- Jaime Deschamps
Privacy Notice / Data protection obligations
Any company in Mexico that collects personal data for commercial or disclosure purposes is required to make a privacy notice available to data subjects.
The protection of personal data is regulated by the FEDERAL LAW FOR THE PROTECTION OF PERSONAL DATA HELD BY INDIVIDUALS, published on July 5, 2010.
What is the privacy notice?
A physical document, electronic or in any other format generated by the responsible that is made available to the owner, prior to the processing of personal data...
What is personal data?
Any information concerning an identified or identifiable individual...
What is sensitive personal data?
Those personal data that affect the most intimate sphere of its owner, or whose improper use may give rise to discrimination or entail a serious risk for the owner. In particular, sensitive data are considered those that may reveal aspects such as racial or ethnic origin, present and future health status, genetic information, religious, philosophical and moral beliefs, union membership, political opinions, sexual preference.
What should the privacy notice contain?
I. The identity and address of the person responsible for collecting them;
II. The purposes of data processing;
III. The options and means offered by the data controller to the owners to limit the use or disclosure of the data;
IV. The means to exercise the rights of access, rectification, cancellation or opposition, in accordance with the provisions of this Law;
V. If applicable, the data transfers to be carried out, and
VI. The procedure and means by which the data controller will inform the owners of changes to the privacy notice, in accordance with the provisions of this Law.
In the case of sensitive personal data, the privacy notice must expressly state that such data is concerned.
How should the owner of the personal data be informed?
The privacy notice must be made available to the holders through printed, digital, visual, sound or any other technology formats, as follows:
I. When the personal data has been obtained personally from the holder, the privacy notice must be provided at the time the data is collected in a clear and reliable manner, through the formats by which it is collected, unless the notice has been provided previously, and
II. When the personal data is obtained directly from the holder by any electronic, optical, sound, visual, or any other technology, the data controller must provide the holder immediately, at least the identity and address of the data controller, the purposes of the processing, as well as provide the mechanisms for the holder to know the full text of the privacy notice.