Mexico LFPDPPP 

What is Personal Information and what are other key definitions?

According to Mexico’s privacy law, personal data is “any information concerning an identified or identifiable individual” and sensitive personal data is “personal data touching on the most private areas of the data owner's life, or whose misuse might lead to discrimination or involve a serious risk for said data owner. In particular, sensitive data is considered that which may reveal items such as racial or ethnic origin, present and future health status, genetic information, religious, philosophical and moral beliefs, union membership, political views, and sexual preference.”

It is interesting to notice that similar to the GDPR, this law offers a definition for data processor as “the individual or legal entity that, alone or jointly with others, processes personal data on behalf of the data controller,” and for data controller defined as “an individual or private legal entity that decides on the processing of personal data.”

In addition to these, it also defines what a data owner is, namely, “the individual to whom personal data relates,” processing, which is the “retrieval, use, disclosure or storage of personal data by any means. Use covers any action of access, management, exploitation, transfer or disposal of personal data,” or transfer which is defined as “any data communication made to a person other than the data controller or data processor.”

Suggestion: 

According to Mexico’s privacy law, personal data is “any information concerning an identified or identifiable individual”. 

Sensitive personal data is “personal data touching on the most private areas of the data owner's life, or whose misuse might lead to discrimination or involve a serious risk for said data owner. In particular, sensitive data is considered that which may reveal items such as racial or ethnic origin, present and future health status, genetic information, religious, philosophical and moral beliefs, union membership, political views, and sexual preference”.

Similar to the GDPR, Mexican data protection law offers a definition for data processor as “the individual or legal entity that, alone or jointly with others, processes personal data on behalf of the data controller,” and for data controller defined as “an individual or private legal entity that decides on the processing of personal data”.

The data owner or data subject is “the individual to whom personal data relates”. 

Actions such as retrieval, use, disclosure or storage of personal data by any means, as well as action of access, management, exploitation, transfer or disposal of personal data - would be considered a personal data processing. 

Data transfer is defined as “any data communication made to a person other than the data controller or data processor”. 

Who has to comply with the LFPDPPP?

LFPDPPP applies if: 

• processing done by a data controller established on the territory of Mexico;
• processing done by a data processor on behalf of a data controller that is located in Mexico (regardless of processor’s location);
• processing done by a data controller or data processor that are not located in Mexico but they are subject to the Mexican legislation following an agreement or the adherence of Mexico to an international convention;
• processing done on Mexican territory, on behalf of a data controller that is not permanently located in Mexico, unless the processing is done for the purpose of data transit.
  
  

Who is excluded from LFPDPPP compliance? 

There are two types of entities that are exempt from compliance with Mexico’s data privacy law: 

• Credit reporting companies, under the Law Regulating Credit Reporting Companies and other applicable laws; and 
• persons carrying out the collection and storage of personal information that is exclusively for personal use, and without purposes of disclosure or commercial use.

The law also excludes business to business data such as that of legal entities, the data of individuals that hold the status of merchant or professional, or the data of employees of a business where the data is limited to employment details and business contact data, and is processed only for the purpose of conducting business.

How can I keep my organization LFPDPPP compliant? 

As a data controller, you must “adhere to the principles of legality, consent, notice, quality, purpose, fidelity, proportionality and accountability.”

What this means in practice is that you have to respect the following:

• Collect and process data in a lawful manner, by informing the individuals to whom data related about the collection and further processing. 
• Do not collect data without informing first or through deceptive or fraudulent means. 
• Unless you have clearly established other legal grounds for data processing, ensure that individuals to whom data relates have provided their consent. Similarly to the GDPR, consent is considered to be valid only when such communicated verbally, in writing, by electronic or optical means or via any other technology, but it needs to be an unmistakable indication of consent regardless. Consent needs to be provided along with a privacy notice giving individuals clear understanding of what they are consenting to. And as any freely given consent, the individuals shall not suffer any inconveniences if they decide to withdraw it, establishing the mechanism to revoke consent and providing to individuals information about it is a responsibility of a controller.   
• In the case of sensitive personal data being processed, you must obtain express written consent from the data owner for processing, through said data owner's signature, electronic signature, or any authentication mechanism established for such a purpose. Databases containing sensitive personal data cannot be created without a justification of their creation for purposes that are legitimate, concrete and consistent with the explicit objectives or activities pursued by the regulated party.
• You must ensure that the personal data contained in any databases you hold is relevant, correct and up-to-date for the purposes for which it has been collected. When the data is no longer necessary for the fulfillment of the objectives set forth in the privacy notice and applicable law, it must be canceled.
• You have to limit the processing of personal data to the fulfillment of its purposes as you have set these out in the privacy notice, and done “as necessary, appropriate and relevant”. If you intend to process data for any other purpose, which is not compatible or analogous to the initial purposes, you are obliged to obtain consent from the data owner. For sensitive personal data, you must make reasonable efforts to limit the processing period to the minimum required.
• As a data controller, you are obliged to ensure compliance with the personal data protection principles established by this law, and must adopt all necessary measures for their application. This is true even when data has been processed by a third party at your request. Furthermore, you must take all necessary and sufficient action to ensure that the privacy notice given to the data owner is respected at all times by it or by any other parties with which it has any legal relationship.
• You have the obligation of providing data owners with information regarding what information is collected on them and why, through the privacy notice. The privacy notice must contain at least the following information:
• Your identity and domicile;
• The purposes of the data processing;
• The options and means offered to the data owners to limit the use or disclosure of data;
• The means for exercising rights of access, rectification, cancellation or objection, in accordance with the provisions of this Law;
• Where appropriate, the data transfers to be made, and
• The procedure and means by which you will notify the data owners of changes to the privacy notice, in accordance with the provisions of this Law.
• For sensitive personal data, your privacy notice must expressly state that it is dealing with this type of data.
• The privacy notice must be made available to data owners through print, digital, visual or audio formats or any other technology.
• All responsible parties that process personal data must establish and maintain physical and technical administrative security measures designed to protect personal data from damage, loss, alteration, destruction or unauthorized use, access or processing. You cannot adopt security measures inferior to those you keep to manage your own information. Moreover, risk involved, potential consequences for the data owners, sensitivity of the data, and technological development must be taken into account.
• In the event of a security breach, regardless of the stage of processing where this occurs, this has to be reported immediately to the owner of the compromised data, so they can take any necessary and appropriate action to defend their rights, if it will materially affect the property or moral rights of the individual in question.
• Under the law, you have to designate “a personal data person or department who will process requests from data owners” for the exercising of data subject access rights. 
  
  

What data access rights does LFPDPPP grant? 

Mexican Privacy Law grants individuals with four rights, “access, rectification, cancellation and objection.”

Right to Access: individuals have the right to access “their personal data held by the data controller as well as to be informed of the privacy notice to which processing is subject.”

Right to Rectification: individuals have the right to rectify their personal data “if it is inaccurate or incomplete.”

Right to Cancellation: an individual has “at all times have the right to cancel his personal data.”

Right to Objection: individuals, “at all times and for any legitimate reason, have the right to object to the processing of their data.”

How to address data subject access requests under LFPDPPP?

Individuals, or their legal representatives, can at any time submit a request for one of the four access rights mentioned above, however, their request has to include a series of details in order to be considered: 

• Their name or the name of the data owner on whose behalf the request is made and the address or any other means to notify the requester of the response the request;
• Documents establishing the identity or, where appropriate, legal representation of the data owner;
• A clear and precise description of the personal data with regard to which the data owner seeks to exercise any of the abovementioned rights.
• Any other item or document that facilitates locating the personal data.
  
  

Right to Access

Access to information is fulfilled when you make the personal data available to the data owner; or, by issuing uncertified copies, electronic documents or any other means that you established in the privacy notice. Providing the data should be free unless a justified cost applies, for example, for shipping or the cost of copying or providing data in other formats.

If the same person repeats her request within a period of twelve months, costs will not be greater than three days of the General Current Minimum Wage in Mexico City, unless there are material changes to the privacy notice that could result in a new request.

Right to Rectification

Individuals who submit a request for rectification have to provide, in addition to the details mentioned above, a list of changes that have to be made, and to provide supporting documentation for their request. If their personal data has been transmitted prior to rectification and will continue to be processed by any third party, you must inform said third party of the request for rectification, so they can also carry it out.

Right to Cancellation

Cancellation of personal data means that the data is first blocked for a period of time,in order for a controller to be able to determine possible responsibilities in relation to its processing, until the end of the legal or contractual limitation period of said responsibilities. During this period, personal data may not be processed, and, once the period has ended, the data shall be canceled in the relevant database. 

An exception would be if as a data controller, you have a need to retain the data under the applicable law, as an example, an employer is obliged to store data of employees and therefore would be unable to satisfy the request..Under some circumstances, you may block the data, but continue storing it, the blocking period will be equal to the limitation period for actions arising from the legal relationship governing processing pursuant to applicable law.

Once you have canceled the personal data, you must notify the owner of the data. If their personal data has been transmitted prior to cancellation and will continue to be processed by any third party, you must inform said third party of the request for cancellation, so they can also carry it out. 

There are a few exceptions to this right, according to the law, meaning you may refuse in cancelation of personal data if one of the below situations apply: 

• The data relates to the parties of a private or administrative contract or partnership agreement and is necessary for its performance and enforcement;
• The law requires that the data be processed;
• Such an action would hinder judicial or administrative proceedings relating to tax obligations, investigation and prosecution of crimes, or updating of administrative sanctions;
• It is necessary to protect the legally protected interests of the data owner;
• It is necessary to carry out an action in the public interest;
• It is necessary to fulfill an obligation legally undertaken by the data owner, and
• It is subject to processing for medical diagnosis or prevention or health services management, provided such processing is done by a health professional subject to a duty of secrecy.
  

Right to Object

Individuals have at all times a right to object to the processing of their personal data and if they do this, you can no longer process the data. 

There a few situations where you can deny access to personal data or refuse the rectification, cancellation or objection, such as: 

• Where the requesting party is not the subject of the personal data, or the legal representative is not duly accredited for such purposes;
• Where the requesting party's personal data is not found in the data controller's database;
• Where the rights of a third party are adversely affected;
• Where there is any legal impediment, or decision of a competent authority, restricting access to the personal data or not allowing the rectification, cancellation or objection with relation thereto, and
• Where the rectification, cancellation or objection has been previously performed.

In all of these cases you must notify the data owner, or, as appropriate, her legal representative, of your decision and the reason for it, within the period established and via the same means by which the request was made, attaching, where appropriate, any relevant evidence.

You have 20 days from the date of receipt of a request to provide your decision to the person that submitted the request, and 15 days from the date when the notice was received to follow through with the access, rectification, cancellation or objection implementation. These timeframes can be extended one time, by a period of equal length, if such an extension would be justified by the circumstances of the request.

Enforcement and penalties

The law is enforced by the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI), the National Institute for Transparency, Access to Information and Personal Data Protection in English, who oversees the compliance with Mexico’s data protection laws, investigates potential violations and imposes penalties.

For failure to satisfy a data subject access request without a well-founded reason: 

• A warning instructing you, the data controller, to handle the request, under the terms of the law.
• For other violations of the law, the INAI can impose monetary fines ranging from 100 to 320,000 times the equivalent amount of Mexico City’s minimum wage. At the moment, this is 
• MX 172.87 - $ 8.68, meaning fines will range from $ 868 to $2,777,600.
• For repeated violations or violations committed during the processing of sensitive data, the monetary penalties can increase up to double the established amounts.
  
  

Data Subject Rights - GDPR vs. LFPDPPP