What laws apply to the collection and use of individuals’ personal information?
Data privacy laws have become more prominent in recent years. As the amount of personal information available online has grown substantially, there has been an enhanced focus on the processing of personal data, as well as the enforcement of such laws.
The data protection regime in Mexico is one of the most advanced regimes in Latin America, with a well-defined data protection law and a clear data protection authority. The Mexican Constitution grants all individuals the right to the protection of their private life and personal data, including the right to access, correct and cancel this data.
The Federal Law on the Protection of Personal Data Held by Private Parties and the related Regulations to the Federal Law set the requirements that private employers need to follow when ensuring employee data privacy in Mexico. The Law defines two types of protected data:
- personal data, and
- sensitive personal data
Personal data is broadly defined as any information concerning identified or identifiable individuals. Sensitive personal data is more strictly defined as the information that touches the most private areas of an individual’s life, including information which can reveal: race/ethnicity, health status, genetic information, religion/philosophical/moral beliefs, union membership, political views and sexual preference.
Consent is required when processing personal data, except when otherwise allowed through the law (such as when the employer is fulfilling obligations under a legal relationship with the data subject). Consent can be provided verbally, in writing or via any technology. Note that tacit consent is allowed under the law when the individual is provided with a privacy notice and has the option to opt out of the collection. When processing sensitive data, written consent (electronic or otherwise) must be obtained.
Mexico is a member of APEC’s Cross Border Privacy Rules (CBPR), making it easier to transfer data between Mexico and other members (Canada, Japan, Singapore, the Republic of Korea and the United States).
The current authority responsible for enforcement of data privacy law and regulations in Mexico is the National Institute for Transparency, Access to Information and Personal Data Protection (INAI).
Led by PeopleDoc’s Chief Legal & Compliance Officer, the HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers, including the global law firm Morgan Lewis, to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where PeopleDoc’s customers have employees. HR Compliance Assist is a service exclusively available to PeopleDoc customers.