Adriana Contreras, Mexican Privacy Rules: The Time That Comes

In a globalized world where our economy revolves around information and its proper use and implementation, in Mexico it became necessary to create a legal system to protect personal data/information by following the steps of countries like the US, Canada, Spain, which are distinguished by their legal structure in this area.

Seeking to be a competitive country under a modern legal system during the administration of former President Felipe Calderón, on April 27, 2010 Mexican Congress approved the “Federal Law of Protection of Personal Data Held by Individuals” having as its main objective the protection of personal data held by individuals and regulate their legitimate treatment. This Law was published on July 5, 2010 in the Official Gazette of the Federation, effective on July 6, 2010. As expected the process to adapt to this new legislation would not be easy, knowing this the federal government gave the companies proper time to train regarding the legal scope and implementation of technology in order comply with such regulations.

It is worth mentioning  that our legislators set about to create the guidelines and regulations that  gave certainty, shape and truthfulness to this law and as result on January 17 of last year resulted in the publication of the regulations in order to define and clarify the following aspects:

  1. Legal aspects that must be contained in a Privacy Notice.
  2. Characteristics of the Privacy Notice that the law allows to make available to individuals (Integral notice, simplified notice and short notice, depending on its application) and the modalities to make available to individuals.
  3. Define who is obligated to issue the privacy notice.
  4. Means to obtain personal data/information personally from the holder.
  5. Modalities for the implementation of the Privacy Notice.
  6. Handling of Information referred to as sensitive data.
  7. Transfer of personal data as well as the means to limit the use or disclosure of such personal data.
  8. Means to exercise ARCO rights whereby individuals have the right to access, rectify and cancel his/her personal information held by third parties and object to its use.

It is important to consider that in practice companies have gone through a somewhat complex process with respect to the implementation of the privacy notice especially in the case of handling personal data of its employees, since analyzing the law currently in effect it is understood that companies must maintain strict control and implementation of technology that ensures the protection of sensitive data, such as the case of: information related to its racial or ethnic origin, present or future health status, genetic information, religious beliefs, political views, sexual preference to mention a few. As well defined by the Law these concepts are considered for use and sensitive treatment; however, historically by need or habit the data is requested as part of the company’s employees’ files, during their recruitment and / or hiring.

Currently in Mexico there exists a high percentage of companies that have postponed their actions with respect to the implementation of the privacy notice in their workplaces. We recommend mainly to representatives of the Human Resources and Finance departments to reach out to their legal department in order to carry out the corresponding changes in documentation of your company (individual labor agreements, job applications, website) as well as generating privacy notice under the characteristics that are considered relevant in accordance to each particular case. Fortunately as of this date the IFA, the competent authority to monitor the proper compliance with the legal provisions of the Federal Law of the Protection of Personal Data Held by Individuals in Mexico, has been very flexible with respect to the application of sanctions; however, we must realize the aggregate value that it represents for your company to maintain control of the information flow avoiding that this information comes to circulate in the wrong place and with the wrong people seeking to fraudulently use it for their companies and employees.


Adriana Contreras

Mexican  Attorney