The International Comparative Legal Guide to: Data Protection 2014
Published by Global Legal Group, with contributions from:
BANNING
Barrera, Siqueiros y Torres Landa, S.C.
CMS Reich-Rohrwig Hainz
Dittmar & Indrenius
DLA Piper
ECIJA ABOGADOS
Eversheds
Gilbert + Tobin Lawyers
Herbst Kinsky Rechtsanwälte GmbH
Hunton & Williams
KALO & ASSOCIATES
Koep & Partners
Marrugo Rivera & Asociados, Estudio Jurídico
Matheson
Mori Hamada & Matsumoto
Opice Blum, Bruno, Abrusio e Vainzof Advogados Associados
Osler, Hoskin & Harcourt LLP
Pachiu & Associates
Pestalozzi
Portolano Cavallo Studio Legale
Raja, Darryl & Loh
Subramaniam & Associates (SNA)
Wigley & Company
Wikborg, Rein & Co. Advokatfirma DA
A practical cross-border insight into data protection law
1st Edition
General Chapter:
1 Data Protection – a Key Business Risk – Bridget Treacy, Hunton & Williams 1
www.ICLG.co.uk
Disclaimer
This publication is for general information purposes only. It does not purport to provide comprehensive full legal or other advice. Global Legal Group Ltd. and the contributors accept no responsibility for losses that may arise from reliance upon information contained in this publication. This publication is intended to give an indication of legal issues upon which you may need advice. Full legal advice should be taken from a qualified professional when dealing with specific situations.
Further copies of this book and others in the series can be ordered from the publisher. Please call +44 20 7367 0720
Contributing Editor: Bridget Treacy, Hunton & Williams
Account Managers: Edmond Atta, Beth Bassett, Antony Dine, Susan Glinska, Dror Levy, Maria Lopez, Florjan Osmani, Paul Regan, Gordon Sambrooks, Oliver Smith, Rory Smith
Sales Support Manager: Toni Wyatt
Sub Editors: Nicholas Catlin, Amy Hirst
Editors: Beatriz Arroyo, Gemma Bridge
Senior Editor: Suzie Kidd
Global Head of Sales: Simon Lemos
Group Consulting Editor: Alan Falach
Group Publisher: Richard Firth
Published by: Global Legal Group Ltd., 59 Tanner Street, London SE1 3PL, UK
Tel: +44 20 7367 0720
Fax: +44 20 7407 5255
Email: [email protected]
www.glgroup.co.uk
GLG Cover Design: F&F Studio Design
GLG Cover Image Source: iStockphoto
Printed by: Ashford Colour Press Ltd., May 2014
Copyright © 2014 Global Legal Group Ltd. All rights reserved. No photocopying.
ISBN 978-1-908070-98-2
ISSN 2054-3786
Strategic Partners
Country Question and Answer Chapters:
2 Albania KALO & ASSOCIATES: Eni Kalo 7
3 Australia Gilbert + Tobin Lawyers: Peter Leonard & Ewan Scobie 15
4 Austria Herbst Kinsky Rechtsanwälte GmbH: Dr. Sonja Hebenstreit & Dr. Isabel Funk-Leisch 24
5 Belgium Hunton & Williams: Wim Nauwelaerts & Laura De Boel 34
6 Brazil Opice Blum, Bruno, Abrusio e Vainzof Advogados Associados: Renato Opice Blum 42
7 Canada Osler, Hoskin & Harcourt LLP: Adam Kardash & Bridget McIlveen 49
8 China Hunton & Williams LLP Beijing Representative Office: Manuel E. Maisog & Zhang Wei 57
9 Colombia Marrugo Rivera & Asociados, Estudio Jurídico: Ivan Dario Marrugo Jimenez 63
10 Finland Dittmar & Indrenius: Jukka Lång & Iiris Keino 69
11 France Hunton & Williams: Claire François 77
12 Germany Hunton & Williams: Dr. Jörg Hladjk & Johannes Jördens 85
13 India Subramaniam & Associates (SNA): Hari Subramaniam & Aditi Subramaniam 94
14 Ireland Matheson: John O’Connor & Anne-Marie Bohan 105
15 Italy Portolano Cavallo Studio Legale: Laura Liguori & Federica De Santis 115
16 Japan Mori Hamada & Matsumoto: Akira Marumo & Hiromi Hayashi 123
17 Kosovo KALO & ASSOCIATES: Loriana Robo & Atdhe Dika 132
18 Malaysia Raja, Darryl & Loh: Tong Lai Ling & Roland Richard Kual 140
19 Mexico Barrera, Siqueiros y Torres Landa, S.C.: Mario Jorge Yanez V. & Federico de Noriega O. 149
20 Namibia Koep & Partners: Hugo Meyer van den Berg & Chastin Bassingthwaighte 157
21 Netherlands BANNING: Monique Hennekens & Chantal Grouls 163
22 New Zealand Wigley & Company: Michael Wigley 175
23 Norway Wikborg, Rein & Co. Advokatfirma DA: Dr. Rolf Riisnæs & Dr. Emily M. Weitzenboeck 181
24 Romania Pachiu & Associates: Mihaela Cracea & Ioana Iovanesc 191
25 Slovenia CMS Reich-Rohrwig Hainz: Luka Fabiani & Ela Omersa 200
26 South Africa Eversheds: Tanya Waksman 210
27 Spain ECIJA ABOGADOS: Carlos Pérez Sanz 217
28 Switzerland Pestalozzi: Clara-Ann Gordon & Dr. Michael Reinle 226
29 United Kingdom Hunton & Williams: Bridget Treacy & Naomi McBride 234
30 USA DLA Piper: Jim Halpert & Kate Lucente 242
EDITORIAL
Welcome to the first edition of The International Comparative Legal Guide to: Data Protection.
This guide provides the international practitioner and in-house counsel with a comprehensive worldwide legal analysis of the laws and regulations of data protection.
It is divided into two main sections:
One general chapter entitled Data Protection – a Key Business Risk.
Country question and answer chapters. These provide a broad overview of common issues in data protection laws and regulations in 29 jurisdictions.
All chapters are written by leading data protection lawyers and industry specialists and we are extremely grateful for their excellent contributions.
Special thanks are reserved for the contributing editor Bridget Treacy of Hunton & Williams for her invaluable assistance.
Global Legal Group hopes that you find this guide practical and interesting.
The International Comparative Legal Guide series is also available online at www.iclg.co.uk.
Alan Falach LL.M.
Group Consulting Editor
Global Legal Group
[email protected]
WWW.ICLG.CO.UK ICLG TO: DATA PROTECTION 2014 © Published and reproduced with kind permission by Global Legal Group Ltd, London
Chapter 19
Mexico
Barrera, Siqueiros y Torres Landa, S.C.: Mario Jorge Yanez V. & Federico de Noriega O.
1 Relevant Legislation and Competent Authorities
1.1 What is the principal data protection legislation?
In Mexico, the Mexican Federal Constitution (Constitución Política de los Estados Unidos Mexicanos) provides the right of data protection and grants Congress the power to issue federal laws related to protection of personal information. In an effort to unify, clarify and extend data protection, and in compliance with its constitutional mandate to issue a federal data protection law, Congress enacted the Federal Law on Protection of Personal Data held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) (the “Data Protection Law”), which is the main data protection law in Mexico.
The Data Protection Law was published in the Official Gazette of the Federation on July 5, 2010 and became effective on July 6, 2010. The Regulations of the Data Protection Law were published on December 21, 2011 (Reglamento de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares) (the “Data Protection Regulations”). Thereafter, the regulator issued on January 17, 2013 certain rules for drafting privacy notices (Lineamientos del Aviso de Privacidad) (the “Privacy Notice Guidelines”).
In addition to the foregoing, the regulator has issued several recommendations and guidelines with respect to the appointment of data privacy officers and security measures.
1.2 Is there any other general legislation that impacts data protection?
There are industry-specific laws that have an impact on data protection, such as the Banking Law (Ley de Instituciones de Crédito), the Law for the Transparency and Order of Financial Services (Ley para la Transparencia y Ordenamiento de los Servicios Financieros) and the Federal Law of Consumer Protection (Ley Federal de Protección al Consumidor).
The Federal Copyright Law (Ley Federal del Derecho de Autor) also regulates ownership and use of databases.
1.3 Is there any sector specific legislation that impacts data protection?
The consumer sector is directly impacted by the general data protection provisions in the Federal Law of Consumer Protection (Ley Federal de Protección al Consumidor), which contain some data privacy provisions.
There are plenty of financial laws that impact data protection, including the Banking Law (Ley de Instituciones de Crédito), the Law for the Transparency and Order of Financial Services (Ley para la Transparencia y Ordenamiento de los Servicios Financieros), the Investment Funds Law (Ley de Fondos de Inversión), and the Law to Protect and Defend the User of Financial Services (Ley para la Protección y Defensa del Usuario de Servicios Financieros).
The Federal Copyright Law (Ley Federal del Derecho de Autor) contains some data privacy provisions as well.
The Data Protection Law applies to every private party (natural person or entity) that collects, uses, transfers or stores Personal Data.
1.4 What is the relevant data protection regulatory authority(ies)?
The Federal Institute for Access to Public Information and Data Protection (Instituto Federal de Acceso a la Información Pública y Protección de Datos) (“IFAI”) has the authority to investigate compliance with, and penalise infringements of, personal data protection laws by both government agencies and private parties (the latter when violating the Data Protection Law).
2 Definitions
2.1 Please provide the key definitions used in the relevant legislation:
“Consent”
Expression of the will of the Data Owner by which data processing is enabled.
“Data Controller”
Individual or private legal entity that decides on the processing of personal data.
“Data Owner”
The natural person to whom the personal data corresponds.
“Data Processor”
The natural person or entity that, individually or jointly with other natural person(s) or entities, processes the Personal Data on behalf of the Data Controller.
“Dissociation”
The procedure through which personal data can no longer be associated with the data owner, nor allow, by way of its structure, content or degree of disaggregation, identification of the data owner.
“Financial or Patrimonial Data”
Financial or Patrimonial Data is mentioned as a concept but is not a defined term in the Data Protection Law. However, financial data has recently been defined in a resolution of the privacy regulator (Instituto Federal de Acceso a la Información Pública y Protección de Datos) [File PS.0004/13, Defendant: Seguros Banamex, S.A. de C.V.] as the credit history, revenues, expenses, bank accounts, insurance, bonds, bank services or any other data that forms part of an individual’s estate.
“Personal Data”
Any information pertaining to an identified or identifiable natural person.
“Public Access Source”
Databases whose information may be accessed by any person, without further requirement except, where appropriate, the payment of a fee, in accordance with the Data Protection Regulations.
“Processing”
The collection, use, disclosure or storage of Personal Data by any means. Use includes access, management, exploitation, transfer or disposal of Personal Data.
“Sensitive Personal Data”
Personal Data touching on the most private areas of the data owner’s life, or whose misuse might lead to discrimination or involve a serious risk for said data owner. In particular, sensitive data is considered to be data that may reveal items such as racial or ethnic origin, present and future health status, genetic information, religious, philosophical and moral beliefs, union membership, political views and sexual preference.
“Third Party”
A Mexican or foreign individual or legal entity other than the Data Owner or the Data Controller.
3 Key Principles
3.1 What are the key principles that apply to the processing of personal data?
Consent
The Data Controller shall obtain the consent of the Data Owner for processing his/her Personal Data for determined purposes.
Data Quality
The Data Controller shall process only exact, complete, correct, strictly necessary and up-to-date Personal Data in order to achieve the purposes for which the data is processed.
Information
Prior to the collection and use of the Data Owner’s Personal Data, the Data Controller has to make available a privacy notice disclosing the purposes for which the data is being collected and meeting several other statutory requirements.
Lawful basis for processing
The Data Controller shall process Personal Data in accordance with national and international laws.
Loyalty
The Data Controller has the obligation to process Personal Data giving priority to the protection of the Data Owner’s interests and a reasonable expectation of privacy.
Proportionality
The Data Controller may only process Personal Data that is necessary, adequate and relevant for the purposes disclosed when collecting it, applying a minimisation criterion in accordance with such purposes.
Purpose limitation
Personal Data may only be processed to comply with the purposes disclosed in the privacy notice.
Responsibility
The Data Controller is liable and accountable for the Processing of Personal Data kept by the Data Controller as well as for the Personal Data shared with its Data Processors.
4 Individual Rights
4.1 What are the key rights that individuals have in relation to the processing of their personal data?
Access to data
Data Owners have the right to access their Personal Data and to review the privacy notice applicable to the processing of their Personal Data.
Rectify data
Data Owners have the right to rectify their Personal Data whenever it is incomplete, out-dated or imprecise.
Cancel data
Data Owners have the right to cancel their Personal Data in case such data is not required for the purposes set forth in the privacy notice, or if such Personal Data is being used for purposes not consented to.
Objection to data processing
Data Owners have the right to object to the Processing of their Personal Data for purposes beyond what is necessary for the origination and maintenance of the relationship with the Data Controller.
Revoke the consent or limit the use or disclosure of Personal Data
Data Owners are entitled, at any time, to revoke the consent granted for the processing of their Personal Data or to partially or completely limit the use or disclosure of it, for the purposes that are not necessary for the origination and maintenance of the legal relationship between the Data Controller and him/her, and to be included in an exclusion list, for purposes such as requesting not to be contacted (e.g. for marketing purposes).
File complaints with relevant data protection authority(ies)
Data Owners have the right to complain before the IFAI in case any private party does not answer his/her request to exercise access, rectification, cancellation, objection or revocation rights in the manner and within the term provided by the Data Protection Law and the Data Protection Regulations.
5 Registration Formalities and Prior Approval
5.1 In what circumstances is registration or notification required to the relevant data protection regulatory authority(ies)? (E.g., general notification requirement, notification required for specific processing activities.)
The Data Protection Law does not provide for any registration with or notification to the data protection regulator.
5.2 On what basis are registrations/notifications made? (E.g., per legal entity, per processing purpose, per data category, per system or database.)
Registrations and notifications are not applicable.
5.3 Who must register with/notify the relevant data protection authority(ies)? (E.g., local legal entities, foreign legal entities subject to the relevant data protection legislation, representative or branch offices of foreign legal entities subject to the relevant data protection legislation.)
Registrations and notifications are not applicable.
5.4 What information must be included in the registration/notification? (E.g., details of the notifying entity, affected categories of individuals, affected categories of personal data, processing purposes.)
Registrations and notifications are not applicable.
5.5 What are the sanctions for failure to register/notify where required?
Registrations and notifications are not applicable.
5.6 What is the fee per registration (if applicable)?
Registrations and notifications are not applicable.
5.7 How frequently must registrations/notifications be renewed (if applicable)?
Registrations and notifications are not applicable.
5.8 For what types of processing activities is prior approval required from the data protection regulator?
Prior approval from the data protection regulator is not required for
any type of processing.
5.9 Describe the procedure for obtaining prior approval, and the applicable timeframe.
Approval is not applicable.
6 Appointment of a Data Protection Officer
6.1 Is the appointment of a Data Protection Officer mandatory or optional?
In accordance with the Data Protection Law, every Data Controller must appoint a person or department in charge of Personal Data (“Data Protection Officer” or “DPO”). The main functions of the DPO are to process requests from Data Owners regarding the exercise of their access, rectification, cancellation, revocation and objection rights and to promote the protection of Personal Data within their companies or organisations.
The Data Protection Law is relatively ambiguous with respect to the appointment of a DPO within an organisation and fails to provide specific criteria, methods or mechanisms for companies or organisations to follow for this purpose.
The IFAI has published certain non-mandatory guidelines and recommendations for the appointment of the DPO.
6.2 What are the sanctions for failing to appoint a mandatory Data Protection Officer where required?
The Data Protection Law does not provide a specific sanction for
failing to appoint a DPO.
6.3 What are the advantages of voluntarily appointing a Data Protection Officer (if applicable)?
This is not applicable since it is required to appoint a DPO.
6.4 Please describe any specific qualifications for the Data Protection Officer required by law.
There are no specific qualifications for the DPO in the Data
Protection Law.
Pursuant to the recommendations of the IFAI, the following are a few of the ideal characteristics of the profile for a DPO:
Experience in Personal Data protection or knowledge of the subject.
Vision and leadership.
Organisational and communication skills.
Resource availability and exploitability.
Due position and hierarchy within the entity.
6.5 What are the responsibilities of the Data Protection Officer, as required by law or typical in practice?
Some of the specific duties/tasks of the DPO are the following:
Setting forth and managing procedures for the reception, processing and timely attention of requests made by Personal Data Owners in the exercise of their access, rectification, cancellation and/or objection rights.
Monitoring developments and changes in law regarding Personal Data protection and privacy that may affect the actions performed within the organisation at any given time and taking the necessary steps to adjust them.
Drafting, publishing, delivering and executing Personal Data protection practices and policies within the organisation or otherwise adjusting the current ones to the applicable legal framework.
Developing instruments to assess the efficiency and effectiveness of such practices and policies.
Surveying and reviewing the internal procedures of the organisation regarding collection, use, exploitation, storage, cancellation, application and transfer of Personal Data in order to ensure its protection and strict compliance with the principles stated in the Data Protection Law.
Coordinating and training the other areas or departments of the organisation so that they acknowledge the practices and policies issued and comply with them.
Promoting internal and external data protection as well as taking on the position of Personal Data representative of the entity.
6.6 Must the appointment of a Data Protection Officer be registered/notified to the relevant data protection authority(ies)?
The appointment does not need to be registered with or notified to any data protection authority.
7 Marketing and Cookies
7.1 Please describe any legislative restrictions on the sending of marketing communications by post, telephone, e-mail, or SMS text message. (E.g., requirement to obtain prior opt-in consent or to provide a simple and free means of opt-out.)
The Data Protection Law and the Data Protection Regulations provide that processing for marketing, advertising or commercial promotion purposes needs to be expressly and specifically included as one of the “purposes of processing” in the privacy notice.
Such rules provide for the creation of exclusion lists, which are databases intended to record the refusal of the Data Owner concerning the processing of his/her personal data for marketing and/or offering and promoting goods, products and services by any physical or technological means.
Consent is required but it may be implied consent. Therefore, it is an opt-out system. Opt-out mechanisms shall be expressly included in the privacy notice.
The Federal Law of Consumer Protection (Ley Federal de Protección al Consumidor) sets forth rules aimed at protecting private consumer data and data exchanged in consumer transactions, and specifically in electronic transactions. It provides for the registration of consumers on the Public Registry of Consumers, which is made up of a list of consumers who do not want to be contacted to receive any kind of marketing communications. To date, the Public Registry of Consumers only allows a phone number to be listed in order to avoid receiving marketing phone calls. This law provides for an opt-out system.
The Federal Law to Protect and Defend Users of Financial Services (Ley de Protección y Defensa al Usuario de Servicios Financieros) provides that financial institutions regulated thereunder shall not contact their consumers for marketing or advertising purposes when they have expressly asked not to be contacted or if they are registered in the no-call registry of the National Commission for the Defense of Financial Consumers. This law provides for an opt-out system.
The Federal Law of Transparency and Order of Financial Services (Ley Federal para la Transparencia y Ordenamiento de Servicios Financieros) provides that clients of banks and loan companies may only be contacted to offer them financial products if they expressly accepted being contacted, and only through their business address, phone or email. This law provides for an opt-in system.
The Credit Institutions Law (Ley de Instituciones de Crédito) includes rules protecting against the use of information provided by bank consumers for advertising or marketing purposes without authorisation. Users of financial services may register their email addresses and phone numbers in order to avoid unwanted advertising.
The Regulatory Law of Credit Reporting Companies (Ley para Regular las Sociedades de Información Crediticia) provides that Credit Reporting Companies may not use the data contained in credit reports in marketing or advertising promotions.
7.2 Is the relevant data protection authority(ies) active in enforcement of breaches of marketing restrictions?
The IFAI has been very active in the enforcement of data protection rules. Recently the IFAI has imposed severe fines on various private parties; in particular, the regulator has imposed fines on financial entities derived from infringement of marketing restrictions.
7.3 What are the maximum penalties for sending marketing communications in breach of applicable restrictions?
A fine of up to 320,000 days of the minimum daily wage in Mexico City (approximately €1,200,000) may be imposed for sending unsolicited marketing communications. Fines may be doubled when dealing with Sensitive Data.
7.4 What types of cookies require explicit opt-in consent, as mandated by law or binding guidance issued by the relevant data protection authority(ies)?
Currently neither the Data Protection Law nor the Data Protection Regulations require explicit opt-in consent for the collection of Personal Data through cookies.
On the other hand, the Privacy Notice Guidelines provide that in case the Data Controller uses mechanisms through remote or local electronic means that allow automatic collection of Personal Data, Data Controllers shall conspicuously inform the Data Owner about the use of such technologies and the manner of disabling such methods.
7.5 For what types of cookies is implied consent acceptable, under relevant national legislation or binding guidance issued by the relevant data protection authority(ies)?
Please see answer above.
7.6 To date, has the relevant data protection authority(ies) taken any enforcement action in relation to cookies?
Currently, we have no notice of any sanction or proceeding initiated by the regulator regarding this matter.
7.7 What are the maximum penalties for breaches of applicable cookie restrictions?
Under the interpretation of the Data Protection Law, consent being an essential principle protected by the law, if a Data Controller collects and processes Personal Data without consent or without informed consent (i.e., failing to include cookie warnings), the Data Controller may be sanctioned with a fine from 200 to 320,000 days of the General Minimum Wage in Mexico City (approximately €750 to €1,200,000), and likewise, such fine may be doubled when dealing with Sensitive Data.
8 Restrictions on International Data Transfers
8.1 Please describe any restrictions on the transfer of personal data abroad.
Personal Data may be transferred to third parties in Mexico or abroad as long as: (i) such transfer was disclosed in the privacy notice; (ii) the transferee receives a copy of the privacy notice; and (iii) the transferee uses the Personal Data for the purposes disclosed in the privacy notice.
The privacy notice must contain a specific clause indicating that the Data Owner authorises transfer to third parties.
The transferee or recipient shall be liable for the same obligations as those imposed on the Data Controller.
Transfers may be made without the Data Owner’s consent when the transfer is: (i) required by law or an international treaty; (ii) required for medical treatment or services; (iii) to affiliates, subsidiaries or controlling companies; (iv) required by a contract to be executed or executed between the transferee and the Data Owner; (v) required for public interest or for administration of justice; (vi) required for the recognition, exercise or defence of a right in a judicial procedure; or (vii) required to maintain or perform an agreement between the Data Controller and the Data Owner.
8.2 Please describe the mechanisms companies typically utilise to transfer personal data abroad in compliance with applicable transfer restrictions.
Companies typically execute a Data Transfer Agreement, which states all the responsibilities that the Data Controller and transferee will have in order to comply with the Mexican laws.
8.3 Do transfers of personal data abroad require registration/notification or prior approval from the relevant data protection authority(ies)? Describe which mechanisms require approval or notification, what those steps involve, and how long they take.
There is no registration or notification requirement for data transfers.
9 Whistle-blower Hotlines
9.1 What is the permitted scope of corporate whistle-blower hotlines under applicable law or binding guidance issued by the relevant data protection authority(ies)? (E.g., restrictions on the scope of issues that may be reported, the persons who may submit a report, the persons whom a report may concern.)
Whistle blowing is not expressly regulated by the Data Protection Law or the Data Protection Regulations, and currently the authority has not published any guidance related to this matter. Note, however, that whenever Personal Data is collected, processed and/or transferred, a privacy notice shall be provided by the Data Controller to the Data Owners prior to the Processing of their data.
9.2 Is anonymous reporting strictly prohibited, or strongly discouraged, under applicable law or binding guidance issued by the relevant data protection authority(ies)? If so, how do companies typically address this issue?
As mentioned in our answer above, whistle blowing is not expressly regulated by the Data Protection Law or the Data Protection Regulations and currently the authority has not published any guidance related to this matter. Typically, and for the purposes of a whistle-blowing system, companies inform their employees (in their Privacy Notice) that their Personal Data may be used for anonymous reporting and investigation or for the implementation of a whistle-blowing system.
9.3 Do corporate whistle-blower hotlines require separate registration/notification or prior approval from the relevant data protection authority(ies)? Please explain the process, how long it typically takes, and any available exemptions.
There is no registration or notification requirement for whistle-blower hotlines.
10 CCTV and Employee Monitoring
10.1 Does the use of CCTV require separate registration/notification or prior approval from the relevant data protection authority(ies)?
As mentioned before, the Data Protection Law does not provide for any registration with or notification to the data protection regulator.
10.2 What types of employee monitoring are permitted (if any), and in what circumstances?
Employee monitoring is not regulated in the Data Protection Law. However, any methods used to collect Personal Data shall be disclosed to the Data Owners in the privacy notice.
10.3 Is consent or notice required? Describe how employers typically obtain consent or provide notice.
Typically employers inform their employees of the collection of their Personal Data through the Privacy Notice. The form of consent varies depending on whether the Personal Data is Sensitive Data, Financial Data or any other data. If Sensitive Data is processed, express written consent is required. Express consent is required for the processing of Financial Data and implied consent is required for the processing of any other Personal Data.
In the case of CCTV systems, we understand that only ordinary Personal Data is collected, so implied consent is enough. The IFAI has issued some recommendations on short-form privacy notices to be used for CCTV systems.
In the case of employee monitoring and collection of Sensitive Data or Financial Data, employers will require express written consent from the employee.
10.4 To what extent do works councils/trade unions/employee representatives need to be notified or consulted?
No notice to unions or employees’ representatives is required.
10.5 Does employee monitoring require separate registration/notification or prior approval from the relevant data protection authority(ies)?
The Data Protection Law does not provide for any registration with or notification to the data protection regulator in this regard.
11 Processing Data in the Cloud
11.1 Is it permitted to process personal data in the cloud? If so, what specific due diligence must be performed, under applicable law or binding guidance issued by the relevant data protection authority(ies)?
The Data Protection Regulations regulate cloud computing. The
Data Protection Regulations provide that Data Controllers shall
only contract cloud-computing services from a provider that meets
the following requirements:
(i) have policies and procedures similar to those contemplated
by the Data Protection Law and the Data Protection
Regulations;
(ii) disclose the fact that it subcontracts third parties;
(iii) not condition the service upon becoming the owner or
acquiring any right over the Personal Data;
(iv) maintain the confidentiality of Personal Data; and
(v) have mechanisms to: (a) notify changes in their privacy
policies; (b) allow the Data Controller to limit the processing
of the Personal Data; (c) have security measures that are
reasonable with respect to the service; (d) guarantee the
cancellation of data once the service is terminated; and (e)
block access to the Personal Data to those persons that do not
have access privileges except when ordered by a competent
authority and the Data Controller is informed of such order.
The Data Protection Regulations state that Data Controllers shall
not contract cloud-computing services that do not guarantee
adequate data protection.
11.2 What specific contractual obligations must be imposed on a processor providing cloud-based services, under applicable law or binding guidance issued by the relevant data protection authority(ies)?
Please refer to the answer above.
12 Big Data and Analytics
12.1 Is the utilisation of big data and analytics permitted? If so, what due diligence is required, under applicable law or binding guidance issued by the relevant data protection authority(ies)?
Data Protection Law does not regulate the utilisation of big data or
analytics and the IFAI has not issued any guidance on this matter.
13 Data Security and Data Breach
13.1 What data security standards (e.g., encryption) are required, under applicable law or binding guidance issued by the relevant data protection authority(ies)?
Data Controllers shall adopt the security measures and procedures
that are necessary to protect the Personal Data against damage, loss,
alteration, destruction and unauthorised use, access or processing.
These measures shall at least be equal to the measures that the Data
Controller uses to protect its own information.
In this regard, the IFAI published on October 30, 2013 in
the Official Gazette of the Federation the “Recommendations on
Security of Personal Data”, in order to provide Data Controllers
with guidance on the minimum actions
considered necessary for the security of Personal Data.
Adoption of these recommendations is voluntary, and
following them does not exempt Data Controllers from
liability for any breach of their databases.
As a general recommendation, the IFAI advises adopting a
Security Management System for Personal Data (“SGSDP”),
which the Institute has defined as a “general management system to establish, implement, operate, monitor, review, maintain and improve the processing and security of personal data on the basis of the risk to the assets and of the basic principles of legality, consent, information, quality, purpose, loyalty, proportionality and liability provided for in the Data Protection Law, its regulations, secondary regulations and any other principle drawn from good international practice in the matter”.
The recommended SGSDP follows a four-phase cycle, known as
Plan-Do-Check-Act, each phase with its own activities.
13.2 Is there a legal requirement to report data breaches to the relevant data protection authority(ies)? If so, describe what details must be reported, to whom, and within what timeframe. If no legal requirement exists, describe under what circumstances the relevant data protection authority(ies) expects voluntary breach reporting.
Data Protection Law does not require the reporting or notification
of data breaches to the IFAI.
13.3 Is there a legal requirement to report data breaches to individuals? If so, describe what details must be reported, to whom, and within what timeframe. If no legal requirement exists, describe under what circumstances the relevant data protection authority(ies) expects voluntary breach reporting.
Yes. Data breaches must be notified to the Data Owners, but only
those that significantly affect the patrimonial or moral rights of the
Data Owners. Data Controllers must send the notice immediately
after becoming aware of the data breach.
The notification must include: (a) the nature of the incident; (b) the
compromised data; (c) recommendations to the Data Owners on
the measures they may take to protect their interests; (d) the
corrective actions taken by the Data Controller; and (e) how the Data
Owners can obtain more information on the matter.
14 Enforcement and Sanctions
14.1 Describe the enforcement powers of the data protection authority(ies):
Investigatory Power | Civil/Administrative Sanction | Criminal Sanction
Federal Institute for Access to Public Information and Data Protection (Instituto Federal de Acceso a la Información Pública y Protección de Datos; “IFAI”) | Administrative sanctions. | -
Public Prosecutor’s Office | - | Corporal penalties of six months to five years’ imprisonment.
Civil Courts | Civil sanctions (tort liability / claim for damages / honour and reputation). | -
14.2 Describe the data protection authority’s approach to exercising those powers, with examples of recent cases.
Infringements of the Data Protection Law are subject to sanctions by the regulator (administrative fines) and to civil and criminal liability before the corresponding authorities (see the table above).
Administrative fines range from 100 to 320,000 times the daily minimum wage (approximately €375 to €1,200,000) and are doubled where Sensitive Personal Data is involved; criminal liability may also arise from the illegal handling of personal data.
Precedents regarding sanctions applied to private parties include: (i) a bank that infringed several provisions of the Data Protection Law in handling a request to exercise access, rectification, cancellation and objection rights, and was fined approximately €900,000 by the regulator; (ii) a sports club that failed to include in its privacy notice the options and means by which data owners could limit the use or disclosure of their personal data, and was fined approximately €72,000 by the regulator; and (iii) a savings bank that had no privacy policy and collected personal financial and economic data without the express consent of the Data Owners, and was fined approximately €72,000.
15 E-discovery / Disclosure to Foreign Law Enforcement Agencies
15.1 How do companies within Mexico respond to foreign e-discovery requests, or requests for disclosure from foreign law enforcement agencies?
Mexican companies typically require that any request for disclosure of Personal Data be supported by a valid legal document or judicial order issued by the competent foreign authority and delivered through the appropriate diplomatic or judicial channels.
15.2 What guidance has the data protection authority(ies) issued?
The IFAI has not issued any guidance on this matter.
Acknowledgment
The authors would like to acknowledge the assistance of their colleague Rodrigo Méndez S. in the preparation of this chapter.
Mario Jorge Yanez V.
Barrera, Siqueiros y Torres Landa, S.C.
Paseo de Tamarindos 150 PB
Bosques de las Lomas
Mexico City, D.F., 05120
Mexico
Tel: +52 55 5091 0165
Fax: +52 55 5091 0123
Email: [email protected]
URL: www.bstl.com.mx/en
Mr. Yanez received his law degree at Universidad Nacional Autónoma de México (1986-1991), followed by a Masters degree at Columbia University in New York (1992-1993). Mr. Yanez has excelled in different practice areas like Mergers and Acquisitions; Foreign Trade (Anti-dumping Investigations and NAFTA Disputes); Environmental; Data Protection; Entertainment and Gaming; Nationality/Immigration. Mr. Yanez clerked at Barrera, Siqueiros y Torres Landa (BSTL) from 1988-1991, becoming a full-time associate in 1992. Mr. Yanez moved to the United States to earn his Masters degree at Columbia University (1992-1993) and to occupy a foreign associate position at Vial, Hamilton, Koch & Knox LLP (Dallas, Texas; 1993-1994). Mr. Yanez returned to BSTL to resume his position as associate, becoming partner in 2000. Mr. Yanez has received recognitions from Chambers Global, Chambers Latin America, Latin America’s Leading Lawyers for Business, Latin Lawyer 250, and other publications. Mr. Yanez is admitted to practice law in Mexico. Mr. Yanez is also available at: Barrera, Siqueiros y Torres Landa, S.C., Av. Ricardo Margáin 444, Torre Norte, Mezzanine “A”, Valle del Campestre, San Pedro Garza Garcia, N.L., 66265, Mexico, Tel: +52 (81) 8220 1500, Fax: +52 (81) 8220 1529.
Federico de Noriega O.
Barrera, Siqueiros y Torres Landa, S.C.
Paseo de Tamarindos 150 PB
Bosques de las Lomas
Mexico City, D.F., 05120
Mexico
Tel: +52 55 5091 0154
Fax: +52 55 5091 0123
Email: [email protected]
URL: www.bstl.com.mx/en
Mr. Noriega completed his law degree at Universidad Iberoamericana (2000-2005), followed by a Masters degree at Harvard Law School (2006-2007). Mr. Noriega’s areas of practice include Commercial Law, Mergers and Acquisitions, Corporate Financing and Data Protection. Mr. Noriega was a foreign associate at Sidley Austin LLP (New York office) in 2007 and 2008, after which he re-joined Barrera, Siqueiros y Torres Landa. Mr. Noriega was elevated to partnership at BSTL in 2014. Mr. Noriega was awarded Academic Excellence by the Universidad Iberoamericana for scoring the highest GPA of his class. The Chambers & Partners Latin America 2012 and 2013 editions ranked Mr. Noriega as an “Associate to watch” in “Banking and Finance”. Mr. Noriega is admitted to practice law in Mexico and in the State of New York.
BSTL is one of the leading firms in Mexico, with more than 65 years of experience. BSTL is a full-service firm with the necessary resources to meet the challenges our clients face in some of the most important transactions in their history as well as on a day-to-day basis. Moreover, the diversity of our firm allows us to provide comprehensive legal advice in any particular transaction, meeting all of our clients’ expectations.
BSTL is well recognised by its clients, peers and local authorities for its work in several areas of practice, including privacy, corporate services, mergers and acquisitions, real estate, antitrust, arbitration and litigation, and government procurement.
Our privacy team has advised clients on compliance with general privacy laws and industry-specific privacy laws (labour, consumer-protection, financial and health laws). We analyse the data processing activities carried out by our clients and provide business-oriented solutions.
www.iclg.co.uk
59 Tanner Street, London SE1 3PL, United Kingdom
Tel: +44 20 7367 0720 / Fax: +44 20 7407 5255
Email: [email protected]
Other titles in the ICLG series include: Alternative Investment Funds; Aviation Law; Business Crime; Cartels & Leniency; Class & Group Actions; Competition Litigation; Construction & Engineering Law; Copyright; Corporate Governance; Corporate Immigration; Corporate Recovery & Insolvency; Corporate Tax; Data Protection; Employment & Labour Law; Environment & Climate Change Law; Franchise; Insurance & Reinsurance; International Arbitration; Lending & Secured Finance; Litigation & Dispute Resolution; Merger Control; Mergers & Acquisitions; Mining Law; Oil & Gas Regulation; Patents; Pharmaceutical Advertising; Private Client; Product Liability; Project Finance; Public Procurement; Real Estate; Securitisation; Shipping Law; Telecoms, Media & Internet.