Federal Law on Personal Data Protection of Private Ownership (Ley Federal de Protección de Datos Personales en Posesión de los Particulares), 26/August/10

Ley protección de datos personales

Mexico privacy law

What is this law looking for

• Protect personal data held by companies.

• Control legitimate treatment, monitoring and reporting, in order to ensure privacy and the right to informational self-determination of individuals.

Which rights are covered by the law

ARCO: by its Spanish acronym

Access

• The owner can request to know which personal data the controller processes and how it is treated.

Rectify

• The owner can request the correction of inaccurate or incomplete data.

• If the data was transmitted to a third party, the responsible party should give notice of the rectification.

Deletion

• Right to request that data be blocked for a period of time during which it cannot be given any treatment. After this period, it should be deleted.

Opposition

• Applies as long as there is a legitimate cause. If so, the responsible party has to exclude the data from any type of treatment.

What is the core of the law

• The client, employee or vendor has the right of self-determination at all times.

• In the case of sensitive data treatment, the authorization needs to be explicit.

• The classification and protection of personal data is a function that every company must comply with.

• Sensitive personal data is considered to be: ethnic or racial origin, health status (present and future), genetic information, religious, philosophical and moral beliefs, union affiliation, political views and sexual orientation, or any data that could cause high risk to the owner of the data.

What do companies need to do

• Classification and Data Protection

• Establish, document and maintain security measures

• Privacy Notice

• Communicate data transfer to third parties

• Appointment of a Chief Privacy Officer

• Treatment authorization from clients, customers or employees

Deadlines to comply with the law

• The Mexican federal government issued the law on July 5, 2010.

• Clients, employees or vendors can exercise their ARCO rights starting January 6, 2012.

• Important deadlines:

  – July 6, 2011:

    • Companies must appoint a Privacy Officer.

    • Companies must issue privacy notices.

Sanctions / Penalties

• Warnings

• Fines from $5,584* to $17,868,800*

• Additional fines from $5,584* to $17,868,800* (when the fine happens more than once)

• All fines may increase by 100% if the personal data is sensitive

• Jail up to 10 years

* Mexican pesos

Mexico’s personal data law

What do companies need to do

• Create privacy policies and programs

• Train all employees on the privacy programs

• Establish a privacy monitoring process

• Assign resources to implement the privacy programs

• Establish a procedure to manage privacy risk

• Review the privacy program periodically

• Implement procedures to receive concerns and complaints about privacy

• Implement mechanisms to sanction cases of noncompliance

What do companies need to create

• Inventory of personal data

• Inventory of the treatment systems

• Roles and responsibilities of persons who process personal data

• Risk analysis of personal data

• Security measures for personal data

• Gap analysis of security measures

• Roadmap for the implementation of security measures

• Reviews and/or audits

• Training for staff who process personal data

• Registration of cancellations or destruction of personal data

• Record of the mass storage of personal data

Privacy is not only about Compliance!

Through Privacy we guarantee individual rights.

By doing so, we increase stakeholder trust and increase our competitiveness.