By Adina Moloman
Mexico’s Federal Law Protecting Personal Data in Private Possession regulates, for the first time at the federal level, how businesses and individuals handle personal data. It took effect July 6, 2010, but its rules began to be implemented on July 6, 2011.
There are two important definitions to start with. “Personal data” is any information concerning a physical person whose inappropriate use may result in discrimination. “Sensitive personal data” is information that may be used for discriminatory purposes and that may reveal aspects such as a person’s race, ethnicity, sex, medical condition, religion, philosophies and morals, political opinions, sexual preferences, union affiliations, and genetic information.
Any use of sensitive personal data must be expressly authorized by its owner through a privacy notice. If the information is used for other purposes, there are penalties and severe sanctions. Financial penalties are not clearly established; depending on the gravity of the situation, fines range from 100 to 360,000 days of minimum wage, or twice that amount when the offenses involve sensitive personal data. The law also provides a criminal penalty of from 3 months up to five years of imprisonment for violations involving unauthorized transfer of sensitive personal data.
The individual who is the owner of the information has the right to decide who can access his/her personal data. This individual has the right to correct such information, control its transfer, and block or cancel its use. Another right of the individual (the owner) is to access his/her own information regardless of who holds it.
Another point that comes in handy for corporations in Mexico concerns the provisions on cross-border transfer of data. There are a few exceptions under which personal data may be transferred nationally or internationally without authorization of the individual (the owner), namely when:
- the transfer is made to parent companies, subsidiaries or affiliates that use the same procedures and internal policies;
- the transfer is provided for in a treaty that Mexico is a part of;
- in the case of medical emergencies;
- the transfer is necessary to prevent disease or for medical diagnosis, medical care, or medical treatment;
- the transfer is necessary pursuant to a contract between the data controller and the transferee, provided that the transfer is in the best interest of the individual;
- there is a judicial decree involving the subject data.