Employee Data Privacy

What are the penalties for noncompliance with any applicable data protection laws?

Noncompliance with data privacy laws and data breaches may lead to sanctions, fines, and penalties. The amounts are usually calculated according to the risk to which personal rights were exposed and the preventive measures taken by the data controllers, processors and sub-processors in relation to their respective role in the chain of personal data processing.

The frequency of assigning fines and penalties for violations of the Federal Law on Protection of Personal Data Held by Private Parties in Mexico has increased in recent years. Violations of the law can result in warnings or fines ranging from 100 to 320,000 Unidad de Medida y Actualización (UMA) (One UMA is equivalent to approximately $5 USD). Additional fines may be imposed for repeat violations. Fines can also double when sensitive personal data is involved.

Fines and penalties are determined based on:

• the nature of the data;
• the refusal of the employer to follow actions requested by the data subject, in violation of the law;
• whether the violation was intentional in nature, or an omission;
• the financial position of the employer (i.e. the size of the company); and,
• recurrence of violations.

Civil and criminal liabilities can also be incurred.

Imprisonment can occur when a person who is processing personal data for profit causes a data security breach. Imprisonment may also be imposed if an individual processes personal data deceitfully to obtain an unlawful profit. Terms are doubled in cases where sensitive personal data is involved.