Personal data protection law
Mexico privacy law
Federal Law on Personal Data
Protection of Private Ownership
Ley Federal de Protección de Datos
Personales en Posesión de los Particulares
26/August/10
What is this law looking for
• Protect personal data held by companies.
• Control legitimate treatment, monitoring and reporting, in order to ensure privacy and the right to informational self-determination of individuals.
Which rights are covered by the law
ARCO: by its Spanish acronym
Access
• The owner can request which personal data is processed by the controller and how it is treated.
Rectify
• The owner can request the change of inaccurate or incomplete data.
• If the data was transmitted to a third party, the responsible party should notify it of the rectification.
Deletion
• Right to request that data is blocked for a period of time in which it cannot be given any treatment. After this period, it should be deleted.
Opposition
• Is granted as long as there is a legitimate cause. If so, the responsible party has to exclude the data from any type of treatment.
What is the core of the law
• The client, employee or vendor has the right of self-determination at all times.
• In the case of sensitive data treatment the authorization needs to be explicit.
• The data classification and protection of personal data is a function that any company must comply with.
• Sensitive personal data is considered to be: ethnic or racial origin, health status (present and future), genetic information, religious, philosophical and moral beliefs, union affiliation, political views and sexual orientation, or any data that could cause high risk to the owner of the data.
What do companies need to do
Classification and Data Protection
Establish, document and maintain security measures
Privacy Notice
Communicate data transfer to third parties
Appointment of a Chief Privacy Officer
Treatment authorization from clients, customers or employees
Deadlines to comply with the law
• The Mexican federal government issued the law on July 5, 2010
• Clients, employees or vendors can request their ARCO rights starting January 6, 2012
• Important deadlines:
– July 6, 2011:
• Companies must appoint a Privacy Officer.
• Companies must issue privacy notices.
Sanctions / Penalties
• Warnings
• Fines from $5,584* to $17,868,800*
• Additional fines from $5,584* to $17,868,800* (when the fine happens more than once)
• All fines may increase by 100% if the personal data is sensitive
• Jail up to 10 years
* Mexican pesos
Mexico’s personal data law
What do companies need to do
Create privacy policies and programs
Train all the employees about the privacy programs
Establish a privacy monitoring process
Assign resources to implement the privacy programs
Establish a procedure to manage the privacy risk
Review the privacy program periodically
Implement the procedures to receive the concerns and complaints about privacy
Implement the mechanisms to sanction in the case of a noncompliance situation
What do companies need to create
Inventory of personal data
Inventory of the treatment systems
Roles and responsibilities of persons who process personal data
Risk analysis of personal data
Security measures for personal data
Gap analysis of security measures
Roadmap for the implementation of security measures
Reviews and / or audits
Train staff who process personal data
Registration of cancellations or destruction of personal data
Record the mass storage of personal data
Privacy is not only about Compliance!
Through Privacy we guarantee individual rights.
By doing so, we increase stakeholder trust and increase our competitiveness.