1. Federal Law on Protection of Personal Data Held by Private Parties
Ley Federal de Protección de Datos Personales en Posesión de los Particulares
26/August/10
2. What is this law aiming for
• Protect personal data held by companies.
• Control legitimate treatment, monitoring and reporting,
in order to ensure privacy and the right to informational
self-determination of individuals.
3. Which rights are covered by the law
• Access: the owner could request which personal data is processed by the controller and how it is treated.
• Rectify: the owner can request the change of data that is inaccurate or incomplete. If the data was transmitted to a third party, the responsible party should notify it of the rectification.
• Deletion: the right to request that data is blocked for a period of time in which it cannot be given any treatment. After this period, it should be abolished.
• Opposition: is given as long as there is a legitimate cause. If so, the responsible party has to exclude the data from any type of treatment.
ARCO: by its Spanish acronym (Acceso, Rectificación, Cancelación, Oposición)
4. What is the core of the law
• The client, employee or vendor has the right of self-determination at all times.
• In the case of sensitive data treatment, the authorization needs to be explicit.
• The classification and protection of personal data is a function that any company must comply with.
• Personal sensitive data is considered: ethnicity or racial origin, health status (present and future), genetic information, religious, philosophical and moral beliefs, union affiliation, political views and sexual orientation, or any data that could cause high risk to the owner of the data.
5. What do companies need to do
• Classification and data protection
• Establish, document and maintain security measures
• Privacy notice
• Communicate data transfer to third parties
• Appointment of a Chief Privacy Officer
• Treatment authorization from clients, customers or employees
6. Deadlines to comply with the law
• The Mexican federal government issued the law on July 5, 2010.
• Clients, employees or vendors could request their ARCO rights starting January 6, 2012.
• Important deadlines:
– July 6, 2011:
  • Companies must appoint a Privacy Officer.
  • Companies must issue privacy notices.
7. Sanctions / Penalties
• Warnings
• Fines from $5,584* to $17,868,800*
• Additional fines from $5,584* to $17,868,800* (when the infraction is repeated)
• All fines may increase by 100% if the personal data is sensitive
• Jail up to 10 years
* Mexican pesos
9. What do companies need to do
• Train all the employees about the privacy programs
• Create privacy policies and programs
• Establish a privacy monitoring process
• Assign resources to implement the privacy programs
• Establish a procedure to manage the privacy risk
• Review the privacy program periodically
• Implement the procedures to receive the concerns and complaints about privacy
• Implement the mechanisms to sanction in the case of a noncompliance situation
10. What do companies need to create
• Roles and responsibilities of persons who process personal data
• Inventory of personal data
• Inventory of the treatment systems
• Risk analysis of personal data
• Roadmap for the implementation of security measures
• Security measures for personal data
• Gap analysis of security measures
• Reviews and/or audits
• Registration of cancellations or destruction of personal data
• Train staff which processes personal data
• Record the mass storage of personal data
11. Privacy is not only about Compliance!
Through privacy we guarantee individual rights.
By doing so, we increase stakeholder trust and increase our competitiveness.