• Federal Law of Protection of Personal Data in Power of Private Entities.
  • July 7, 2012 | Author: Carlos A. Trosino L. de G.
  • Law Firm: ACM Legal - Queretaro Office
  • Parting from the first question: What is personal data? Is that we shall start this brief bulletin, since pursuant to such law, personal data is any information related to individuals, for example, name, telephone number, domicile, photographs or fingerprints, as well as any other information which may be useful to identify them. This type of data allows, in addition, the interaction with one or more organizations, as well as enabling them to become subjects of rights.

    What is the importance of Personal Data?
    In the era of communications, the management and exchange of data has become a usual practice, both for the public sector as well as for companies, which use them for the development of their day to day activities such as:
    • Sale of goods (i.e.: internet book sales or a car at a dealership)
    • Hiring of services (clinical analyzes, life insurance or enrollment at a school)
    • Job offers (when presenting labor resume or filling out a work application form.)
     
    That is why article 16 of our Constitution acknowledges such fundamental right in order to have personal data protected. And therefore, all entities and individuals who have databases (schools, hospitals, doctors, insurance companies, companies in general, etc.,) are bound to follow certain regulations to guarantee their safe and appropriate use.
     
    Who can manage personal data?
    Any private entity or individual; for example, a school, a hospital, a doctor, an insurance company, a bank, a telephone company, a convenience store or a gym. All must observe and abide to the provisions set forth in the Law.

    The following are not subject of this law:
     
    I) Credit information entities (credit bureau) due to the fact that they are regulated under the Law of Credit Information Entities.
    II) Those who manage (either individuals or entities) the data for exclusively personal purposes, without seeking to spread or use them in a commercial manner; for example, telephone directory of friends and personal contacts.
     
    Of recent enforcement, the Law, triggers a broad spectrum of protection for the information of individuals in power of private entities or other individuals, however, in addition to the security factor it triggers, the latter also imposes a higher administrative charge on companies due to the following matters that must be carried out:
    • Appoint a responsible individual who attends access, rectification, cancellation and opposition of personal data requests.
    • Implement and have the necessary security measures to guarantee the data against an improper or illegal use, non-authorized access or loss, alteration, theft or amendment to the personal information.
    • Train its personnel.
    • Inform the owners about the use their information will be subject to.
    Upon the entering into force of the Law, Companies shall issue their Privacy Notices.
    The Privacy Notice shall specify the individual or area in charge of attending access, rectification, cancellation or opposition to the use of personal data requests (ARCO rights).
    Will companies receive any penalties in the case they fail to comply with the Law?
    The Federal Institute of Access to Information and Data Protection, as the guarantor authority, has the ability to impose penalties upon those companies who fail to comply with any provision of the Law. Below there are some of the possible penalties:
    1. Warning;
    2. Fine from 100 up to 160,000 days of minimum wage in force in the Federal District when the company acts negligently or on purpose with regard to the personal information, fails to observe the protection principles of data as set forth in the law or omits information in its Privacy Notice;
    3. Fine from 200 up to 320,000 days of minimum wage in force in the Federal District, when the confidentiality duty in the management of data is breached, the purpose of the management is changed without noticing the owner, transfers the data to third parties, obstructs acts of verification from the Institute or carries out an illegal use of the data.
    4. In the case that these infringements remain on an elapsed fashion, the Institute may impose an additional fine that shall go from a 100 to 320,000 days of minimum wage in force in the Federal District.

    When infringements are committed regarding sensitive data, the penalties may increase up to a double.

    The penalties above are indicated without prejudice of those which may be imposed due to the crimes committed in the field of managing personal data and which involve incarceration penalties which go from three months up to ten years.

    At ACM Legal, we are ready to provide you with the support you require in this and in any other corporate application you may require, please bear in mind we are just a phone call away in order for us to keep your company updated and in that manner, avoid possible legal, financial or business contingencies.