The processing of any personal data may create obligations toward the individuals the data relates to, the data subjects. Some jurisdictions only recognize processing personal data as lawful if the data subject has provided express consent. Other jurisdictions require a legal obligation to process the data, and may not require consent. The processing of HR personal data has raised questions and led to court decisions in a few countries, and interpretations may vary based on data privacy and labor law requirements. The concept of employee consent has been increasingly criticized because there is doubt as to whether consent can be given freely in the subordinate employee/employer relationship.
In order to collect employees’ personal data in Mexico, consent is generally required, with a few exceptions (Federal Law on the Protection of Personal Data Held by Private Parties). Consent can be provided verbally, in writing or via any technology. With the exception of sensitive personal data and financial data (which require explicit consent), tacit consent is allowed under the law when the individual is provided with a privacy notice and has the option to opt out of the collection. Employers must also give individuals the option to opt out of consent at a later date via the privacy notice (note: the revocation would not be retroactive). Consent to collect personal information is not necessary when:
The personal data that is collected must be limited to the purpose outlined in the privacy notice. If the data is being processed for a new purpose, the employer must obtain new consent from the employee.
When collecting sensitive personal data, express written consent must be obtained and the notice must specifically state that sensitive personal data is being handled. Sensitive personal data includes information that affects the most intimate sphere of the individual as well as personal information that could cause serious risk or discrimination if revealed. This includes personal information such as race/ethnicity, health status, genetic information, religious/philosophical/moral beliefs, union affiliations, political opinion and sexual preference.
Privacy Notices
HR teams should provide individuals with a privacy notice prior to collecting personal information. Notices should include:
HR Best Practices: Limit the collection of employees’ personal data to information that is clearly outlined in employee privacy notices. When consent is used, ensure there is a way for employees to revoke their consent at a later date and that employees are notified of the revocation process.