Federal Law on Protection of Personal Data Held by Individuals

The Ley Federal de Protección de Datos Personales en Posesión de los Particulares (Federal Law on Protection of Personal Data Held by Individuals; LFPDPPP) is a law of Mexico, approved by the Mexican Congress on April 27, 2010. The law aims to regulate the right to informational self-determination. It was published on July 5, 2010, in the Official Gazette and entered into force on July 6, 2010. Its provisions apply to all natural or legal persons who process personal data in the exercise of their activities. Companies such as banks, insurance companies, hospitals, schools, telecommunications companies and religious organizations, and professionals such as lawyers, doctors and others, are required to comply with the provisions of this law.

Personal data, according to Article 3 Section V of the Act, is any information that could identify a person.

Regulatory background in Mexico

Before the LFPDPPP was issued, this right was expressly recognized in Mexico only by the Federal Law of Transparency and Access to Public Government Information (applying to the public sector) and by the Law on Protection of Personal Data in the State of Colima (public and private sectors).

Because a regulatory framework was needed to meet international commitments, it was considered necessary to issue a law on the matter, so that there would be backing for the information.

Constitutional reforms of personal data

Chapter III, of the rights of the holders of personal data

The law takes up the contents of the second paragraph of Article 16 of the Constitution and grants holders the so-called "ARCO rights", an acronym that corresponds to:

  • Access: holders can know if their data is being processed.
  • Correction: the right to request that their data be modified.
  • Cancellation: holders may request that their data be canceled from the database for good cause.
  • Opposition: the right of individuals to prevent use of their information.

Chapter IV Exercise of the rights of access, rectification, cancellation and opposition

Those responsible are obliged to process the requests for access, rectification, cancellation and opposition made by the holders. For this purpose they shall appoint a person or create a personal data department, which is responsible for responding to requests within the time prescribed by law. This chapter also sets out the ways in which these rights can be fulfilled and the reasons why some of them may be denied.

Chapter V, the transfer of data

When the responsible party intends to transfer the data, it shall inform the holder of this fact in its privacy notice and obtain the holder's consent, unless one of the exceptions contemplated by this chapter applies.

The amendment of Article 6 of the Constitution

The first precedent is the 2007 reform to Article 6 of the Constitution, in which a second paragraph was added, laying the groundwork regarding the right to information (transparency), including the protection of personal data held by public institutions, and recognizing the rights of access and rectification. [3]

The amendment to article 16 of the Constitution

In this reform [4] a second paragraph was added to Article 16, stating that everyone has the right to protection of personal data and to exercise the so-called "ARCO" rights (access, rectification, cancellation and opposition).

The Constitution also states that this right may only be limited for reasons of national security, provisions of public policy, public security or public health, or to protect the rights of others. The LFPDPPP, meanwhile, collects these assumptions in Article 4.

The amendment to article 73 of the Constitution

This reform, in May, empowered Congress to legislate on the protection of personal data held by individuals, through the addition of section XXIX-O. The justification for granting that power to the Federal Legislature was that personal data are used in various commercial transactions and trade is regulated at the federal level.

Contents of the Federal Data Protection Act

Chapter I, General Provisions

Articles 1 and 2 of the LFPDPPP state that its objectives are to ensure the privacy of (natural) persons and their right to informational self-determination, and that its provisions apply to the automated or non-automated processing of personal information performed by individuals or companies (the "Responsible"), with certain exceptions (processing for personal purposes and credit information companies). This chapter also defines the central terms of the regulation, among them the fundamental concepts of sensitive personal data, holder, responsible party, manager, third party and processing.

Model legislation on the protection of personal data

Globally, two models of personal data protection are recognized: general and sectoral.

The general model is adopted by most countries, especially the European Union, and among its features are:

  • There is only one regulatory body in the field and an authority responsible for compliance.
  • The consent of the holders is required for the processing of data.
  • Transfers to countries without an adequate level of protection are prohibited.

For its part, the sectoral model is applied by the United States and has the following characteristics:

  • There is no single legal instrument governing the matter; the various agencies can issue regulations as they deem appropriate for their industry.
  • Various authorities, within the scope of their competence, are responsible for ensuring the protection of this right.
  • The consent of the holders for the processing of the data is presumed unless they express their refusal.
  • This scheme operates under self-regulation.

Chapter II, of the principles of personal data protection

The law adopts the general model's principles of legality, consent, information, quality, purpose, loyalty, proportionality and accountability.

The principles of consent, information and purpose are especially important: under them, managers can only process personal data if the holders of the data give their consent for the purposes outlined in the privacy notice.

Chapter VI of the authorities

The Act states that the IFAI (called the Federal Institute of Access to Information and Data Protection since the reform of July 5, 2010 [6]) will be the authority that monitors and verifies compliance with the Personal Data Act and that processes the rights protection, verification and sanction procedures (Chapters VII, VIII and IX). In addition, the law states that the Ministries may issue provisions in this field, giving special powers to the Ministry of Economy.

Chapter VII, the procedure of protection of rights

This procedure begins with an application by the owner of the data before the IFAI, if the owner considers that the responsible party unreasonably denied access, rectification, cancellation or opposition regarding their data. The chapter sets out the procedure and its time limits, the grounds for inadmissibility and dismissal, and the appeal that may be brought against the resolution issued by the Institute.

Chapter X, Violations and Sanctions

This chapter lists the catalog of violations of the law and their corresponding sanctions. As sanctions, the law provides for fines ranging from 100 to 320,000 days of minimum wage in the Federal District, which may be increased for repeated infringement and will double when violations are related to the processing of sensitive personal data. Based on the minimum wage in Mexico City in 2013, the fines range from $6,476.00 (minimum) to $20,723,200.00 (maximum). [7]

Chapter VIII, the verification procedure

This procedure will begin when those responsible fail to comply with the resolutions issued by the IFAI, or when the authority presumes the existence of some sort of default. The form and deadlines for carrying out this procedure are regulated by the rules of procedure.

Chapter IX, the procedure for imposing sanctions

The IFAI is empowered to initiate disciplinary proceedings when, as a result of the rights protection and verification procedures, it has detected a breach of the principles and provisions of the Act. The form and deadlines for carrying out this procedure are governed by the rules of procedure.

Chapter XI, Offences in Respect of Improper Processing of Personal Data

The law provides for prison sentences ranging from three months to five years, which may also be doubled when the conduct relates to sensitive personal data.

Privacy notice

The privacy notice is a text that explains to the data owner how the data will be used, and is produced in print or electronic form (for example, as a link on a Web page). The law and its regulations specify in several articles the form this privacy notice must take. Additionally, on January 17, 2013, the Ministry of Economy published in the Official Journal of the Federation guidelines for generating the Privacy Notice, in order to minimize the need to have recourse to private companies for advice in its creation. The publication distinguishes three forms of Privacy Notice: Integral, Simplified and Short, depending on the application.

Conclusions

The Personal Data Act passed by the Mexican Congress includes elements of both the general and sectoral models, and stands as a necessary policy instrument to protect the privacy of individuals with regard to the processing of their personal information by other individuals. Its provisions show that the data of individuals are protected from all angles: the information individuals provide as clients when hiring all kinds of services, or as workers in their places of work, among many other cases, is protected by the LFPDPPP.
