclg.co.uk
