Do individuals have the right to access their personal information?
Data-protective jurisdictions tend to guarantee the right of individuals to contact an organization directly and find out whether personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.
In Mexico, individuals and their legal representatives have the right to request information, access, correction and deletion of their personal information. They also have the right to oppose the data collection, limit the processing of their data when the data is processed for extraneous purposes, or revoke their consent for data processing (Federal Law on the Protection of Personal Data Held by Private Parties, 2010).
Employers must designate a person or department to handle personal data requests. Upon receiving a request from an individual, employers have 20 days to reply and 15 days from the date of reply to complete any requests (when applicable). This timeframe can be extended once for an equal period, as long as there is a justifiable circumstance.
When can employers refuse or temporarily deny requests?
Data processors can deny requests when:
- the individual is not the owner of the personal data (or the legal representative cannot be confirmed as authorized);
- no information is found on the employee;
- it would impact the rights of a third party;
- there is a legal limitation to complying with the request;
- the action has been previously taken.
Employers can partially refuse requests where necessary. In the event a request is rejected, the employer must inform the individual of the reason for the refusal.
In the event that an individual requests the deletion of their personal data, the employer should suspend the data before suppressing the information. Once the data has been deleted, notice should be given to the individual. An employer can deny a request to stop processing an employee’s personal information in certain circumstances, including when:
- the processing is necessary to comply with a contract;
- the collection is necessary for a legal obligation or requirement;
- the information is necessary for a tax obligation or investigation/prosecution of a crime;
- the processing is necessary to protect the legal interests of the individual.
HR Best Practices: When processing an access request from an employee, make sure not to disclose information connected to other individuals. Establish official procedures and contacts for employee requests, complaints and questions.