Are there any restrictions on transferring personal data and how can these be overcome?
Cross-border data transfers affect all organizations that engage online IT services, cloud-based services, remote access services and global HR databases. Understanding how lawful data transfer mechanisms apply is essential to validating recipients located in other nations.
There are no specific requirements relating to international data transfers in Mexico. When personal data may be transferred to a third party, employees in Mexico must be informed via a privacy notice, regardless of whether the data will be transferred inside or outside of the country. Privacy notices should outline how the data may be processed. Note that the third parties who receive the data will be responsible for protecting the personal data and following the Mexican data protection law.
Individuals can refuse to consent to having their data transferred. Consent is not required in certain cases, including when:
- data is being transferred to a controlling, subsidiary or affiliated company under the common control of a parent company, or a company that operates under the same internal processes and policies;
- the transfer is necessary in order to fulfill a contract in the interest of the owner of the data;
- the transfer is necessary to fulfill a legal agreement between the employer and the individual whose data was collected; or,
- the transfer is pursuant to a law or treaty to which Mexico is a party.
HR Best Practices: The use of applications in the cloud frequently results in the international transfer of employee data.
Generally, employers in Mexico must hold complete and accurate employee records at the place of employment. If the employer uses a third party (in Mexico or abroad) and transfers employee-related information for accounting or other processing purposes, those third-party transferees need to be made aware of the terms and conditions under which the personal information was provided to the employer (e.g., under the applicable privacy notice). The receiving third party will be subject to the same obligations as the employer in terms of treatment and safeguarding of the personal data originally collected by the employer.