Federal Law for the Protection of Personal Data in the Possession of Private Individuals
https://www.duanemorris.com/site/static/Mexico_Federal_Protection_Law_Personal_Data.pdf
http://leaux.net/URLS/ConvertAPI Text Files/DA878E1940F64B439E5195B3A6D2195A.en.txt
Examining the file media/Synopses/DA878E1940F64B439E5195B3A6D2195A.html:
This file was generated: 2020-07-14 06:10:05
Applicable Type / Vulnerability / Indicator Overlay for this Input
Political / Illegal Activity
Searching for indicator unlawful:
p.000011: the terms established by this Law, in the cases described in section I of the preceding article;
p.000011: II. A fine from 100 to 160,000 days of the Mexico City minimum wage, in the cases described in sections II to
p.000011: VII of the preceding article;
p.000011: III. A fine from 200 to 320,000 days of the Mexico City minimum wage, in the cases described in sections VIII
p.000011: to XVIII of the preceding article; and
p.000011: IV. In the event of repeated occurrences of the violations described in the preceding paragraphs, an
p.000011: additional fine will be imposed from 100 to 320,000 days of the current Mexico City minimum wage. With
p.000011: regard to violations committed in processing sensitive data, sanctions may be increased up to double the
p.000011: established amounts.
p.000011:
p.000011: Article 65. The Institute will ground its decisions in law and fact, considering:
p.000011:
p.000011: I. The nature of the data;
p.000011: II. The evident impropriety of the refusal of the data controller to perform the actions requested by the
p.000011: data owner in the terms of this Law;
p.000011: III. The intentional or unintentional nature of the action or omission constituting the violation;
p.000011: IV. The financial position of the data controller, and
p.000011: V. Recurrence.
p.000011:
p.000011: Article 66. The penalties specified in this chapter will be imposed without prejudice to any applicable civil or
p.000011: criminal liability.
p.000011:
p.000011: CHAPTER XI
p.000011: Crimes Relating to Unlawful Processing of Personal Data
p.000011: Article 67. Three months to three years imprisonment will be imposed on any person who, authorized to process personal
p.000011: data, for profit, causes a security breach affecting the databases under his custody.
p.000011: Article 68. Six months to five years imprisonment will be imposed on any person who, with the aim of
p.000011: achieving unlawful profit, processes personal data deceitfully, taking advantage of an error of the data owner or the
p.000011: person authorized to transmit such data.
p.000011: Article 69. With regard to sensitive personal data, the penalties referred to in this chapter will be doubled.
p.000011:
p.000011: TRANSITORY PROVISIONS
p.000011:
p.000011: ONE. This Decree will take effect on the day following its publication in the Federal Official Gazette.
p.000011:
p.000011: TWO. The Federal Executive will issue the Regulations to this Law within one year following its entry into force.
p.000011:
p.000011: THREE. Data controllers shall designate the personal data person or department referred to in Article 30 of the Law,
p.000011: and shall issue their privacy notices to personal data owners in accordance with the provisions of articles 16 and 17
p.000011: within one year after this Law enters into force.
p.000011:
p.000011: FOUR. Data owners may exercise, with data controllers, their rights of access, rectification, cancellation and
p.000011: objection, as set forth in Chapter IV of this Law; they may also initiate, as necessary, the rights protection
p.000011: procedure established in Chapter VII hereof, eighteen months after the entry into force of the Law.
p.000011:
p.000011: FIVE. Pursuant to the provisions of Transitory Article Three of the Decree, adding section XXIX-O to
p.000011: Article 73 of the Political Constitution of the United Mexican States, published in the Federal Official Gazette on
p.000011: April 30, 2009, local regulations regarding the protection of personal data held by private parties are annulled, and
...
Political / criminal
Searching for indicator criminal:
p.000011: I. A warning instructing the data controller to carry out the actions requested by the data owner, under
p.000011: the terms established by this Law, in the cases described in section I of the preceding article;
p.000011: II. A fine from 100 to 160,000 days of the Mexico City minimum wage, in the cases described in sections II to
p.000011: VII of the preceding article;
p.000011: III. A fine from 200 to 320,000 days of the Mexico City minimum wage, in the cases described in sections VIII
p.000011: to XVIII of the preceding article; and
p.000011: IV. In the event of repeated occurrences of the violations described in the preceding paragraphs, an
p.000011: additional fine will be imposed from 100 to 320,000 days of the current Mexico City minimum wage. With
p.000011: regard to violations committed in processing sensitive data, sanctions may be increased up to double the
p.000011: established amounts.
p.000011:
p.000011: Article 65. The Institute will ground its decisions in law and fact, considering:
p.000011:
p.000011: I. The nature of the data;
p.000011: II. The evident impropriety of the refusal of the data controller to perform the actions requested by the
p.000011: data owner in the terms of this Law;
p.000011: III. The intentional or unintentional nature of the action or omission constituting the violation;
p.000011: IV. The financial position of the data controller, and
p.000011: V. Recurrence.
p.000011:
p.000011: Article 66. The penalties specified in this chapter will be imposed without prejudice to any applicable civil or
p.000011: criminal liability.
p.000011:
p.000011: CHAPTER XI
p.000011: Crimes Relating to Unlawful Processing of Personal Data
p.000011: Article 67. Three months to three years imprisonment will be imposed on any person who, authorized to process personal
p.000011: data, for profit, causes a security breach affecting the databases under his custody.
p.000011: Article 68. Six months to five years imprisonment will be imposed on any person who, with the aim of
p.000011: achieving unlawful profit, processes personal data deceitfully, taking advantage of an error of the data owner or the
p.000011: person authorized to transmit such data.
p.000011: Article 69. With regard to sensitive personal data, the penalties referred to in this chapter will be doubled.
p.000011:
p.000011: TRANSITORY PROVISIONS
p.000011:
p.000011: ONE. This Decree will take effect on the day following its publication in the Federal Official Gazette.
p.000011:
p.000011: TWO. The Federal Executive will issue the Regulations to this Law within one year following its entry into force.
p.000011:
p.000011: THREE. Data controllers shall designate the personal data person or department referred to in Article 30 of the Law,
p.000011: and shall issue their privacy notices to personal data owners in accordance with the provisions of articles 16 and 17
p.000011: within one year after this Law enters into force.
p.000011:
p.000011: FOUR. Data owners may exercise, with data controllers, their rights of access, rectification, cancellation and
p.000011: objection, as set forth in Chapter IV of this Law; they may also initiate, as necessary, the rights protection
...
Political / political affiliation
Searching for indicator party:
p.000003: VII. Days: Working days.
p.000003: VIII. Dissociation: The procedure through which personal data cannot be associated with the data
p.000003: owner nor allow, by way of its structure, content or degree of disaggregation, identification thereof.
p.000003: IX. Data processor: The individual or legal entity that, alone or jointly with others, processes personal data
p.000003: on behalf of the data controller.
p.000003: X. Publicly available source: Those databases on which queries can be made by any person,
p.000003: without any requirement except, where appropriate, payment of a fee, in accordance with the Regulations to
p.000003: this Law.
p.000003: XI. Institute: Federal Institute for Access to Information and Data Protection, referred to in
p.000003: the Federal Law on Transparency and Access to Public Government Information.
p.000003: XII. Law: Federal Law on Protection of Personal Data Held by Private Parties.
p.000003: XIII. Regulations: The Regulations to the Federal Law on Protection of Personal Data Held by Private Parties.
p.000003: XIV. Data controller: Individual or private legal entity that decides on the processing of personal data.
p.000003: XV. Ministry: Ministry of Economy.
p.000003: XVI. Third party: Mexican or foreign individual or legal entity other than the data owner or data
p.000003: controller.
p.000003: XVII. Data owner: The individual to whom personal data relates.
p.000003: XVIII. Processing: Retrieval, use, disclosure or storage of personal data by any means. Use covers any action of
p.000003: access, management, exploitation, transfer or disposal of personal data.
p.000003: XIX. Transfer: Any data communication made to a person other than the data controller or data
p.000003: processor.
p.000003:
p.000003: Article 4. The principles and rights under this Law will have, as a limit with regard to their observance and exercise,
p.000003: protection of national security, public order, health and safety as well as the rights of third parties.
p.000003:
p.000003: Article 5. Where not expressly provided in this Law, the provisions of the Federal Code of Civil Procedure and the
p.000003: Federal Administrative Procedure Law will apply supplementarily.
p.000003:
p.000003: For the substantiation of rights protection, verification and penalty procedures, the provisions contained in the
p.000003: Federal Administrative Procedure Law will be observed.
p.000003:
p.000003: CHAPTER II
p.000003: Principles of Personal Data Protection
p.000003:
p.000003: Article 6. Data controllers must adhere to the principles of legality, consent, notice, quality, purpose,
p.000003: fidelity, proportionality and accountability under the Law.
p.000003:
p.000003: Article 7. Personal data must be collected and processed in a lawful manner in accordance with the
...
p.000003: technology, or by unmistakable indications.
p.000003:
p.000003: It will be understood that the data owner tacitly consents to the processing of his data when, once the privacy
p.000003: notice has been made available to him, he does not express objection.
p.000003:
p.000003:
p.000003: 4 (First Section) OFFICIAL GAZETTE
p.000003: Monday, July 5, 2010
p.000003:
p.000003: Financial or asset data will require the express consent of the data owner, except as provided in Articles 10 and 37 of
p.000003: this Law.
p.000003:
p.000003: Consent may be revoked at any time without retroactive effects being attributed thereto. For revocation of consent,
p.000003: the data controller must, in the privacy notice, establish the mechanisms and procedures for such action.
p.000003:
p.000003: Article 9. In the case of sensitive personal data, the data controller must obtain express written consent from the
p.000003: data owner for processing, through said data owner's signature, electronic signature, or any authentication
p.000003: mechanism established for such a purpose.
p.000003:
p.000003: Databases containing sensitive personal data may not be created without justification of their creation for purposes
p.000003: that are legitimate, concrete and consistent with the explicit objectives or activities pursued by the regulated party.
p.000003:
p.000003: Article 10. Consent for processing of personal data will not be necessary where:
p.000003:
p.000003: I. Any Law so provides;
p.000003: II. The data is contained in publicly available sources;
p.000003: III. The personal data is subject to a prior dissociation procedure;
p.000003: IV. It has the purpose of fulfilling obligations under a legal relationship between the data owner and the
p.000003: data controller;
p.000003: V. There is an emergency situation that could potentially harm an individual in his person or property;
p.000003: VI. It is essential for medical attention, prevention, diagnosis, health care delivery, medical treatment or
p.000003: health services management, where the data owner is unable to give consent in the terms established by
p.000003: the General Health Law and other applicable laws, and said processing of data is carried out by a person subject to a
p.000003: duty of professional secrecy or an equivalent obligation, or
p.000003: VII. A resolution is issued by a competent authority.
p.000003:
p.000003: Article 11. The data controller shall ensure that personal data contained in databases is relevant, correct and
p.000003: up-to-date for the purposes for which it has been collected.
p.000003:
p.000003: When the personal data is no longer necessary for the fulfillment of the objectives set forth in the privacy notice and
p.000003: applicable law, it must be cancelled.
p.000003:
p.000003: The controller of the database will be required to remove information relating to nonperformance of
p.000003: contractual obligations, after a period of seventy-two months counted from the calendar day on which
p.000003: said nonperformance arose.
p.000003:
p.000003: Article 12. Processing of personal data must be limited to fulfillment of the purposes set out in the privacy notice.
p.000003: If the data controller intends to process data for another purpose which is not compatible or analogous to the purposes
p.000003: set out in the privacy notice, the data owner's consent must be obtained again.
p.000003:
p.000003: Article 13. Processing of personal data will be done as necessary, appropriate and relevant with relation to the
p.000003: purposes set out in the privacy notice. In particular, for sensitive personal data, the data controller must make
p.000003: reasonable efforts to limit the processing period thereof to the minimum required.
p.000003:
p.000003: Article 14. The data controller shall ensure compliance with the personal data protection principles
p.000003: established by this Law, and shall adopt all necessary measures for their application. The foregoing will apply even
p.000003: when this data has been processed by a third party at the request of the data controller. The data
p.000003: controller must take all necessary and sufficient action to ensure that the privacy notice given to the data owner is
p.000003: respected at all times by it or by any other parties with which it has any legal relationship.
p.000003:
p.000003: Article 15. The data controller will have the obligation of providing data owners with information regarding what
p.000003: information is collected on them and why, through the privacy notice.
p.000003:
p.000003: Article 16. The privacy notice must contain at least the following information:
p.000003:
p.000003: I. The identity and domicile of the data controller collecting the data;
p.000003: II. The purposes of the data processing;
p.000003:
p.000003: III. The options and means offered by the data controller to the data owners to limit the use
p.000003: or disclosure of data;
p.000003: IV. The means for exercising rights of access, rectification, cancellation or objection, in accordance with
p.000003: the provisions of this Law;
p.000003: V. Where appropriate, the data transfers to be made, and
p.000003: VI. The procedure and means by which the data controller will notify the data owners of changes to the privacy
p.000003: notice, in accordance with the provisions of this Law.
p.000003:
p.000003: For sensitive personal data, the privacy notice must expressly state that it is dealing with this type of data.
p.000003:
p.000003: Article 17. The privacy notice must be made available to data owners through print, digital, visual or audio formats
...
p.000005:
p.000005: I. The data owner's name and address or other means to notify him of the response to his request;
p.000005: II. Documents establishing the identity or, where appropriate, legal representation of the data
p.000005: owner;
p.000005: III. A clear and precise description of the personal data with regard to which the data owner seeks to
p.000005: exercise any of the abovementioned rights.
p.000005: IV. Any other item or document that facilitates locating the personal data.
p.000005:
p.000005: Article 30. All data controllers must designate a personal data person or department who will process
p.000005: requests from data owners for the exercise of the rights referred to in this Law. In addition, data controllers will
p.000005: promote protection of personal data within their organizations.
p.000005:
p.000005: Article 31. In the case of requests for rectification of personal data, the data owner must indicate, in
p.000005: addition to that which is specified in the preceding article of this Law, the changes to be made, and provide
p.000005: documentation supporting the request.
p.000005:
p.000005: Article 32. The data controller will notify the data owner, within a maximum of twenty days counted from the date of
p.000005: receipt of the request for access, rectification, cancellation or objection, of the determination made, so that, where
p.000005: appropriate, same will become effective within fifteen days from the date on which the notice is provided. For
p.000005: personal data access requests, delivery will be made upon proof of identity of the requesting party or legal
p.000005: representative.
p.000005:
p.000005: The aforementioned time periods may be extended a single time by a period of equal length, provided that such action is
p.000005: justified by the circumstances of the case.
p.000005:
p.000005: Article 33. The obligation to provide access to information will be fulfilled when the personal data is made
p.000005: available to the data owner; or, by issuing uncertified copies, electronic documents or any other means
p.000005: established by the data controller in the privacy notice.
p.000005:
p.000005: In the event that the data owner requests access to data from a person or entity who he presumes is the data controller
p.000005: and said person or entity proves not to be such, it will be sufficient for said person or entity to so indicate to the
p.000005: data owner by any of the means referred to in the preceding paragraph, for the request to be considered properly
p.000005: fulfilled.
p.000005:
p.000005: Article 34. The data controller may deny access to personal data or refuse the rectification, cancellation or objection
p.000005: with relation thereto in the following cases:
p.000005:
p.000005: I. Where the requesting party is not the subject of the personal data, or the legal representative is not
p.000005: duly accredited for such purposes;
p.000005: II. Where the requesting party's personal data is not found in the data controller's database;
p.000005: III. Where the rights of a third party are adversely affected;
p.000005: IV. Where there is any legal impediment, or decision of a competent authority, restricting access to the
p.000005: personal data or not allowing the rectification, cancellation or objection with relation thereto, and
p.000005: V. Where the rectification, cancellation or objection has been previously performed.
p.000005:
p.000005: The refusal referred to in this article may be partial, in which case the data controller will carry out the
p.000005: access, rectification, cancellation or objection requested by the data owner.
p.000005:
p.000005: In all of the aforementioned cases, the data controller must notify the data owner, or, as appropriate, his legal
p.000005: representative, of its decision and the reason for such decision, within the periods established for such purposes, via
p.000005: the same means by which the request was made, attaching, where appropriate, any relevant evidence.
p.000005:
p.000005: Article 35. The action of providing personal data will be free, and the data owner must only pay justified expenses of
p.000005: shipping or the cost of copying or providing data in other formats.
p.000005:
p.000005: This right will be exercised by the data owner free of charge, upon proof of his identity to the
p.000005: data controller. However, if the same person repeats his request within a period of twelve months, costs will not be
p.000005: greater than three days of the General Current Minimum Wage in Mexico City, unless there are material
p.000005: changes to the privacy notice that prompt new queries.
p.000005:
p.000005: The data owner may file a data protection request due to the response received or lack of response from the data
p.000005: controller, in accordance with the provisions of the following Chapter.
p.000005:
p.000005: CHAPTER V
p.000005: Data Transfer
p.000005:
p.000005: Article 36. Where the data controller intends to transfer personal data to domestic or foreign third parties other
p.000005: than the data processor, it must provide them with the privacy notice and the purposes to which the data owner has
p.000005: limited data processing.
p.000005:
p.000005: Data processing will be done as agreed in the privacy notice, which shall contain a clause indicating
p.000005: whether or not the data owner agrees to the transfer of his data; moreover, the third party receiver will assume the
p.000005: same obligations as the data controller that has transferred the data.
p.000005:
p.000005: Article 37. Domestic or international transfers of data may be carried out without the consent of the data owner in the
p.000005: following cases:
p.000005:
p.000005: I. Where the transfer is pursuant to a Law or Treaty to which Mexico is party;
p.000005: II. Where the transfer is necessary for medical diagnosis or prevention, health care delivery,
p.000005: medical treatment or health services management;
p.000005: III. Where the transfer is made to holding companies, subsidiaries or affiliates under common control of the
p.000005: data controller, or to a parent company or any company of the same group as the data controller, operating under the
p.000005: same internal processes and policies;
p.000005: IV. Where the transfer is necessary by virtue of a contract executed or to be executed in the interest of the
p.000005: data owner between the data controller and a third party;
p.000007:
p.000007: V. Where the transfer is necessary or legally required to safeguard public interest or for the
p.000007: administration of justice;
p.000007: VI. Where the transfer is necessary for the recognition, exercise or defense of a right in a judicial
p.000007: proceeding, and
p.000007: VII. Where the transfer is necessary to maintain or fulfill a legal relationship between the data
p.000007: controller and the data owner.
p.000007:
p.000007: CHAPTER VI
p.000007: AUTHORITIES
p.000007:
p.000007: SECTION I
p.000007: The Institute
p.000007:
p.000007: Article 38. The Institute, for the purposes of this Law, will have the purpose of disseminating information on the
p.000007: right to personal data protection in Mexican society, promoting its exercise, and overseeing the due
p.000007: observance of the provisions of this Law and those arising herefrom; particularly those related to the fulfillment of
p.000007: obligations by the parties regulated by this Law.
p.000007:
p.000007: Article 39. The Institute has the following responsibilities:
p.000007:
p.000007: I. To oversee and verify compliance with the provisions of this Law, within the scope of its
p.000007: competence, with the exceptions provided by the law;
p.000007: II. To interpret this Law in the administrative system;
p.000007: III. To provide technical support to the data controllers who so request for fulfillment of the
p.000007: obligations established by this Law;
...
p.000007: considers it is incomplete or does not match the information requested.
p.000007:
p.000007: Upon receipt of the data protection request by the Institute, said request will be sent to the data controller, for
p.000007: said controller to, within fifteen days, issue a response, provide any evidence it deems relevant and make its formal
p.000007: arguments in writing.
p.000007:
p.000007: The Institute will admit any evidence it deems relevant and introduce it. It may also request any
p.000007: other evidence it deems necessary from the data controller. After introduction of evidence, the Institute will notify
p.000007: the data controller of its right to, if it so considers necessary, present its arguments within five days of
p.000007: notification.
p.000007:
p.000007: As required under the procedure, the Institute will issue a decision on the data protection request filed, after
p.000007: analyzing the evidence and other elements of proof it deems appropriate, as may be those that arise from the hearing(s)
p.000007: held with the parties.
p.000007:
p.000007: The Regulations to the Law will establish the manner, conditions and periods under which the rights
p.000007: protection procedure will be carried out.
p.000007:
p.000007: Article 46. The data protection request may be filed in writing or using the electronic system forms
p.000007: provided by the Institute for such a purpose, and must contain the following information:
p.000007:
p.000007: I. The name of the data owner or, where applicable, his legal representative, as well as that of any third
p.000007: party to the request;
p.000009:
p.000009: II. The name of the data controller to whom the request for personal data access,
p.000009: rectification, cancellation or objection was sent;
p.000009: III. Address to hear and receive notifications;
p.000009: IV. The date on which the response from the data controller was received, except where the
p.000009: procedure begins pursuant to the provisions of Article 50;
p.000009: V. The acts giving rise to the data protection request, and
p.000009: VI. Any other items considered appropriate to bring to the attention of the Institute.
p.000009:
p.000009: The manner and terms in which the identity of the data owner or, as the case may be, the legal
p.000009: representative, must be documented will be established in the Regulations.
p.000009:
p.000009: Furthermore, the data protection request will include the request and response being challenged or, where appropriate,
p.000009: any information enabling its identification. Where there has been no response, it will only be necessary
p.000009: to submit the request.
p.000009:
p.000009: Where the data protection request is filed through non-electronic means, it must include sufficient copies for
p.000009: notification.
p.000009:
p.000009: Article 47. The decision in the rights protection procedure must be issued within fifty days counted from the date of
...
p.000009: the Institute must dismiss it.
p.000009:
p.000009: In this latter case, the Institute will issue its decision based on the content of the original request and the
p.000009: response of the data controller referred to in the preceding paragraph.
p.000009:
p.000009: If the decision of the Institute referred to in the preceding paragraph determines that the request has merit, the data
p.000009: controller will proceed to fulfill it, at no charge to the data owner, where the data controller must bear all costs
p.000009: generated by the corresponding reproduction.
p.000009:
p.000009: Article 56. Private parties may file a petition for annulment against decisions issued by the Institute with the
p.000009: Federal Tax and Administrative Court.
p.000009:
p.000009: Article 57. All decisions of the Institute may be publicly released in public versions, eliminating any
p.000009: references to the data owner which identify him or make him identifiable.
p.000009:
p.000009: Article 58. Data owners who feel they have suffered harm or damage to their property or rights as a result of a breach
p.000009: of the provisions of this Law by the data controller or data processor, may exercise the rights they deem appropriate
p.000009: for purposes of any applicable indemnity, in the terms of the relevant law.
p.000009:
p.000009: CHAPTER VIII
p.000009: Verification Procedure
p.000009:
p.000009: Article 59. The Institute will verify compliance with this Law and the regulations derived herefrom.
p.000009: Verification may be initiated of its own motion or by petition of an interested party.
p.000009:
p.000009: Verification of its own motion will be carried out in the event of nonfulfillment of decisions issued in rights
p.000009: protection procedures as referred to in the preceding Chapter, or where the existence of violations of this Law is
p.000009: presumed grounded in law and fact.
p.000009:
p.000009: Article 60. In the verification procedure, the Institute will have access to all information and documentation it deems
p.000009: necessary, in accordance with the respective decision.
p.000009:
p.000009: Federal public servants will be obliged to observe confidentiality of the information they have access to as a result
p.000009: of the relevant verification.
p.000009:
p.000009: The Regulations will describe the form, terms and periods for the procedure referred to in this article.
p.000009:
p.000009: CHAPTER IX
p.000009: Penalty Application Procedure
p.000009:
p.000009: Article 61. If, by virtue of a rights protection procedure or verification procedure carried out by the Institute, the
p.000009: Institute becomes aware of a presumed breach of any of the principles or provisions of this Law, it will
p.000009: initiate the procedure referred to in this Chapter in order to determine the appropriate penalty.
p.000009:
p.000009: Article 62. The penalty application procedure will begin with notice sent by the Institute to the alleged
p.000009: offender with regard to the facts that originated the procedure and will grant a period of fifteen days to present
p.000009: evidence and state formal arguments in writing. Where no evidence is presented, the Institute will arrive at a decision
p.000009: through the evidence at its disposal.
p.000009:
...
Searching for indicator political:
p.000003: III. Blocking: The labeling and retention of personal data once it has served the purpose for which it was
p.000003: collected, with the sole purpose of determining possible responsibilities in relation to its processing,
p.000003: until the end of the legal or contractual limitation period of said responsibilities. During this period,
p.000003: personal data may not be processed, and, once the period has ended, the data will be cancelled in the relevant
p.000003: database.
p.000003: IV. Consent: Expression of the will of the data owner by which data processing is enabled.
p.000003: V. Personal data: Any information concerning an identified or identifiable individual.
p.000003: VI. Sensitive personal data: Personal data touching on the most private areas of the data owner's life, or
p.000003: whose misuse might lead to discrimination or involve a serious risk for said data owner. In particular, sensitive data
p.000003: is considered that which may reveal items such as racial or ethnic origin, present and future health status, genetic
p.000003: information, religious, philosophical and moral beliefs,
p.000003:
p.000003:
p.000003:
p.000003: Monday, July 5, 2010 OFFICIAL GAZETTE
p.000003: (First Section) 3
p.000003:
p.000003: union membership, political views, sexual preference.
p.000003: VII. Days: Working days.
p.000003: VIII. Dissociation: The procedure through which personal data cannot be associated with the data
p.000003: owner nor allow, by way of its structure, content or degree of disaggregation, identification thereof.
p.000003: IX. Data processor: The individual or legal entity that, alone or jointly with others, processes personal data
p.000003: on behalf of the data controller.
p.000003: X. Publicly available source: Those databases on which queries can be made by any person,
p.000003: without any requirement except, where appropriate, payment of a fee, in accordance with the Regulations to
p.000003: this Law.
p.000003: XI. Institute: Federal Institute for Access to Information and Data Protection, referred to in
p.000003: the Federal Law on Transparency and Access to Public Government Information.
p.000003: XII. Law: Federal Law on Protection of Personal Data Held by Private Parties.
p.000003: XIII. Regulations: The Regulations to the Federal Law on Protection of Personal Data Held by Private Parties.
p.000003: XIV. Data controller: Individual or private legal entity that decides on the processing of personal data.
p.000003: XV. Ministry: Ministry of Economy.
...
p.000011: to perform legally due rectifications or cancellations where the data owner's rights are affected;
p.000011: VII. Failure to comply with the notice referred to in section I of Article 64;
p.000011: VIII. Breaching the duty of confidentiality established in Article 21 of this Law;
p.000011: IX. Materially changing the original data processing purpose, without observing the provisions of
p.000011: Article 12;
p.000011: X. Transferring data to third parties without providing them with the privacy notice containing
p.000011: the limitations to which the data owner has conditioned data disclosure;
p.000011: XI. Compromising the security of databases, sites, programs or equipment, where attributable to the data
p.000011: controller;
p.000011: XII. Carrying out the transfer or assignment of personal data outside of the cases where it is
p.000011: permitted under this Law;
p.000011: XIII. Collecting or transferring personal data without the express consent of the data owner, in
p.000011: the cases where this is required;
p.000011: XIV. Obstructing verification actions of the authority;
p.000011: XV. Collecting data in a deceptive and fraudulent manner;
p.000011: XVI. Continuing with the illegitimate use of personal data when the Institute or the data owners have requested
p.000011: such use be ended;
p.000011: XVII. Processing personal data in a way that affects or impedes the exercise of the rights of access,
p.000011: rectification, cancellation and objection set forth in Article 16 of the Political Constitution of the United Mexican
p.000011: States;
p.000011: XVIII. Creating databases in violation of the provisions of Article 9, second paragraph, of this Law, and
p.000011: XIX. Any breach by the data controller of the obligations pertaining thereto as established in the
p.000011: provisions of this Law.
p.000011:
p.000011: Article 64. Violations of this Law will be punished by the Institute as follows:
p.000011:
p.000011: I. A warning instructing the data controller to carry out the actions requested by the data owner, under
p.000011: the terms established by this Law, in the cases described in section I of the preceding article;
p.000011: II. A fine from 100 to 160,000 days of the Mexico City minimum wage, in the cases described in sections II to
p.000011: VII of the preceding article;
p.000011: III. A fine from 200 to 320,000 days of the Mexico City minimum wage, in the cases described in sections VIII
p.000011: to XVIII of the preceding article; and
p.000011: IV. In the event of repeated occurrences of the violations described in the preceding paragraphs, an
p.000011: additional fine will be imposed from 100 to 320,000 days of the current Mexico City minimum wage. With
p.000011: regard to violations committed in processing sensitive data, sanctions may be increased up to double the
p.000011: established amounts.
p.000011:
p.000011: Article 65. The Institute will ground its decisions in law and fact, considering:
p.000011:
p.000011: I. The nature of the data;
p.000011: II. The evident impropriety of the refusal of the data controller to perform the actions requested by the
...
p.000011: Article 68. Six months to five years imprisonment will be imposed on any person who, with the aim of
p.000011: achieving unlawful profit, processes personal data deceitfully, taking advantage of an error of the data owner or the
p.000011: person authorized to transmit such data.
p.000011: Article 69. With regard to sensitive personal data, the penalties referred to in this chapter will be doubled.
p.000011:
p.000011: TRANSITORY PROVISIONS
p.000011:
p.000011: ONE. This Decree will take effect on the day following its publication in the Federal Official Gazette.
p.000011:
p.000011: TWO. The Federal Executive will issue the Regulations to this Law within one year following its entry into force.
p.000011:
p.000011: THREE. Data controllers shall designate the personal data person or department referred to in Article 30 of the Law,
p.000011: and shall issue their privacy notices to personal data owners in accordance with the provisions of articles 16 and 17
p.000011: within one year after this Law enters into force.
p.000011:
p.000011: FOUR. Data owners may exercise, with data controllers, their rights of access, rectification, cancellation and
p.000011: objection, as set forth in Chapter IV of this Law; they may also initiate, as necessary, the rights protection
p.000011: procedure established in Chapter VII hereof, eighteen months after the entry into force of the Law.
p.000011:
p.000011: FIVE. Pursuant to the provisions of Transitory Article Three of the Decree, adding section XXIX-O to
p.000011: Article 73 of the Political Constitution of the United Mexican States, published in the Federal Official Gazette on
p.000011: April 30, 2009, local regulations regarding the protection of personal data held by private parties are annulled, and
p.000011: any other provisions contrary to this Law are repealed.
p.000011:
p.000011: SIX. References made prior to the entry into force of this Decree by laws, treaties and international
p.000011: agreements, regulations and other bodies of law to the Federal Institute of Access to Public Information, in the future
p.000011: will be understood as made to the Federal Institute for Access to Information and Protection of Personal Data.
p.000011:
p.000013: SEVEN. Actions that, pursuant to the provisions of the Federal Law on Protection of Personal Data held by Private
p.000013: Parties, are to be carried out by the Federal Executive, will be subject to the approved budgets of the institutions
p.000013: concerned and the provisions of the Federal Budget and Fiscal Responsibility Law.
p.000013:
p.000013: EIGHT. The Expenditure Budget of the Federation for Fiscal Year 2011 includes items deemed sufficient for the proper
p.000013: functioning of the Federal Institute for Access to Information and Data Protection with respect to this Law.
p.000013:
...
Health / patients in emergency situations
Searching for indicator emergency situation:
p.000003: this Law.
p.000003:
p.000003: Consent may be revoked at any time without retroactive effects being attributed thereto. For revocation of consent,
p.000003: the data controller must, in the privacy notice, establish the mechanisms and procedures for such action.
p.000003:
p.000003: Article 9. In the case of sensitive personal data, the data controller must obtain express written consent from the
p.000003: data owner for processing, through said data owner's signature, electronic signature, or any authentication
p.000003: mechanism established for such a purpose.
p.000003:
p.000003: Databases containing sensitive personal data may not be created without justification of their creation for purposes
p.000003: that are legitimate, concrete and consistent with the explicit objectives or activities pursued by the regulated party.
p.000003:
p.000003: Article 10. Consent for processing of personal data will not be necessary where:
p.000003:
p.000003: I. Any Law so provides;
p.000003: II. The data is contained in publicly available sources;
p.000003: III. The personal data is subject to a prior dissociation procedure;
p.000003: IV. It has the purpose of fulfilling obligations under a legal relationship between the data owner and the
p.000003: data controller;
p.000003: V. There is an emergency situation that could potentially harm an individual in his person or property;
p.000003: VI. It is essential for medical attention, prevention, diagnosis, health care delivery, medical treatment or
p.000003: health services management, where the data owner is unable to give consent in the terms established by
p.000003: the General Health Law and other applicable laws, and said processing of data is carried out by a person subject to a
p.000003: duty of professional secrecy or an equivalent obligation, or
p.000003: VII. A resolution is issued by a competent authority.
p.000003:
p.000003: Article 11. The data controller shall ensure that personal data contained in databases is relevant, correct and
p.000003: up-to-date for the purposes for which it has been collected.
p.000003:
p.000003: When the personal data is no longer necessary for the fulfillment of the objectives set forth in the privacy notice and
p.000003: applicable law, it must be cancelled.
p.000003:
p.000003: The controller of the database will be required to remove information relating to nonperformance of
p.000003: contractual obligations, after a period of seventy-two months counted from the calendar day on which
p.000003: said nonperformance arose.
p.000003:
p.000003: Article 12. Processing of personal data must be limited to fulfillment of the purposes set out in the privacy notice.
p.000003: If the data controller intends to process data for another purpose which is not compatible or analogous to the purposes
p.000003: set out in the privacy notice, the data owner's consent must be obtained again.
p.000003:
...
Social / Access to Social Goods
Searching for indicator access:
p.000003: 2 (First Section) OFFICIAL GAZETTE
p.000003: Monday, July 5, 2010
p.000003:
p.000003: EXECUTIVE BRANCH MINISTRY OF THE INTERIOR
p.000003: DECREE issuing the Federal Law on Protection of Personal Data Held by Private Parties and amending Article 3, sections
p.000003: ii and vii, and Article 33, as well as the title of Chapter II of Title II of the Federal Law on Transparency
p.000003: and Access to Public Government Information.
p.000003:
p.000003: In the margin a seal with the national emblem, which reads: United Mexican States – Office of the President of the
p.000003: Republic.
p.000003: FELIPE DE JESÚS CALDERÓN HINOJOSA, President of the United Mexican States, to its inhabitants; be it known:
p.000003: That the Honorable Congress of the Union has sent me the following
p.000003:
p.000003: DECREE
p.000003:
p.000003: "THE GENERAL CONGRESS OF THE UNITED MEXICAN STATES DECREES:
p.000003:
p.000003: THE FEDERAL LAW ON PROTECTION OF PERSONAL DATA HELD BY PRIVATE PARTIES IS ISSUED AND ARTICLE 3, SECTIONS
p.000003: II AND VII, AND ARTICLE 33, AS WELL AS THE TITLE OF CHAPTER II OF TITLE II OF THE FEDERAL LAW ON TRANSPARENCY AND
p.000003: ACCESS TO PUBLIC GOVERNMENT INFORMATION ARE AMENDED.
p.000003:
p.000003: ARTICLE ONE. The Federal Law on Protection of Personal Data held by Private Parties is issued.
p.000003:
p.000003: FEDERAL LAW ON PROTECTION OF PERSONAL DATA HELD BY PRIVATE PARTIES
p.000003:
p.000003: CHAPTER I
p.000003: General Provisions
p.000003:
p.000003: Article 1. This Law is of a public order and of general observance throughout the Republic, and has the purpose of
p.000003: protecting personal data held by private parties, in order to regulate its legitimate, controlled and informed
p.000003: processing, to ensure the privacy and the right to informational self-determination of individuals.
p.000003:
p.000003: Article 2. The parties regulated under this Law are private parties, whether individuals or private legal
p.000003: entities, that process personal data, with the exception of:
p.000003:
p.000003: I. Credit reporting companies under the Law Regulating Credit Reporting Companies and other
p.000003: applicable laws, and
p.000003:
p.000003: II. Persons carrying out the collection and storage of personal data that is exclusively for personal use,
p.000003: and without purposes of disclosure or commercial use.
p.000003:
p.000003: Article 3. For purposes of this Law, the following definitions will apply:
p.000003:
p.000003: I. Privacy Notice: Document in physical, electronic or any other format, generated by the data
p.000003: controller, that is made available to the data owner prior to the processing of his personal data, in accordance with
p.000003: Article 15 of this Law.
...
p.000003: whose misuse might lead to discrimination or involve a serious risk for said data owner. In particular, sensitive data
p.000003: is considered that which may reveal items such as racial or ethnic origin, present and future health status, genetic
p.000003: information, religious, philosophical and moral beliefs,
p.000003: union membership, political views, sexual preference.
p.000003: VII. Days: Working days.
p.000003: VIII. Dissociation: The procedure through which personal data cannot be associated with the data
p.000003: owner nor allow, by way of its structure, content or degree of disaggregation, identification thereof.
p.000003: IX. Data processor: The individual or legal entity that, alone or jointly with others, processes personal data
p.000003: on behalf of the data controller.
p.000003: X. Publicly available source: Those databases on which queries can be made by any person,
p.000003: without any requirement except, where appropriate, payment of a fee, in accordance with the Regulations to
p.000003: this Law.
p.000003: XI. Institute: Federal Institute for Access to Information and Data Protection, referred to in
p.000003: the Federal Law on Transparency and Access to Public Government Information.
p.000003: XII. Law: Federal Law on Protection of Personal Data Held by Private Parties.
p.000003: XIII. Regulations: The Regulations to the Federal Law on Protection of Personal Data Held by Private Parties.
p.000003: XIV. Data controller: Individual or private legal entity that decides on the processing of personal data.
p.000003: XV. Ministry: Ministry of Economy.
p.000003: XVI. Third party: Mexican or foreign individual or legal entity other than the data owner or data
p.000003: controller.
p.000003: XVII. Data owner: The individual to whom personal data relates.
p.000003: XVIII. Processing: Retrieval, use, disclosure or storage of personal data by any means. Use covers any action of
p.000003: access, management, exploitation, transfer or disposal of personal data.
p.000003: XIX. Transfer: Any data communication made to a person other than the data controller or data
p.000003: processor.
p.000003:
p.000003: Article 4. The principles and rights under this Law will have, as a limit with regard to their observance and exercise,
p.000003: protection of national security, public order, health and safety as well as the rights of third parties.
p.000003:
p.000003: Article 5. Where not expressly provided in this Law, the provisions of the Federal Code of Civil Procedure and the
p.000003: Federal Administrative Procedure Law will apply supplementarily.
p.000003:
p.000003: For the substantiation of rights protection, verification and penalty procedures, the provisions contained in the
p.000003: Federal Administrative Procedure Law will be observed.
p.000003:
p.000003: CHAPTER II
p.000003: Principles of Personal Data Protection
p.000003:
p.000003: Article 6. Data controllers must adhere to the principles of legality, consent, notice, quality, purpose,
p.000003: fidelity, proportionality and accountability under the Law.
p.000003:
p.000003: Article 7. Personal data must be collected and processed in a lawful manner in accordance with the
p.000003: provisions established by this Law and other applicable regulations.
p.000003:
p.000003: Personal data must not be obtained through deceptive or fraudulent means.
p.000003:
p.000003: In all processing of personal data, it is presumed that there is a reasonable expectation of privacy,
...
p.000003: purposes set out in the privacy notice. In particular, for sensitive personal data, the data controller must make
p.000003: reasonable efforts to limit the processing period thereof to the minimum required.
p.000003:
p.000003: Article 14. The data controller shall ensure compliance with the personal data protection principles
p.000003: established by this Law, and shall adopt all necessary measures for their application. The foregoing will apply even
p.000003: when this data has been processed by a third party at the request of the data controller. The data
p.000003: controller must take all necessary and sufficient action to ensure that the privacy notice given to the data owner is
p.000003: respected at all times by it or by any other parties with which it has any legal relationship.
p.000003:
p.000003: Article 15. The data controller will have the obligation of providing data owners with information regarding what
p.000003: information is collected on them and why, through the privacy notice.
p.000003:
p.000003: Article 16. The privacy notice must contain at least the following information:
p.000003:
p.000003: I. The identity and domicile of the data controller collecting the data;
p.000003: II. The purposes of the data processing;
p.000003: III. The options and means offered by the data controller to the data owners to limit the use
p.000003: or disclosure of data;
p.000003: IV. The means for exercising rights of access, rectification, cancellation or objection, in accordance with
p.000003: the provisions of this Law;
p.000003: V. Where appropriate, the data transfers to be made, and
p.000003: VI. The procedure and means by which the data controller will notify the data owners of changes to the privacy
p.000003: notice, in accordance with the provisions of this Law.
p.000003:
p.000003: For sensitive personal data, the privacy notice must expressly state that it is dealing with this type of data.
p.000003:
p.000003: Article 17. The privacy notice must be made available to data owners through print, digital, visual or audio formats
p.000003: or any other technology, as follows:
p.000003:
p.000003: I. Where personal data has been obtained personally from the data owner, the privacy notice must be
p.000003: provided at the time the data is collected, clearly and unequivocally, through the format by which
p.000003: collection is carried out, unless the notice has been provided prior;
p.000003: II. Where personal data are obtained directly from the data owner by any electronic, optical,
p.000003: audio or visual means, or through any other technology, the data controller must immediately provide the data owner
p.000003: with at least the information referred to in sections I and II of the preceding article, as well as
p.000003: provide the mechanisms for the data owner to obtain the full text of the privacy notice.
p.000003:
p.000003: Article 18. Where data has not been obtained directly from the data owner, the data controller must notify him of the
p.000003: change in the privacy notice.
p.000003:
p.000003: The provisions of the preceding paragraph are not applicable where processing is done for historical,
p.000003: statistical or scientific purposes.
p.000003:
p.000003: Where it is impossible to provide the privacy notice to the data owner or where disproportionate effort is involved
p.000003: considering the number of data owners, or the age of the data, with the authorization of the Institute, the data
p.000003: controller may implement compensatory measures in the terms of the Regulation for this Law.
p.000003:
p.000003: Article 19. All responsible parties that process personal data must establish and maintain physical and
p.000003: technical administrative security measures designed to protect personal data from damage, loss, alteration,
p.000003: destruction or unauthorized use, access or processing.
p.000003:
p.000003: Data controllers will not adopt security measures inferior to those they keep to manage their own
p.000003: information. Moreover, risk involved, potential consequences for the data owners, sensitivity of the data, and
p.000003: technological development will be taken into account.
p.000003:
p.000003: Article 20. Security breaches occurring at any stage of processing that materially affect the property or moral
p.000003: rights of data owners will be reported immediately by the data controller to the data owner, so that the latter can
p.000003: take appropriate action to defend its rights.
p.000003:
p.000003: Article 21. The data controller or third parties involved in any stage of personal data processing must
p.000003: maintain confidentiality with respect to such data, and this obligation will continue even after the end of its/their
p.000003: relationship with the data owner or, as the case may be, with the data controller.
p.000003:
p.000003: CHAPTER III
p.000003: Rights of Data Owners
p.000003:
p.000003: Article 22. Any data owner, or, where appropriate, his legal representative, may exercise the rights of
p.000003: access, rectification, cancellation and objection under this Law. The exercise of any of these is not a
p.000003: prerequisite nor does it impede the exercise of another. Personal data must be preserved in such a way as to allow the
p.000003: exercise of these rights without delay.
p.000003:
p.000003: Article 23. Data owners will have the right to access their personal data held by the data controller as well as to be
p.000003: informed of the privacy notice to which processing is subject.
p.000003:
p.000003: Article 24. The data owner will have the right to rectify data if it is inaccurate or incomplete.
p.000003:
p.000003: Article 25. The data owner will at all times have the right to cancel his personal data.
p.000003:
p.000005: Cancellation of personal data will lead to a blocking period following which the data will be erased. The data
p.000005: controller may retain data exclusively for purposes pertaining to responsibilities arising from processing. The
p.000005: blocking period will be equal to the limitation period for actions arising from the legal relationship governing
p.000005: processing pursuant to applicable law.
p.000005:
p.000005: Once the data is cancelled, the data owner will be notified.
p.000005:
p.000005: Where personal data has been transmitted prior to the date of rectification or cancellation and continues to be
p.000005: processed by third parties, the data controller must notify them of the request for rectification or
p.000005: cancellation, so that such third parties also carry it out.
p.000005:
p.000005: Article 26. The data controller will not be obligated to cancel personal data when:
p.000005:
p.000005: I. It relates to the parties of a private or administrative contract or partnership agreement
p.000005: and is necessary for its performance and enforcement;
p.000005: II. The law requires that it be processed;
p.000005: III. Such action hinders judicial or administrative proceedings relating to tax obligations, investigation and
p.000005: prosecution of crimes, or updating of administrative sanctions;
p.000005: IV. It is necessary to protect the legally protected interests of the data owner;
p.000005: V. It is necessary to carry out an action in the public interest;
p.000005: VI. It is necessary to fulfill an obligation legally undertaken by the data owner, and
p.000005: VII. It is subject to processing for medical diagnosis or prevention or health services management, provided
p.000005: such processing is done by a health professional subject to a duty of secrecy.
p.000005:
p.000005: Article 27. Data owners will, at all times and for any legitimate reason, have the right to object to
p.000005: the processing of their data. Where appropriate, the data controller may not process such data owner's data.
p.000005:
p.000005: CHAPTER IV
p.000005: Exercise of Rights of Access, Rectification, Cancellation and Objection
p.000005:
p.000005: Article 28. The data owner or his legal representative may at any time make a request to the data
p.000005: controller for access, rectification, cancellation or objection in relation to the personal data concerning him.
p.000005:
p.000005: Article 29. The access, rectification, cancellation or objection request must include the following:
p.000005:
p.000005: I. The data owner's name and address or other means to notify him of the response to his request;
p.000005: II. Documents establishing the identity or, where appropriate, legal representation of the data
p.000005: owner;
p.000005: III. A clear and precise description of the personal data with regard to which the data owner seeks to
p.000005: exercise any of the abovementioned rights.
p.000005: IV. Any other item or document that facilitates locating the personal data.
p.000005:
p.000005: Article 30. All data controllers must designate a personal data person or department who will process
p.000005: requests from data owners for the exercise of the rights referred to in this Law. In addition, data controllers will
p.000005: promote protection of personal data within their organizations.
p.000005:
p.000005: Article 31. In the case of requests for rectification of personal data, the data owner must indicate, in
p.000005: addition to that which is specified in the preceding article of this Law, the changes to be made, and provide
p.000005: documentation supporting the request.
p.000005:
p.000005: Article 32. The data controller will notify the data owner, within a maximum of twenty days counted from the date of
p.000005: receipt of the request for access, rectification, cancellation or objection, of the determination made, so that, where
p.000005: appropriate, same will become effective within fifteen days from the date on which the notice is provided. For
p.000005: personal data access requests, delivery will be made upon proof of identity of the requesting party or legal
p.000005: representative.
p.000005:
p.000005: The aforementioned time periods may be extended a single time by a period of equal length, provided that such action is
p.000005: justified by the circumstances of the case.
p.000005:
p.000005: Article 33. The obligation to provide access to information will be fulfilled when the personal data is made
p.000005: available to the data owner; or, by issuing uncertified copies, electronic documents or any other means
p.000005: established by the data controller in the privacy notice.
p.000005:
p.000005: In the event that the data owner requests access to data from a person or entity who he presumes is the data controller
p.000005: and said person or entity proves not to be such, it will be sufficient for said person or entity to so indicate to the
p.000005: data owner by any of the means referred to in the preceding paragraph, for the request to be considered properly
p.000005: fulfilled.
p.000005:
p.000005: Article 34. The data controller may deny access to personal data or refuse the rectification, cancellation or objection
p.000005: with relation thereto in the following cases:
p.000005:
p.000005: I. Where the requesting party is not the subject of the personal data, or the legal representative is not
p.000005: duly accredited for such purposes;
p.000005: II. Where the requesting party's personal data is not found in the data controller's database;
p.000005: III. Where the rights of a third party are adversely affected;
p.000005: IV. Where there is any legal impediment, or decision of a competent authority, restricting access to the
p.000005: personal data or not allowing the rectification, cancellation or objection with relation thereto, and
p.000005: V. Where the rectification, cancellation or objection has been previously performed.
p.000005:
p.000005: The refusal referred to in this article may be partial, in which case the data controller will carry out the
p.000005: access, rectification, cancellation or objection requested by the data owner.
p.000005:
p.000005: In all of the aforementioned cases, the data controller must notify the data owner, or, as appropriate, his legal
p.000005: representative, of its decision and the reason for such decision, within the periods established for such purposes, via
p.000005: the same means by which the request was made, attaching, where appropriate, any relevant evidence.
p.000005:
p.000005: Article 35. The action of providing personal data will be free, and the data owner must only pay justified expenses of
p.000005: shipping or the cost of copying or providing data in other formats.
p.000005:
p.000005: This right will be exercised by the data owner free of charge, upon proof of his identity to the
p.000005: data controller. However, if the same person repeats his request within a period of twelve months, costs will not be
p.000005: greater than three days of the General Current Minimum Wage in Mexico City, unless there are material
p.000005: changes to the privacy notice that prompt new queries.
p.000005:
p.000005: The data owner may file a data protection request due to the response received or lack of response from the data
p.000005: controller, in accordance with the provisions of the following Chapter.
p.000005:
p.000005: CHAPTER V
p.000005: Data Transfer
p.000005:
p.000005: Article 36. Where the data controller intends to transfer personal data to domestic or foreign third parties other
p.000005: than the data processor, it must provide them with the privacy notice and the purposes to which the data owner has
p.000005: limited data processing.
p.000005:
p.000005: Data processing will be done as agreed in the privacy notice, which shall contain a clause indicating
...
p.000007: Law. Such schemes must include mechanisms to measure their effectiveness in protecting data, consequences and effective
p.000007: corrective measures in the case of nonfulfillment.
p.000007:
p.000007: Self-regulatory schemes may be translated into codes of ethics or good professional practice, trust seals or other
p.000007: mechanisms, and will contain specific rules or standards enabling harmonization of data processing performed by
p.000007: adherents and facilitation of the exercise of data owners' rights. Notification of such schemes will be made
p.000007: simultaneously to the relevant sectoral authorities and the Institute.
p.000007:
p.000007: CHAPTER VII
p.000007: Rights Protection Procedure
p.000007:
p.000007: Article 45. The procedure will be initiated by request from the data owner or his legal representative,
p.000007: clearly stating the content of his claim and the provisions of this Law deemed violated. The data protection request
p.000007: must be submitted to the Institute within fifteen days from the date on which the response from the data controller is
p.000007: communicated to the data owner.
p.000007:
p.000007: In the event that the data owner does not receive a response from the data controller, the data protection request may
p.000007: be filed after the deadline for the data controller response has passed. In this case, it will be
p.000007: sufficient for the data owner to accompany its data protection request with the document that proves the date on which
p.000007: he filed the request for access, rectification, cancellation or objection.
p.000007:
p.000007: The data protection request will also be allowed under the same terms when the data controller does not deliver the
p.000007: requested personal data to the data owner, or delivers it in an incomprehensible form, refuses to make changes or
p.000007: corrections to personal data, or where the data owner is not satisfied with the information delivered since he
p.000007: considers it is incomplete or does not match the information requested.
p.000007:
p.000007: Upon receipt of the data protection request by the Institute, said request will be sent to the data controller, for
p.000007: said controller to, within fifteen days, issue a response, provide any evidence it deems relevant and make its formal
p.000007: arguments in writing.
p.000007:
p.000007: The Institute will admit any evidence it deems relevant and introduce it. It may also request any
p.000007: other evidence it deems necessary from the data controller. After introduction of evidence, the Institute will notify
p.000007: the data controller of its right to, if it so considers necessary, present its arguments within five days of
p.000007: notification.
p.000007:
p.000007: As required under the procedure, the Institute will issue a decision on the data protection request filed, after
p.000007: analyzing the evidence and other elements of proof it deems appropriate, as may be those that arise from the hearing(s)
p.000007: held with the parties.
p.000007:
p.000007: The Regulations to the Law will establish the manner, conditions and periods under which the rights
p.000007: protection procedure will be carried out.
p.000007:
p.000007: Article 46. The data protection request may be filed in writing or using the electronic system forms
p.000007: provided by the Institute for such a purpose, and must contain the following information:
p.000007:
p.000007: I. The name of the data owner or, where applicable, his legal representative, as well as that of any third
p.000007: party to the request;
p.000007:
p.000007:
p.000009: 10 (First Section) OFFICIAL GAZETTE
p.000009: Monday, July 5, 2010
p.000009:
p.000009: II. The name of the data controller to whom the request for personal data access,
p.000009: rectification, cancellation or objection was sent;
p.000009: III. Address to hear and receive notifications;
p.000009: IV. The date on which the response from the data controller was received, except where the
p.000009: procedure begins pursuant to the provisions of Article 50;
p.000009: V. The acts giving rise to the data protection request, and
p.000009: VI. Any other items considered appropriate to bring to the attention of the Institute.
p.000009:
p.000009: The manner and terms in which the identity of the data owner or, as the case may be, the legal
p.000009: representative, must be documented will be established in the Regulations.
p.000009:
p.000009: Furthermore, the data protection request will include the request and response being challenged or, where appropriate,
p.000009: any information enabling its identification. Where there has been no response, it will only be necessary
p.000009: to submit the request.
p.000009:
p.000009: Where the data protection request is filed through non-electronic means, it must include sufficient copies for
p.000009: notification.
p.000009:
p.000009: Article 47. The decision in the rights protection procedure must be issued within fifty days counted from the date of
p.000009: filing of the data protection request. Where there is good cause, the Plenum of the Institute may extend this deadline
p.000009: a single time for a period of equal length.
p.000009:
p.000009: Article 48. Where the protection of rights decision is in favor of the data owner, the data controller will be ordered
p.000009: to, within ten days of notification or, where warranted, a longer period as set out in the decision, carry out all
p.000009: action required in accordance with the exercise of the rights subject to protection, and it shall report compliance
p.000009: therewith in writing to the Institute within the following ten days.
p.000009:
p.000009: Article 49. If the data protection request fails to satisfy any of the requirements specified in Article 46 of this
p.000009: Law, and where the Institute lacks the information to remedy such omissions, the data owner will be
p.000009: instructed, a single time, within twenty working days following the filing of the data protection
p.000009: request, to remedy the omissions within five days. If the instructions are not followed by the deadline, the data
p.000009: protection request will be considered not filed. The instructions will have the effect of interrupting the period
p.000009: allowed for the Institute to issue a decision on the data protection request.
p.000009:
p.000009: Article 50. The Institute will remedy the deficiencies in the complaint where required, provided it does not alter the
p.000009: original content of the request for personal data access, rectification, cancellation or objection, nor modify the
p.000009: facts or petitions set out in the same or in the data protection request.
p.000009:
p.000009: Article 51. The decisions of the Institute may:
p.000009:
p.000009: I. Dismiss or reject the data protection request as without merit or inadmissible, or
p.000009: II. Affirm, reverse or amend the response of the data controller.
p.000009:
p.000009: Article 52. The data protection request will be rejected as without merit or inadmissible where:
p.000009:
p.000009: I. The Institute lacks jurisdiction;
p.000009: II. The Institute has already heard the data protection request for the same act and issued a final decision
p.000009: with regard to the same petitioner;
p.000009: III. Any petition or legal action filed by the data owner is pending before the competent courts that may have
p.000009: the effect of amending or revoking the act in question;
p.000009: IV. The data protection request is offensive or irrational, or
p.000009: V. It is filed late.
p.000009:
p.000009: Article 53. The data protection request will be dismissed where:
p.000009:
p.000009: I. The data owner dies;
p.000009: II. The data owner expressly withdraws the petition;
p.000009: III. After admission of the data protection request, grounds for inadmissibility arise.
p.000009: IV. Same becomes moot for any reason.
p.000009:
p.000009: Article 54. The Institute may, at any time in the procedure, seek conciliation between the data owner and the data
p.000009: controller.
p.000009:
p.000009: If a conciliation agreement is reached between the two, it will be recorded in writing and will have binding effect.
p.000009: The data protection request will become moot and the Institute will verify fulfillment of the respective agreement.
p.000009:
p.000009: For the purposes of conciliation referred to herein, the procedure established in the Regulations to this Law will be
p.000009: followed.
p.000009:
p.000009: Article 55. Where a data protection request is filed upon lack of response by the data controller to a
p.000009: request in the exercise of the rights of access, rectification, cancellation or objection, the Institute will serve
p.000009: notice on said data controller to, within ten days, prove it has responded in a timely manner to the request, or
p.000009: respond to it. If the response satisfies the request, the data protection request will be considered without merit and
p.000009: the Institute must dismiss it.
p.000009:
p.000009: In this latter case, the Institute will issue its decision based on the content of the original request and the
p.000009: response of the data controller referred to in the preceding paragraph.
p.000009:
p.000009: If the decision of the Institute referred to in the preceding paragraph determines that the request has merit, the data
p.000009: controller will proceed to fulfill it, at no charge to the data owner, where the data controller must bear all costs
p.000009: generated by the corresponding reproduction.
p.000009:
p.000009: Article 56. Private parties may file a petition for annulment against decisions issued by the Institute with the
p.000009: Federal Tax and Administrative Court.
p.000009:
p.000009: Article 57. All decisions of the Institute may be publicly released in public versions, eliminating any
p.000009: references to the data owner which identify him or make him identifiable.
p.000009:
p.000009: Article 58. Data owners who feel they have suffered harm or damage to their property or rights as a result of a breach
p.000009: of the provisions of this Law by the data controller or data processor, may exercise the rights they deem appropriate
p.000009: for purposes of any applicable indemnity, in the terms of the relevant law.
p.000009:
p.000009: CHAPTER VIII
p.000009: Verification Procedure
p.000009:
p.000009: Article 59. The Institute will verify compliance with this Law and the regulations derived herefrom.
p.000009: Verification may be initiated of its own motion or by petition of an interested party.
p.000009:
p.000009: Verification of its own motion will be carried out in the event of nonfulfillment of decisions issued in rights
p.000009: protection procedures as referred to in the preceding Chapter, or where the existence of violations of this Law is
p.000009: presumed grounded in law and fact.
p.000009:
p.000009: Article 60. In the verification procedure, the Institute will have access to all information and documentation it deems
p.000009: necessary, in accordance with the respective decision.
p.000009:
p.000009: Federal public servants will be obliged to observe confidentiality of the information they have access to as a result
p.000009: of the relevant verification.
p.000009:
p.000009: The Regulations will describe the form, terms and periods for the procedure referred to in this article.
p.000009:
p.000009: CHAPTER IX
p.000009: Penalty Application Procedure
p.000009:
p.000009: Article 61. If, by virtue of a rights protection procedure or verification procedure carried out by the Institute, the
p.000009: Institute becomes aware of a presumed breach of any of the principles or provisions of this Law, it will
p.000009: initiate the procedure referred to in this Chapter in order to determine the appropriate penalty.
p.000009:
p.000009: Article 62. The penalty application procedure will begin with notice sent by the Institute to the alleged
p.000009: offender with regard to the facts that originated the procedure and will grant a period of fifteen days to present
p.000009: evidence and state formal arguments in writing. Where no evidence is presented, the Institute will arrive at a decision
p.000009: through the evidence at its disposal.
p.000009:
p.000011: The Institute will admit evidence it deems relevant and introduce it. In addition, it may request any other evidence it
p.000011: deems necessary from the alleged offender. After introduction of evidence, the Institute will notify the alleged
p.000011: offender of its right to, if it so considers necessary, present its arguments within five days of
p.000011: notification.
p.000011:
p.000011: The Institute, after analyzing the evidence and other elements of proof it deems relevant, will issue a final decision
p.000011: within fifty days after the date on which it initiated the penalty procedure. Notice of this decision must be given to
p.000011: the parties.
p.000011:
p.000011: Where there is good cause, the Plenum of the Institute may extend this deadline a single time for a period of equal
p.000011: length.
p.000011:
p.000011: The Regulations will describe the form, terms and periods for the penalty application procedure, including presentation
p.000011: of evidence and arguments, hearings and end of proceedings.
p.000011:
p.000011: CHAPTER X
p.000011: Violations and Penalties
p.000011:
p.000011: Article 63. The following acts carried out by the data controller are violations of this Law:
p.000011:
p.000011: I. Failure to satisfy the data owner's request for personal data access, rectification, cancellation or
p.000011: objection without well-founded reason, in the terms of this Law;
p.000011: II. Acting negligently or fraudulently in processing and responding to requests for personal data
p.000011: access, rectification, cancellation or objection;
p.000011: III. Fraudulently declaring the inexistence of personal data where such exists in whole or in part in the
p.000011: databases of the data controller;
p.000011: IV. Processing personal data in violation of the principles established in this Law;
p.000011: V. Omitting, in the privacy notice, any or all of the items referred to in Article 16 of this Law;
p.000011: VI. Maintaining inaccurate personal data when such action is attributable to the data controller, or failing
p.000011: to perform legally due rectifications or cancellations where the data owner's rights are affected;
p.000011: VII. Failure to comply with the notice referred to in section I of Article 64;
p.000011: VIII. Breaching the duty of confidentiality established in Article 21 of this Law;
p.000011: IX. Materially changing the original data processing purpose, without observing the provisions of
p.000011: Article 12;
p.000011: X. Transferring data to third parties without providing them with the privacy notice containing
p.000011: the limitations to which the data owner has conditioned data disclosure;
p.000011: XI. Compromising the security of databases, sites, programs or equipment, where attributable to the data
p.000011: controller;
p.000011: XII. Carrying out the transfer or assignment of personal data outside of the cases where it is
p.000011: permitted under this Law;
p.000011: XIII. Collecting or transferring personal data without the express consent of the data owner, in
p.000011: the cases where this is required;
p.000011: XIV. Obstructing verification actions of the authority;
p.000011: XV. Collecting data in a deceptive and fraudulent manner;
p.000011: XVI. Continuing with the illegitimate use of personal data when the Institute or the data owners have requested
p.000011: such use be ended;
p.000011: XVII. Processing personal data in a way that affects or impedes the exercise of the rights of access,
p.000011: rectification, cancellation and objection set forth in Article 16 of the Political Constitution of the United Mexican
p.000011: States;
p.000011: XVIII. Creating databases in violation of the provisions of Article 9, second paragraph, of this Law, and
p.000011: XIX. Any breach by the data controller of the obligations pertaining thereto as established in the
p.000011: provisions of this Law.
p.000011:
p.000011: Article 64. Violations of this Law will be punished by the Institute as follows:
p.000011:
p.000011: I. A warning instructing the data controller to carry out the actions requested by the data owner, under
p.000011: the terms established by this Law, in the cases described in section I of the preceding article;
p.000011: II. A fine from 100 to 160,000 days of the Mexico City minimum wage, in the cases described in sections II to
p.000011: VII of the preceding article;
p.000011: III. A fine from 200 to 320,000 days of the Mexico City minimum wage, in the cases described in sections VIII
p.000011: to XVIII of the preceding article; and
p.000011: IV. In the event of repeated occurrences of the violations described in the preceding paragraphs, an
p.000011: additional fine will be imposed from 100 to 320,000 days of the current Mexico City minimum wage. With
p.000011: regard to violations committed in processing sensitive data, sanctions may be increased up to double the
p.000011: established amounts.
p.000011:
p.000011: Article 65. The Institute will ground its decisions in law and fact, considering:
p.000011:
...
p.000011:
p.000011: Article 66. The penalties specified in this chapter will be imposed without prejudice to any applicable civil or
p.000011: criminal liability.
p.000011:
p.000011: CHAPTER XI
p.000011: Crimes Relating to Unlawful Processing of Personal Data
p.000011: Article 67. Three months to three years imprisonment will be imposed on any person who, authorized to process personal
p.000011: data, for profit, causes a security breach affecting the databases under his custody.
p.000011: Article 68. Six months to five years imprisonment will be imposed on any person who, with the aim of
p.000011: achieving unlawful profit, processes personal data deceitfully, taking advantage of an error of the data owner or the
p.000011: person authorized to transmit such data.
p.000011: Article 69. With regard to sensitive personal data, the penalties referred to in this chapter will be doubled.
p.000011:
p.000011: TRANSITORY PROVISIONS
p.000011:
p.000011: ONE. This Decree will take effect on the day following its publication in the Federal Official Gazette.
p.000011:
p.000011: TWO. The Federal Executive will issue the Regulations to this Law within one year following its entry into force.
p.000011:
p.000011: THREE. Data controllers shall designate the personal data person or department referred to in Article 30 of the Law,
p.000011: and shall issue their privacy notices to personal data owners in accordance with the provisions of articles 16 and 17
p.000011: within one year after this Law enters into force.
p.000011:
p.000011: FOUR. Data owners may exercise, with data controllers, their rights of access, rectification, cancellation and
p.000011: objection, as set forth in Chapter IV of this Law; they may also initiate, as necessary, the rights protection
p.000011: procedure established in Chapter VII hereof, eighteen months after the entry into force of the Law.
p.000011:
p.000011: FIVE. Pursuant to the provisions of Transitory Article Three of the Decree, adding section XXIX-O to
p.000011: Article 73 of the Political Constitution of the United Mexican States, published in the Federal Official Gazette on
p.000011: April 30, 2009, local regulations regarding the protection of personal data held by private parties are annulled, and
p.000011: any other provisions contrary to this Law are repealed.
p.000011:
p.000011: SIX. References made prior to the entry into force of this Decree by laws, treaties and international
p.000011: agreements, regulations and other bodies of law to the Federal Institute of Access to Public Information, in the future
p.000011: will be understood as made to the Federal Institute for Access to Information and Protection of Personal Data.
p.000011:
p.000013: SEVEN. Actions that, pursuant to the provisions of the Federal Law on Protection of Personal Data held by Private
p.000013: Parties, are to be carried out by the Federal Executive, will be subject to the approved budgets of the institutions
p.000013: concerned and the provisions of the Federal Budget and Fiscal Responsibility Law.
p.000013:
p.000013: EIGHT. The Expenditure Budget of the Federation for Fiscal Year 2011 includes items deemed sufficient for the proper
p.000013: functioning of the Federal Institute for Access to Information and Data Protection with respect to this Law.
p.000013:
p.000013: ARTICLE TWO. Article 3 sections II and VII, and Article 33, as well as the title of Chapter II of Title II of the
p.000013: Federal Law on Transparency and Access to Public Government Information are amended, to read as follows:
p.000013:
p.000013: Article 3. For purposes of this Law, the following definitions will apply:
p.000013:
p.000013: I…
p.000013:
p.000013: II. Personal data: Any information concerning an identified or identifiable individual.
p.000013:
p.000013: III to VI…
p.000013:
p.000013: VII. Institute: The Federal Institute for Access to Information and Data Protection, established in Article 33 of this
p.000013: Law;
p.000013:
p.000013: VIII to XV…
p.000013:
p.000013: CHAPTER II
p.000013: The Institute
p.000013:
p.000013: Article 33. The Institute is a body of the Federal Public Administration, with operational, budgetary and
p.000013: decision-making autonomy, responsible for promoting and disseminating information regarding the exercise of the right
p.000013: to information, resolving on refusal of information access requests, and protecting personal data held by agencies and
p.000013: entities.
p.000013:
p.000013:
p.000013: TRANSITORY PROVISIONS
p.000013:
p.000013: SOLE PROVISION. This Decree will take effect on the day following its publication in the Federal Official Gazette.
p.000013:
p.000013: Mexico City, April 27, 2010. Deputy Francisco Javier Ramirez Acuña, Chair. Sen. Carlos Navarrete Ruiz,
p.000013: Chair. Deputy Georgina Trujillo Zentella, Secretary. Sen. Renán Cleominio Zoreda Novelo, Secretary.
p.000013: Signatures."
p.000013: Pursuant to the provisions of Section I of Article 89 of the Constitution of the United Mexican States, and for its due
p.000013: publication and observance, I issue this Decree at the Residence of the Federal Executive in Mexico City, Federal
p.000013: District, on June Twenty-Eighth, Two Thousand and Ten. Felipe de Jesús Calderón Hinojosa.- Signature.
...
Searching for indicator access to information:
(return to top)
p.000005: exercise any of the abovementioned rights.
p.000005: IV. Any other item or document that facilitates locating the personal data.
p.000005:
p.000005: Article 30. All data controllers must designate a personal data person or department who will process
p.000005: requests from data owners for the exercise of the rights referred to in this Law. In addition, data controllers will
p.000005: promote protection of personal data within their organizations.
p.000005:
p.000005: Article 31. In the case of requests for rectification of personal data, the data owner must indicate, in
p.000005: addition to that which is specified in the preceding article of this Law, the changes to be made, and provide
p.000005: documentation supporting the request.
p.000005:
p.000005: Article 32. The data controller will notify the data owner, within a maximum of twenty days counted from the date of
p.000005: receipt of the request for access, rectification, cancellation or objection, of the determination made, so that, where
p.000005: appropriate, same will become effective within fifteen days from the date on which the notice is provided. For
p.000005: personal data access requests, delivery will be made upon proof of identity of the requesting party or legal
p.000005: representative.
p.000005:
p.000005: The aforementioned time periods may be extended a single time by a period of equal length, provided that such action is
p.000005: justified by the circumstances of the case.
p.000005:
p.000005: Article 33. The obligation to provide access to information will be fulfilled when the personal data is made
p.000005: available to the data owner; or, by issuing uncertified copies, electronic documents or any other means
p.000005: established by the data controller in the privacy notice.
p.000005:
p.000005: In the event that the data owner requests access to data from a person or entity who he presumes is the data controller
p.000005: and said person or entity proves not to be such, it will be sufficient for said person or entity to so indicate to the
p.000005: data owner by any of the means referred to in the preceding paragraph, for the request to be considered properly
p.000005: fulfilled.
p.000005:
p.000005: Article 34. The data controller may deny access to personal data or refuse the rectification, cancellation or objection
p.000005: with relation thereto in the following cases:
p.000005:
p.000005: I. Where the requesting party is not the subject of the personal data, or the legal representative is not
p.000005: duly accredited for such purposes;
p.000005: II. Where the requesting party's personal data is not found in the data controller's database;
p.000005: III. Where the rights of a third party are adversely affected;
p.000005: IV. Where there is any legal impediment, or decision of a competent authority, restricting access to the
...
p.000011: TWO. The Federal Executive will issue the Regulations to this Law within one year following its entry into force.
p.000011:
p.000011: THREE. Data controllers shall designate the personal data person or department referred to in Article 30 of the Law,
p.000011: and shall issue their privacy notices to personal data owners in accordance with the provisions of articles 16 and 17
p.000011: within one year after this Law enters into force.
p.000011:
p.000011: FOUR. Data owners may exercise, with data controllers, their rights of access, rectification, cancellation and
p.000011: objection, as set forth in Chapter IV of this Law; they may also initiate, as necessary, the rights protection
p.000011: procedure established in Chapter VII hereof, eighteen months after the entry into force of the Law.
p.000011:
p.000011: FIVE. Pursuant to the provisions of Transitory Article Three of the Decree, adding section XXIX-O to
p.000011: Article 73 of the Political Constitution of the United Mexican States, published in the Federal Official Gazette on
p.000011: April 30, 2009, local regulations regarding the protection of personal data held by private parties are annulled, and
p.000011: any other provisions contrary to this Law are repealed.
p.000011:
p.000011: SIX. References made prior to the entry into force of this Decree by laws, treaties and international
p.000011: agreements, regulations and other bodies of law to the Federal Institute of Access to Public Information, in the future
p.000011: will be understood as made to the Federal Institute for Access to Information and Protection of Personal Data.
p.000011:
p.000013: SEVEN. Actions that, pursuant to the provisions of the Federal Law on Protection of Personal Data held by Private
p.000013: Parties, are to be carried out by the Federal Executive, will be subject to the approved budgets of the institutions
p.000013: concerned and the provisions of the Federal Budget and Fiscal Responsibility Law.
p.000013:
p.000013: EIGHT. The Expenditure Budget of the Federation for Fiscal Year 2011 includes items deemed sufficient for the proper
p.000013: functioning of the Federal Institute for Access to Information and Data Protection with respect to this Law.
p.000013:
p.000013: ARTICLE TWO. Article 3 sections II and VII, and Article 33, as well as the title of Chapter II of Title II of the
p.000013: Federal Law on Transparency and Access to Public Government Information are amended, to read as follows:
p.000013:
p.000013: Article 3. For purposes of this Law, the following definitions will apply:
p.000013:
p.000013: I…
p.000013:
p.000013: II. Personal data: Any information concerning an identified or identifiable individual.
p.000013:
p.000013: III to VI…
p.000013:
p.000013: VII. Institute: The Federal Institute for Access to Information and Data Protection, established in Article 33 of this
p.000013: Law;
p.000013:
p.000013: VIII to XV…
p.000013:
p.000013: CHAPTER II
p.000013: The Institute
p.000013:
p.000013: Article 33. The Institute is a body of the Federal Public Administration, with operational, budgetary and
p.000013: decision-making autonomy, responsible for promoting and disseminating information regarding the exercise of the right
p.000013: to information, resolving on refusal of information access requests, and protecting personal data held by agencies and
p.000013: entities.
p.000013:
p.000013:
p.000013: TRANSITORY PROVISIONS
p.000013:
p.000013: SOLE PROVISION. This Decree will take effect on the day following its publication in the Federal Official Gazette.
p.000013:
p.000013: Mexico City, April 27, 2010. Deputy Francisco Javier Ramirez Acuña, Chair. Sen. Carlos Navarrete Ruiz,
p.000013: Chair. Deputy Georgina Trujillo Zentella, Secretary. Sen. Renán Cleominio Zoreda Novelo, Secretary.
p.000013: Signatures."
p.000013: Pursuant to the provisions of Section I of Article 89 of the Constitution of the United Mexican States, and for its due
p.000013: publication and observance, I issue this Decree at the Residence of the Federal Executive in Mexico City, Federal
p.000013: District, on June Twenty-Eighth, Two Thousand and Ten. Felipe de Jesús Calderón Hinojosa.- Signature.
...
Social / Age
Searching for indicator age:
(return to top)
p.000003: notice, in accordance with the provisions of this Law.
p.000003:
p.000003: For sensitive personal data, the privacy notice must expressly state that it is dealing with this type of data.
p.000003:
p.000003: Article 17. The privacy notice must be made available to data owners through print, digital, visual or audio formats
p.000003: or any other technology, as follows:
p.000003:
p.000003: I. Where personal data has been obtained personally from the data owner, the privacy notice must be
p.000003: provided at the time the data is collected, clearly and unequivocally, through the format by which
p.000003: collection is carried out, unless the notice has been provided prior;
p.000003: II. Where personal data are obtained directly from the data owner by any electronic, optical,
p.000003: audio or visual means, or through any other technology, the data controller must immediately provide the data owner
p.000003: with at least the information referred to in sections I and II of the preceding article, as well as
p.000003: provide the mechanisms for the data owner to obtain the full text of the privacy notice.
p.000003:
p.000003: Article 18. Where data has not been obtained directly from the data owner, the data controller must notify him of the
p.000003: change in the privacy notice.
p.000003:
p.000003: The provisions of the preceding paragraph are not applicable where processing is done for historical,
p.000003: statistical or scientific purposes.
p.000003:
p.000003: Where it is impossible to provide the privacy notice to the data owner or where disproportionate effort is involved
p.000003: considering the number of data owners, or the age of the data, with the authorization of the Institute, the data
p.000003: controller may implement compensatory measures in the terms of the Regulation for this Law.
p.000003:
p.000003: Article 19. All responsible parties that process personal data must establish and maintain physical and
p.000003: technical administrative security measures designed to protect personal data from damage, loss, alteration,
p.000003: destruction or unauthorized use, access or processing.
p.000003:
p.000003: Data controllers will not adopt security measures inferior to those they keep to manage their own
p.000003: information. Moreover, risk involved, potential consequences for the data owners, sensitivity of the data, and
p.000003: technological development will be taken into account.
p.000003:
p.000003: Article 20. Security breaches occurring at any stage of processing that materially affect the property or moral
p.000003: rights of data owners will be reported immediately by the data controller to the data owner, so that the latter can
p.000003: take appropriate action to defend its rights.
p.000003:
p.000003: Article 21. The data controller or third parties involved in any stage of personal data processing must
p.000003: maintain confidentiality with respect to such data, and this obligation will continue even after the end of its/their
p.000003: relationship with the data owner or, as the case may be, with the data controller.
p.000003:
p.000003: CHAPTER III
p.000003: Rights of Data Owners
p.000003:
p.000003: Article 22. Any data owner, or, where appropriate, his legal representative, may exercise the rights of
...
Social / Ethnicity
Searching for indicator ethnic:
p.000003:
p.000003: Article 3. For purposes of this Law, the following definitions will apply:
p.000003:
p.000003: I. Privacy Notice: Document in physical, electronic or any other format, generated by the data
p.000003: controller, that is made available to the data owner prior to the processing of his personal data, in accordance with
p.000003: Article 15 of this Law.
p.000003: II. Database: The ordered set of personal data concerning an identified or identifiable individual.
p.000003: III. Blocking: The labeling and retention of personal data once it has served the purpose for which it was
p.000003: collected, with the sole purpose of determining possible responsibilities in relation to its processing,
p.000003: until the end of the legal or contractual limitation period of said responsibilities. During this period,
p.000003: personal data may not be processed, and, once the period has ended, the data will be cancelled in the relevant
p.000003: database.
p.000003: IV. Consent: Expression of the will of the data owner by which data processing is enabled.
p.000003: V. Personal data: Any information concerning an identified or identifiable individual.
p.000003: VI. Sensitive personal data: Personal data touching on the most private areas of the data owner's life, or
p.000003: whose misuse might lead to discrimination or involve a serious risk for said data owner. In particular, sensitive data
p.000003: is considered that which may reveal items such as racial or ethnic origin, present and future health status, genetic
p.000003: information, religious, philosophical and moral beliefs,
p.000003:
p.000003:
p.000003:
p.000003: Monday, July 5, 2010 OFFICIAL GAZETTE
p.000003: (First Section) 3
p.000003:
p.000003: union membership, political views, sexual preference.
p.000003: VII. Days: Working days.
p.000003: VIII. Dissociation: The procedure through which personal data cannot be associated with the data
p.000003: owner nor allow, by way of its structure, content or degree of disaggregation, identification thereof.
p.000003: IX. Data processor: The individual or legal entity that, alone or jointly with others, processes personal data
p.000003: on behalf of the data controller.
p.000003: X. Publicly available source: Those databases on which queries can be made by any person,
p.000003: without any requirement except, where appropriate, payment of a fee, in accordance with the Regulations to
p.000003: this Law.
p.000003: XI. Institute: Federal Institute for Access to Information and Data Protection, referred to in
p.000003: the Federal Law on Transparency and Access to Public Government Information.
p.000003: XII. Law: Federal Law on Protection of Personal Data Held by Private Parties.
...
Social / LGBTQ+ Status
Searching for indicator sexual preference:
p.000003: collected, with the sole purpose of determining possible responsibilities in relation to its processing,
p.000003: until the end of the legal or contractual limitation period of said responsibilities. During this period,
p.000003: personal data may not be processed, and, once the period has ended, the data will be cancelled in the relevant
p.000003: database.
p.000003: IV. Consent: Expression of the will of the data owner by which data processing is enabled.
p.000003: V. Personal data: Any information concerning an identified or identifiable individual.
p.000003: VI. Sensitive personal data: Personal data touching on the most private areas of the data owner's life, or
p.000003: whose misuse might lead to discrimination or involve a serious risk for said data owner. In particular, sensitive data
p.000003: is considered that which may reveal items such as racial or ethnic origin, present and future health status, genetic
p.000003: information, religious, philosophical and moral beliefs,
p.000003: union membership, political views, sexual preference.
p.000003: VII. Days: Working days.
p.000003: VIII. Dissociation: The procedure through which personal data cannot be associated with the data
p.000003: owner nor allow, by way of its structure, content or degree of disaggregation, identification thereof.
p.000003: IX. Data processor: The individual or legal entity that, alone or jointly with others, processes personal data
p.000003: on behalf of the data controller.
p.000003: X. Publicly available source: Those databases on which queries can be made by any person,
p.000003: without any requirement except, where appropriate, payment of a fee, in accordance with the Regulations to
p.000003: this Law.
p.000003: XI. Institute: Federal Institute for Access to Information and Data Protection, referred to in
p.000003: the Federal Law on Transparency and Access to Public Government Information.
p.000003: XII. Law: Federal Law on Protection of Personal Data Held by Private Parties.
p.000003: XIII. Regulations: The Regulations to the Federal Law on Protection of Personal Data Held by Private Parties.
p.000003: XIV. Data controller: Individual or private legal entity that decides on the processing of personal data.
p.000003: XV. Ministry: Ministry of Economy.
p.000003: XVI. Third party: Mexican or foreign individual or legal entity other than the data owner or data
p.000003: controller.
p.000003: XVII. Data owner: The individual to whom personal data relates.
...
Social / Marital Status
Searching for indicator single:
p.000005: owner;
p.000005: III. A clear and precise description of the personal data with regard to which the data owner seeks to
p.000005: exercise any of the abovementioned rights.
p.000005: IV. Any other item or document that facilitates locating the personal data.
p.000005:
p.000005: Article 30. All data controllers must designate a personal data person or department who will process
p.000005: requests from data owners for the exercise of the rights referred to in this Law. In addition, data controllers will
p.000005: promote protection of personal data within their organizations.
p.000005:
p.000005: Article 31. In the case of requests for rectification of personal data, the data owner must indicate, in
p.000005: addition to that which is specified in the preceding article of this Law, the changes to be made, and provide
p.000005: documentation supporting the request.
p.000005:
p.000005: Article 32. The data controller will notify the data owner, within a maximum of twenty days counted from the date of
p.000005: receipt of the request for access, rectification, cancellation or objection, of the determination made, so that, where
p.000005: appropriate, same will become effective within fifteen days from the date on which the notice is provided. For
p.000005: personal data access requests, delivery will be made upon proof of identity of the requesting party or legal
p.000005: representative.
p.000005:
p.000005: The aforementioned time periods may be extended a single time by a period of equal length, provided that such action is
p.000005: justified by the circumstances of the case.
p.000005:
p.000005: Article 33. The obligation to provide access to information will be fulfilled when the personal data is made
p.000005: available to the data owner; or, by issuing uncertified copies, electronic documents or any other means
p.000005: established by the data controller in the privacy notice.
p.000005:
p.000005: In the event that the data owner requests access to data from a person or entity who he presumes is the data controller
p.000005: and said person or entity proves not to be such, it will be sufficient for said person or entity to so indicate to the
p.000005: data owner by any of the means referred to in the preceding paragraph, for the request to be considered properly
p.000005: fulfilled.
p.000005:
p.000005: Article 34. The data controller may deny access to personal data or refuse the rectification, cancellation or objection
p.000005: with relation thereto in the following cases:
p.000005:
p.000005: I. Where the requesting party is not the subject of the personal data, or the legal representative is not
p.000005: duly accredited for such purposes;
p.000005: II. Where the requesting party's personal data is not found in the data controller's database;
p.000005: III. Where the rights of a third party are adversely affected;
...
p.000009: rectification, cancellation or objection was sent;
p.000009: III. Address to hear and receive notifications;
p.000009: IV. The date on which the response from the data controller was received, except where the
p.000009: procedure begins pursuant to the provisions of Article 50;
p.000009: V. The acts giving rise to the data protection request, and
p.000009: VI. Any other items considered appropriate to bring to the attention of the Institute.
p.000009:
p.000009: The manner and terms in which the identity of the data owner or, as the case may be, the legal
p.000009: representative, must be documented will be established in the Regulations.
p.000009:
p.000009: Furthermore, the data protection request will include the request and response being challenged or, where appropriate,
p.000009: any information enabling its identification. Where there has been no response, it will only be necessary
p.000009: to submit the request.
p.000009:
p.000009: Where the data protection request is filed through non-electronic means, it must include sufficient copies for
p.000009: notification.
p.000009:
p.000009: Article 47. The decision in the rights protection procedure must be issued within fifty days counted from the date of
p.000009: filing of the data protection request. Where there is good cause, the Plenum of the Institute may extend this deadline
p.000009: a single time for a period of equal length.
p.000009:
p.000009: Article 48. Where the protection of rights decision is in favor of the data owner, the data controller will be ordered
p.000009: to, within ten days of notification or, where warranted, a longer period as set out in the decision, carry out all
p.000009: action required in accordance with the exercise of the rights subject to protection, and it shall report compliance
p.000009: therewith in writing to the Institute within the following ten days.
p.000009:
p.000009: Article 49. If the data protection request fails to satisfy any of the requirements specified in Article 46 of this
p.000009: Law, and where the Institute lacks the information to remedy such omissions, the data owner will be
p.000009: instructed, a single time, within twenty working days following the filing of the data protection
p.000009: request, to remedy the omissions within five days. If the instructions are not followed by the deadline, the data
p.000009: protection request will be considered not filed. The instructions will have the effect of interrupting the period
p.000009: allowed for the Institute to issue a decision on the data protection request.
p.000009:
p.000009: Article 50. The Institute will remedy the deficiencies in the complaint where required, provided it does not alter the
p.000009: original content of the request for personal data access, rectification, cancellation or objection, nor modify the
p.000009: facts or petitions set out in the same or in the data protection request.
p.000009:
p.000009: Article 51. The decisions of the Institute may:
p.000009:
p.000009: I. Dismiss or reject the data protection request as without merit or inadmissible, or
p.000009: II. Affirm, reverse or amend the response of the data controller.
p.000009:
p.000009: Article 52. The data protection request will be rejected as without merit or inadmissible where:
p.000009:
p.000009: I. The Institute lacks jurisdiction;
p.000009: II. The Institute has already heard the data protection request for the same act and issued a final decision
p.000009: with regard to the same petitioner;
...
p.000009:
p.000009: Article 61. If, by virtue of a rights protection procedure or verification procedure carried out by the Institute, the
p.000009: Institute becomes aware of a presumed breach of any of the principles or provisions of this Law, it will
p.000009: initiate the procedure referred to in this Chapter in order to determine the appropriate penalty.
p.000009:
p.000009: Article 62. The penalty application procedure will begin with notice sent by the Institute to the alleged
p.000009: offender with regard to the facts that originated the procedure and will grant a period of fifteen days to present
p.000009: evidence and state formal arguments in writing. Where no evidence is presented, the Institute will arrive at a decision
p.000009: through the evidence at its disposal.
p.000009:
p.000011: The Institute will admit evidence it deems relevant and introduce it. In addition, it may request any other evidence it
p.000011: deems necessary from the alleged offender. After introduction of evidence, the Institute will notify the alleged
p.000011: offender of its right to, if it so considers necessary, present its arguments within five days of
p.000011: notification.
p.000011:
p.000011: The Institute, after analyzing the evidence and other elements of proof it deems relevant, will issue a final decision
p.000011: within fifty days after the date on which it initiated the penalty procedure. Notice of this decision must be given to
p.000011: the parties.
p.000011:
p.000011: Where there is good cause, the Plenum of the Institute may extend this deadline a single time for a period of equal
p.000011: length.
p.000011:
p.000011: The Regulations will describe the form, terms and periods for the penalty application procedure, including presentation
p.000011: of evidence and arguments, hearings and end of proceedings.
p.000011:
p.000011: CHAPTER X
p.000011: Violations and Penalties
p.000011:
p.000011: Article 63. The following acts carried out by the data controller are violations of this Law:
p.000011:
p.000011: I. Failure to satisfy the data owner's request for personal data access, rectification, cancellation or
p.000011: objection without well-founded reason, in the terms of this Law;
p.000011: II. Acting negligently or fraudulently in processing and responding to requests for personal data
p.000011: access, rectification, cancellation or objection;
p.000011: III. Fraudulently declaring the inexistence of personal data where such exists in whole or in part in the
p.000011: databases of the data controller;
p.000011: IV. Processing personal data in violation of the principles established in this Law;
p.000011: V. Omitting, in the privacy notice, any or all of the items referred to in Article 16 of this Law;
p.000011: VI. Maintaining inaccurate personal data when such action is attributable to the data controller, or failing
p.000011: to perform legally due rectifications or cancellations where the data owner's rights are affected;
p.000011: VII. Failure to comply with the notice referred to in section I of Article 64;
p.000011: VIII. Breaching the duty of confidentiality established in Article 21 of this Law;
p.000011: IX. Materially changing the original data processing purpose, without observing the provisions of
p.000011: Article 12;
...
Social / Property Ownership
Searching for indicator property:
p.000003: the data controller must, in the privacy notice, establish the mechanisms and procedures for such action.
p.000003:
p.000003: Article 9. In the case of sensitive personal data, the data controller must obtain express written consent from the
p.000003: data owner for processing, through said data owner's signature, electronic signature, or any authentication
p.000003: mechanism established for such a purpose.
p.000003:
p.000003: Databases containing sensitive personal data may not be created without justification of their creation for purposes
p.000003: that are legitimate, concrete and consistent with the explicit objectives or activities pursued by the regulated party.
p.000003:
p.000003: Article 10. Consent for processing of personal data will not be necessary where:
p.000003:
p.000003: I. Any Law so provides;
p.000003: II. The data is contained in publicly available sources;
p.000003: III. The personal data is subject to a prior dissociation procedure;
p.000003: IV. It has the purpose of fulfilling obligations under a legal relationship between the data owner and the
p.000003: data controller;
p.000003: V. There is an emergency situation that could potentially harm an individual in his person or property;
p.000003: VI. It is essential for medical attention, prevention, diagnosis, health care delivery, medical treatment or
p.000003: health services management, where the data owner is unable to give consent in the terms established by
p.000003: the General Health Law and other applicable laws, and said processing of data is carried out by a person subject to a
p.000003: duty of professional secrecy or an equivalent obligation, or
p.000003: VII. A resolution is issued by a competent authority.
p.000003:
p.000003: Article 11. The data controller shall ensure that personal data contained in databases is relevant, correct and
p.000003: up-to-date for the purposes for which it has been collected.
p.000003:
p.000003: When the personal data is no longer necessary for the fulfillment of the objectives set forth in the privacy notice and
p.000003: applicable law, it must be cancelled.
p.000003:
p.000003: The controller of the database will be required to remove information relating to nonperformance of
p.000003: contractual obligations, after a period of seventy-two months counted from the calendar day on which
p.000003: said nonperformance arose.
p.000003:
p.000003: Article 12. Processing of personal data must be limited to fulfillment of the purposes set out in the privacy notice.
p.000003: If the data controller intends to process data for another purpose which is not compatible or analogous to the purposes
p.000003: set out in the privacy notice, the data owner's consent must be obtained again.
p.000003:
p.000003: Article 13. Processing of personal data will be done as necessary, appropriate and relevant with relation to the
...
p.000003: provide the mechanisms for the data owner to obtain the full text of the privacy notice.
p.000003:
p.000003: Article 18. Where data has not been obtained directly from the data owner, the data controller must notify him of the
p.000003: change in the privacy notice.
p.000003:
p.000003: The provisions of the preceding paragraph are not applicable where processing is done for historical,
p.000003: statistical or scientific purposes.
p.000003:
p.000003: Where it is impossible to provide the privacy notice to the data owner or where disproportionate effort is involved
p.000003: considering the number of data owners, or the age of the data, with the authorization of the Institute, the data
p.000003: controller may implement compensatory measures in the terms of the Regulation for this Law.
p.000003:
p.000003: Article 19. All responsible parties that process personal data must establish and maintain physical and
p.000003: technical administrative security measures designed to protect personal data from damage, loss, alteration,
p.000003: destruction or unauthorized use, access or processing.
p.000003:
p.000003: Data controllers will not adopt security measures inferior to those they keep to manage their own
p.000003: information. Moreover, risk involved, potential consequences for the data owners, sensitivity of the data, and
p.000003: technological development will be taken into account.
p.000003:
p.000003: Article 20. Security breaches occurring at any stage of processing that materially affect the property or moral
p.000003: rights of data owners will be reported immediately by the data controller to the data owner, so that the latter can
p.000003: take appropriate action to defend its rights.
p.000003:
p.000003: Article 21. The data controller or third parties involved in any stage of personal data processing must
p.000003: maintain confidentiality with respect to such data, and this obligation will continue even after the end of its/their
p.000003: relationship with the data owner or, as the case may be, with the data controller.
p.000003:
p.000003: CHAPTER III
p.000003: Rights of Data Owners
p.000003:
p.000003: Article 22. Any data owner, or, where appropriate, his legal representative, may exercise the rights of
p.000003: access, rectification, cancellation and objection under this Law. The exercise of any of these is not a
p.000003: prerequisite nor does it impede the exercise of another. Personal data must be preserved in such a way as to allow the
p.000003: exercise of these rights without delay.
p.000003:
p.000003: Article 23. Data owners will have the right to access their personal data held by the data controller as well as to be
p.000003: informed of the privacy notice to which processing is subject.
p.000003:
p.000003: Article 24. The data owner will have the right to rectify data if it is inaccurate or incomplete.
p.000003:
p.000003: Article 25. The data owner will at all times have the right to cancel his personal data.
p.000003:
p.000005: Cancellation of personal data will lead to a blocking period following which the data will be erased. The data
...
p.000009: followed.
p.000009:
p.000009: Article 55. Where a data protection request is filed upon lack of response by the data controller to a
p.000009: request in the exercise of the rights of access, rectification, cancellation or objection, the Institute will serve
p.000009: notice on said data controller to, within ten days, prove it has responded in a timely manner to the request, or
p.000009: respond to it. If the response satisfies the request, the data protection request will be considered without merit and
p.000009: the Institute must dismiss it.
p.000009:
p.000009: In this latter case, the Institute will issue its decision based on the content of the original request and the
p.000009: response of the data controller referred to in the preceding paragraph.
p.000009:
p.000009: If the decision of the Institute referred to in the preceding paragraph determines that the request has merit, the data
p.000009: controller will proceed to fulfill it, at no charge to the data owner, where the data controller must bear all costs
p.000009: generated by the corresponding reproduction.
p.000009:
p.000009: Article 56. Private parties may file a petition for annulment against decisions issued by the Institute with the
p.000009: Federal Tax and Administrative Court.
p.000009:
p.000009: Article 57. All decisions of the Institute may be publicly released in public versions, eliminating any
p.000009: references to the data owner which identify him or make him identifiable.
p.000009:
p.000009: Article 58. Data owners who feel they have suffered harm or damage to their property or rights as a result of a breach
p.000009: of the provisions of this Law by the data controller or data processor, may exercise the rights they deem appropriate
p.000009: for purposes of any applicable indemnity, in the terms of the relevant law.
p.000009:
p.000009: CHAPTER VIII
p.000009: Verification Procedure
p.000009:
p.000009: Article 59. The Institute will verify compliance with this Law and the regulations derived herefrom.
p.000009: Verification may be initiated of its own motion or by petition of an interested party.
p.000009:
p.000009: Verification of its own motion will be carried out in the event of nonfulfillment of decisions issued in rights
p.000009: protection procedures as referred to in the preceding Chapter, or where the existence of violations of this Law is
p.000009: presumed grounded in law and fact.
p.000009:
p.000009: Article 60. In the verification procedure, the Institute will have access to all information and documentation it deems
p.000009: necessary, in accordance with the respective decision.
p.000009:
p.000009: Federal public servants will be obliged to observe confidentiality of the information they have access to as a result
p.000009: of the relevant verification.
p.000009:
p.000009: The Regulations will describe the form, terms and periods for the procedure referred to in this article.
p.000009:
p.000009: CHAPTER IX
p.000009: Penalty Application Procedure
p.000009:
p.000009: Article 61. If, by virtue of a rights protection procedure or verification procedure carried out by the Institute, the
...
Social / Racial Minority
Searching for indicator racial:
p.000003: and without purposes of disclosure or commercial use.
p.000003:
p.000003: Article 3. For purposes of this Law, the following definitions will apply:
p.000003:
p.000003: I. Privacy Notice: Document in physical, electronic or any other format, generated by the data
p.000003: controller, that is made available to the data owner prior to the processing of his personal data, in accordance with
p.000003: Article 15 of this Law.
p.000003: II. Database: The ordered set of personal data concerning an identified or identifiable individual.
p.000003: III. Blocking: The labeling and retention of personal data once it has served the purpose for which it was
p.000003: collected, with the sole purpose of determining possible responsibilities in relation to its processing,
p.000003: until the end of the legal or contractual limitation period of said responsibilities. During this period,
p.000003: personal data may not be processed, and, once the period has ended, the data will be cancelled in the relevant
p.000003: database.
p.000003: IV. Consent: Expression of the will of the data owner by which data processing is enabled.
p.000003: V. Personal data: Any information concerning an identified or identifiable individual.
p.000003: VI. Sensitive personal data: Personal data touching on the most private areas of the data owner's life, or
p.000003: whose misuse might lead to discrimination or involve a serious risk for said data owner. In particular, sensitive data
p.000003: is considered that which may reveal items such as racial or ethnic origin, present and future health status, genetic
p.000003: information, religious, philosophical and moral beliefs,
p.000003: union membership, political views, sexual preference.
p.000003: VII. Days: Working days.
p.000003: VIII. Dissociation: The procedure through which personal data cannot be associated with the data
p.000003: owner nor allow, by way of its structure, content or degree of disaggregation, identification thereof.
p.000003: IX. Data processor: The individual or legal entity that, alone or jointly with others, processes personal data
p.000003: on behalf of the data controller.
p.000003: X. Publicly available source: Those databases on which queries can be made by any person,
p.000003: without any requirement except, where appropriate, payment of a fee, in accordance with the Regulations to
p.000003: this Law.
p.000003: XI. Institute: Federal Institute for Access to Information and Data Protection, referred to in
p.000003: the Federal Law on Transparency and Access to Public Government Information.
p.000003: XII. Law: Federal Law on Protection of Personal Data Held by Private Parties.
...
Social / Religion
Searching for indicator religious:
p.000003: I. Privacy Notice: Document in physical, electronic or any other format, generated by the data
p.000003: controller, that is made available to the data owner prior to the processing of his personal data, in accordance with
p.000003: Article 15 of this Law.
p.000003: II. Database: The ordered set of personal data concerning an identified or identifiable individual.
p.000003: III. Blocking: The labeling and retention of personal data once it has served the purpose for which it was
p.000003: collected, with the sole purpose of determining possible responsibilities in relation to its processing,
p.000003: until the end of the legal or contractual limitation period of said responsibilities. During this period,
p.000003: personal data may not be processed, and, once the period has ended, the data will be cancelled in the relevant
p.000003: database.
p.000003: IV. Consent: Expression of the will of the data owner by which data processing is enabled.
p.000003: V. Personal data: Any information concerning an identified or identifiable individual.
p.000003: VI. Sensitive personal data: Personal data touching on the most private areas of the data owner's life, or
p.000003: whose misuse might lead to discrimination or involve a serious risk for said data owner. In particular, sensitive data
p.000003: is considered that which may reveal items such as racial or ethnic origin, present and future health status, genetic
p.000003: information, religious, philosophical and moral beliefs,
p.000003: union membership, political views, sexual preference.
p.000003: VII. Days: Working days.
p.000003: VIII. Dissociation: The procedure through which personal data cannot be associated with the data
p.000003: owner nor allow, by way of its structure, content or degree of disaggregation, identification thereof.
p.000003: IX. Data processor: The individual or legal entity that, alone or jointly with others, processes personal data
p.000003: on behalf of the data controller.
p.000003: X. Publicly available source: Those databases on which queries can be made by any person,
p.000003: without any requirement except, where appropriate, payment of a fee, in accordance with the Regulations to
p.000003: this Law.
p.000003: XI. Institute: Federal Institute for Access to Information and Data Protection, referred to in
p.000003: the Federal Law on Transparency and Access to Public Government Information.
p.000003: XII. Law: Federal Law on Protection of Personal Data Held by Private Parties.
p.000003: XIII. Regulations: The Regulations to the Federal Law on Protection of Personal Data Held by Private Parties.
...
Social / Trade Union Membership
Searching for indicator union:
p.000003: 2 (First Section) OFFICIAL GAZETTE
p.000003: Monday, July 5, 2010
p.000003:
p.000003: EXECUTIVE BRANCH MINISTRY OF THE INTERIOR
p.000003: DECREE issuing the Federal Law on Protection of Personal Data Held by Private Parties and amending Article 3, sections
p.000003: II and VII, and Article 33, as well as the title of Chapter II of Title II of the Federal Law on Transparency
p.000003: and Access to Public Government Information.
p.000003:
p.000003: In the margin a seal with the national emblem, which reads: United Mexican States – Office of the President of the
p.000003: Republic.
p.000003: FELIPE DE JESÚS CALDERÓN HINOJOSA, President of the United Mexican States, to its inhabitants; be it known:
p.000003: That the Honorable Congress of the Union has sent me the following
p.000003:
p.000003: DECREE
p.000003:
p.000003: "THE GENERAL CONGRESS OF THE UNITED MEXICAN STATES DECREES:
p.000003:
p.000003: THE FEDERAL LAW ON PROTECTION OF PERSONAL DATA HELD BY PRIVATE PARTIES IS ISSUED AND ARTICLE 3, SECTIONS
p.000003: II AND VII, AND ARTICLE 33, AS WELL AS THE TITLE OF CHAPTER II OF TITLE II OF THE FEDERAL LAW ON TRANSPARENCY AND
p.000003: ACCESS TO PUBLIC GOVERNMENT INFORMATION ARE AMENDED.
p.000003:
p.000003: ARTICLE ONE. The Federal Law on Protection of Personal Data held by Private Parties is issued.
p.000003:
p.000003: FEDERAL LAW ON PROTECTION OF PERSONAL DATA HELD BY PRIVATE PARTIES
p.000003:
p.000003: CHAPTER I
p.000003: General Provisions
p.000003:
p.000003: Article 1. This Law is of a public order and of general observance throughout the Republic, and has the purpose of
p.000003: protecting personal data held by private parties, in order to regulate its legitimate, controlled and informed
p.000003: processing, to ensure the privacy and the right to informational self-determination of individuals.
p.000003:
p.000003: Article 2. The parties regulated under this Law are private parties, whether individuals or private legal
p.000003: entities, that process personal data, with the exception of:
p.000003:
p.000003: I. Credit reporting companies under the Law Regulating Credit Reporting Companies and other
p.000003: applicable laws, and
p.000003:
p.000003: II. Persons carrying out the collection and storage of personal data that is exclusively for personal use,
...
p.000003: II. Database: The ordered set of personal data concerning an identified or identifiable individual.
p.000003: III. Blocking: The labeling and retention of personal data once it has served the purpose for which it was
p.000003: collected, with the sole purpose of determining possible responsibilities in relation to its processing,
p.000003: until the end of the legal or contractual limitation period of said responsibilities. During this period,
p.000003: personal data may not be processed, and, once the period has ended, the data will be cancelled in the relevant
p.000003: database.
p.000003: IV. Consent: Expression of the will of the data owner by which data processing is enabled.
p.000003: V. Personal data: Any information concerning an identified or identifiable individual.
p.000003: VI. Sensitive personal data: Personal data touching on the most private areas of the data owner's life, or
p.000003: whose misuse might lead to discrimination or involve a serious risk for said data owner. In particular, sensitive data
p.000003: is considered that which may reveal items such as racial or ethnic origin, present and future health status, genetic
p.000003: information, religious, philosophical and moral beliefs,
p.000003: union membership, political views, sexual preference.
p.000003: VII. Days: Working days.
p.000003: VIII. Dissociation: The procedure through which personal data cannot be associated with the data
p.000003: owner nor allow, by way of its structure, content or degree of disaggregation, identification thereof.
p.000003: IX. Data processor: The individual or legal entity that, alone or jointly with others, processes personal data
p.000003: on behalf of the data controller.
p.000003: X. Publicly available source: Those databases on which queries can be made by any person,
p.000003: without any requirement except, where appropriate, payment of a fee, in accordance with the Regulations to
p.000003: this Law.
p.000003: XI. Institute: Federal Institute for Access to Information and Data Protection, referred to in
p.000003: the Federal Law on Transparency and Access to Public Government Information.
p.000003: XII. Law: Federal Law on Protection of Personal Data Held by Private Parties.
p.000003: XIII. Regulations: The Regulations to the Federal Law on Protection of Personal Data Held by Private Parties.
p.000003: XIV. Data controller: Individual or private legal entity that decides on the processing of personal data.
p.000003: XV. Ministry: Ministry of Economy.
...
Social / parents
Searching for indicator parent:
p.000005: changes to the privacy notice that prompt new queries.
p.000005:
p.000005: The data owner may file a data protection request due to the response received or lack of response from the data
p.000005: controller, in accordance with the provisions of the following Chapter.
p.000005:
p.000005: CHAPTER V
p.000005: Data Transfer
p.000005:
p.000005: Article 36. Where the data controller intends to transfer personal data to domestic or foreign third parties other
p.000005: than the data processor, it must provide them with the privacy notice and the purposes to which the data owner has
p.000005: limited data processing.
p.000005:
p.000005: Data processing will be done as agreed in the privacy notice, which shall contain a clause indicating
p.000005: whether or not the data owner agrees to the transfer of his data; moreover, the third party receiver will assume the
p.000005: same obligations as the data controller that has transferred the data.
p.000005:
p.000005: Article 37. Domestic or international transfers of data may be carried out without the consent of the data owner in the
p.000005: following cases:
p.000005:
p.000005: I. Where the transfer is pursuant to a Law or Treaty to which Mexico is party;
p.000005: II. Where the transfer is necessary for medical diagnosis or prevention, health care delivery,
p.000005: medical treatment or health services management;
p.000005: III. Where the transfer is made to holding companies, subsidiaries or affiliates under common control of the
p.000005: data controller, or to a parent company or any company of the same group as the data controller, operating under the
p.000005: same internal processes and policies;
p.000005: IV. Where the transfer is necessary by virtue of a contract executed or to be executed in the interest of the
p.000005: data owner between the data controller and a third party;
p.000007: V. Where the transfer is necessary or legally required to safeguard public interest or for the
p.000007: administration of justice;
p.000007: VI. Where the transfer is necessary for the recognition, exercise or defense of a right in a judicial
p.000007: proceeding, and
p.000007: VII. Where the transfer is necessary to maintain or fulfill a legal relationship between the data
p.000007: controller and the data owner.
p.000007:
p.000007: CHAPTER VI AUTHORITIES
p.000007:
p.000007: SECTION I
p.000007: The Institute
p.000007:
p.000007: Article 38. The Institute, for the purposes of this Law, will have the purpose of disseminating information on the
p.000007: right to personal data protection in Mexican society, promoting its exercise, and overseeing the due
p.000007: observance of the provisions of this Law and those arising herefrom; particularly those related to the fulfillment of
p.000007: obligations by the parties regulated by this Law.
p.000007:
p.000007: Article 39. The Institute has the following responsibilities:
p.000007:
...
General/Other / Impaired Autonomy
Searching for indicator autonomy:
p.000013:
p.000013:
p.000013: SEVEN. Actions that, pursuant to the provisions of the Federal Law on Protection of Personal Data held by Private
p.000013: Parties, are to be carried out by the Federal Executive, will be subject to the approved budgets of the institutions
p.000013: concerned and the provisions of the Federal Budget and Fiscal Responsibility Law.
p.000013:
p.000013: EIGHT. The Expenditure Budget of the Federation for Fiscal Year 2011 includes items deemed sufficient for the proper
p.000013: functioning of the Federal Institute for Access to Information and Data Protection with respect to this Law.
p.000013:
p.000013: ARTICLE TWO. Article 3 sections II and VII, and Article 33, as well as the title of Chapter II of Title II of the
p.000013: Federal Law on Transparency and Access to Public Government Information are amended, to read as follows:
p.000013:
p.000013: Article 3. For purposes of this Law, the following definitions will apply:
p.000013:
p.000013: I…
p.000013:
p.000013: II. Personal data: Any information concerning an identified or identifiable individual.
p.000013:
p.000013: III to VI…
p.000013:
p.000013: VII. Institute: The Federal Institute for Access to Information and Data Protection, established in Article 33 of this
p.000013: Law;
p.000013:
p.000013: VIII to XV…
p.000013:
p.000013: CHAPTER II
p.000013: The Institute
p.000013:
p.000013: Article 33. The Institute is a body of the Federal Public Administration, with operational, budgetary and
p.000013: decision-making autonomy, responsible for promoting and disseminating information regarding the exercise of the right
p.000013: to information, resolving on refusal of information access requests, and protecting personal data held by agencies and
p.000013: entities.
p.000013:
p.000013:
p.000013: TRANSITORY PROVISIONS
p.000013:
p.000013: SOLE PROVISION. This Decree will take effect on the day following its publication in the Federal Official Gazette.
p.000013:
p.000013: Mexico City, April 27, 2010. Deputy Francisco Javier Ramirez Acuña, Chair. Sen. Carlos Navarrete Ruiz,
p.000013: Chair. Deputy Georgina Trujillo Zentella, Secretary. Sen. Renán Cleominio Zoreda Novelo, Secretary.
p.000013: Signatures."
p.000013: Pursuant to the provisions of Section I of Article 89 of the Constitution of the United Mexican States, and for its due
p.000013: publication and observance, I issue this Decree at the Residence of the Federal Executive in Mexico City, Federal
p.000013: District, on June Twenty-Eighth, Two Thousand and Ten. Felipe de Jesús Calderón Hinojosa.- Signature.
...
General/Other / Relationship to Authority
Searching for indicator authority:
p.000003: mechanism established for such a purpose.
p.000003:
p.000003: Databases containing sensitive personal data may not be created without justification of their creation for purposes
p.000003: that are legitimate, concrete and consistent with the explicit objectives or activities pursued by the regulated party.
p.000003:
p.000003: Article 10. Consent for processing of personal data will not be necessary where:
p.000003:
p.000003: I. Any Law so provides;
p.000003: II. The data is contained in publicly available sources;
p.000003: III. The personal data is subject to a prior dissociation procedure;
p.000003: IV. It has the purpose of fulfilling obligations under a legal relationship between the data owner and the
p.000003: data controller;
p.000003: V. There is an emergency situation that could potentially harm an individual in his person or property;
p.000003: VI. It is essential for medical attention, prevention, diagnosis, health care delivery, medical treatment or
p.000003: health services management, where the data owner is unable to give consent in the terms established by
p.000003: the General Health Law and other applicable laws, and said processing of data is carried out by a person subject to a
p.000003: duty of professional secrecy or an equivalent obligation, or
p.000003: VII. A resolution is issued by a competent authority.
p.000003:
p.000003: Article 11. The data controller shall ensure that personal data contained in databases is relevant, correct and
p.000003: up-to-date for the purposes for which it has been collected.
p.000003:
p.000003: When the personal data is no longer necessary for the fulfillment of the objectives set forth in the privacy notice and
p.000003: applicable law, it must be cancelled.
p.000003:
p.000003: The controller of the database will be required to remove information relating to nonperformance of
p.000003: contractual obligations, after a period of seventy-two months counted from the calendar day on which
p.000003: said nonperformance arose.
p.000003:
p.000003: Article 12. Processing of personal data must be limited to fulfillment of the purposes set out in the privacy notice.
p.000003: If the data controller intends to process data for another purpose which is not compatible or analogous to the purposes
p.000003: set out in the privacy notice, the data owner's consent must be obtained again.
p.000003:
p.000003: Article 13. Processing of personal data will be done as necessary, appropriate and relevant with relation to the
p.000003: purposes set out in the privacy notice. In particular, for sensitive personal data, the data controller must make
p.000003: reasonable efforts to limit the processing period thereof to the minimum required.
p.000003:
p.000003: Article 14. The data controller shall ensure compliance with the personal data protection principles
p.000003: established by this Law, and shall adopt all necessary measures for their application. The foregoing will apply even
...
p.000005:
p.000005: Article 33. The obligation to provide access to information will be fulfilled when the personal data is made
p.000005: available to the data owner; or, by issuing uncertified copies, electronic documents or any other means
p.000005: established by the data controller in the privacy notice.
p.000005:
p.000005: In the event that the data owner requests access to data from a person or entity who he presumes is the data controller
p.000005: and said person or entity proves not to be such, it will be sufficient for said person or entity to so indicate to the
p.000005: data owner by any of the means referred to in the preceding paragraph, for the request to be considered properly
p.000005: fulfilled.
p.000005:
p.000005: Article 34. The data controller may deny access to personal data or refuse the rectification, cancellation or objection
p.000005: with relation thereto in the following cases:
p.000005:
p.000005: I. Where the requesting party is not the subject of the personal data, or the legal representative is not
p.000005: duly accredited for such purposes;
p.000005: II. Where the requesting party's personal data is not found in the data controller's database;
p.000005: III. Where the rights of a third party are adversely affected;
p.000005: IV. Where there is any legal impediment, or decision of a competent authority, restricting access to the
p.000005: personal data or not allowing the rectification, cancellation or objection with relation thereto, and
p.000005: V. Where the rectification, cancellation or objection has been previously performed.
p.000005:
p.000005: The refusal referred to in this article may be partial, in which case the data controller will carry out the
p.000005: access, rectification, cancellation or objection requested by the data owner.
p.000005:
p.000005: In all of the aforementioned cases, the data controller must notify the data owner, or, as appropriate, his legal
p.000005: representative, of its decision and the reason for such decision, within the periods established for such purposes, via
p.000005: the same means by which the request was made, attaching, where appropriate, any relevant evidence.
p.000005:
p.000005: Article 35. The action of providing personal data will be free, and the data owner must only pay justified expenses of
p.000005: shipping or the cost of copying or providing data in other formats.
p.000005:
p.000005: This right will be exercised by the data owner free of charge, upon proof of his identity to the
p.000005: data controller. However, if the same person repeats his request within a period of twelve months, costs will not be
p.000005: greater than three days of the General Current Minimum Wage in Mexico City, unless there are material
p.000005: changes to the privacy notice that prompt new queries.
p.000005:
p.000005: The data owner may file a data protection request due to the response received or lack of response from the data
p.000005: controller, in accordance with the provisions of the following Chapter.
p.000005:
p.000005: CHAPTER V
...
p.000011: III. Fraudulently declaring the inexistence of personal data where such exists in whole or in part in the
p.000011: databases of the data controller;
p.000011: IV. Processing personal data in violation of the principles established in this Law;
p.000011: V. Omitting, in the privacy notice, any or all of the items referred to in Article 16 of this Law;
p.000011: VI. Maintaining inaccurate personal data when such action is attributable to the data controller, or failing
p.000011: to perform legally due rectifications or cancellations where the data owner's rights are affected;
p.000011: VII. Failure to comply with the notice referred to in section I of Article 64;
p.000011: VIII. Breaching the duty of confidentiality established in Article 21 of this Law;
p.000011: IX. Materially changing the original data processing purpose, without observing the provisions of
p.000011: Article 12;
p.000011: X. Transferring data to third parties without providing them with the privacy notice containing
p.000011: the limitations to which the data owner has conditioned data disclosure;
p.000011: XI. Compromising the security of databases, sites, programs or equipment, where attributable to the data
p.000011: controller;
p.000011: XII. Carrying out the transfer or assignment of personal data outside of the cases where it is
p.000011: permitted under this Law;
p.000011: XIII. Collecting or transferring personal data without the express consent of the data owner, in
p.000011: the cases where this is required;
p.000011: XIV. Obstructing verification actions of the authority;
p.000011: XV. Collecting data in a deceptive and fraudulent manner;
p.000011: XVI. Continuing with the illegitimate use of personal data when the Institute or the data owners have requested
p.000011: such use be ended;
p.000011: XVII. Processing personal data in a way that affects or impedes the exercise of the rights of access,
p.000011: rectification, cancellation and objection set forth in Article 16 of the Political Constitution of the United Mexican
p.000011: States;
p.000011: XVIII. Creating databases in violation of the provisions of Article 9, second paragraph, of this Law, and
p.000011: XIX. Any breach by the data controller of the obligations pertaining thereto as established in the
p.000011: provisions of this Law.
p.000011:
p.000011: Article 64. Violations of this Law will be punished by the Institute as follows:
p.000011:
p.000011: I. A warning instructing the data controller to carry out the actions requested by the data owner, under
p.000011: the terms established by this Law, in the cases described in section I of the preceding article;
p.000011: II. A fine from 100 to 160,000 days of the Mexico City minimum wage, in the cases described in sections II to
p.000011: VII of the preceding article;
p.000011: III. A fine from 200 to 320,000 days of the Mexico City minimum wage, in the cases described in sections VIII
p.000011: to XVIII of the preceding article; and
p.000011: IV. In the event of repeated occurrences of the violations described in the preceding paragraphs, an
...
Orphaned Trigger Words
p.000003:
p.000003: Article 4. The principles and rights under this Law will have, as a limit with regard to their observance and exercise,
p.000003: protection of national security, public order, health and safety as well as the rights of third parties.
p.000003:
p.000003: Article 5. Where not expressly provided in this Law, the provisions of the Federal Code of Civil Procedure and the
p.000003: Federal Administrative Procedure Law will apply supplementarily.
p.000003:
p.000003: For the substantiation of rights protection, verification and penalty procedures, the provisions contained in the
p.000003: Federal Administrative Procedure Law will be observed.
p.000003:
p.000003: CHAPTER II
p.000003: Principles of Personal Data Protection
p.000003:
p.000003: Article 6. Data controllers must adhere to the principles of legality, consent, notice, quality, purpose,
p.000003: fidelity, proportionality and accountability under the Law.
p.000003:
p.000003: Article 7. Personal data must be collected and processed in a lawful manner in accordance with the
p.000003: provisions established by this Law and other applicable regulations.
p.000003:
p.000003: Personal data must not be obtained through deceptive or fraudulent means.
p.000003:
p.000003: In all processing of personal data, it is presumed that there is a reasonable expectation of privacy,
p.000003: understood as the trust any one person places in another for personal data provided to be treated pursuant to any
p.000003: agreement of the parties in the terms established by this Law.
p.000003:
p.000003: Article 8. All processing of personal data will be subject to the consent of the data owner except as
p.000003: otherwise provided by this Law.
p.000003:
p.000003: Consent will be express when such is communicated verbally, in writing, by electronic or optical means or via any other
p.000003: technology, or by unmistakable indications.
p.000003:
p.000003: It will be understood that the data owner tacitly consents to the processing of his data when, once the privacy
p.000003: notice has been made available to him, he does not express objection.
p.000003:
p.000003: Financial or asset data will require the express consent of the data owner, except as provided in Articles 10 and 37 of
p.000003: this Law.
p.000003:
p.000003: Consent may be revoked at any time without retroactive effects being attributed thereto. For revocation of consent,
p.000003: the data controller must, in the privacy notice, establish the mechanisms and procedures for such action.
p.000003:
p.000003: Article 9. In the case of sensitive personal data, the data controller must obtain express written consent from the
p.000003: data owner for processing, through said data owner's signature, electronic signature, or any authentication
p.000003: mechanism established for such a purpose.
p.000003:
...
p.000007: VI. Where the transfer is necessary for the recognition, exercise or defense of a right in a judicial
p.000007: proceeding, and
p.000007: VII. Where the transfer is necessary to maintain or fulfill a legal relationship between the data
p.000007: controller and the data owner.
p.000007:
p.000007: CHAPTER VI AUTHORITIES
p.000007:
p.000007: SECTION I
p.000007: The Institute
p.000007:
p.000007: Article 38. The Institute, for the purposes of this Law, will have the purpose of disseminating information on the
p.000007: right to personal data protection in Mexican society, promoting its exercise, and overseeing the due
p.000007: observance of the provisions of this Law and those arising herefrom; particularly those related to the fulfillment of
p.000007: obligations by the parties regulated by this Law.
p.000007:
p.000007: Article 39. The Institute has the following responsibilities:
p.000007:
p.000007: I. To oversee and verify compliance with the provisions of this Law, within the scope of its
p.000007: competence, with the exceptions provided by the law;
p.000007: II. To interpret this Law in the administrative system;
p.000007: III. To provide technical support to the data controllers who so request for fulfillment of the
p.000007: obligations established by this Law;
p.000007: IV. To issue opinions and recommendations in accordance with the applicable provisions of this Law, for
p.000007: purposes of its functions and operation;
p.000007: V. To disseminate international best practices and standards for information security, in view of the nature
p.000007: of the data, the processing purposes, and the technical and financial capacity of the data controller.
p.000007: VI. Hear and issue decisions in rights protection and verification procedures as set forth in this Law, and
p.000007: impose penalties as appropriate;
p.000007: VII. Cooperate with other domestic and international bodies and supervisory authorities, in order to assist in
p.000007: the area of data protection;
p.000007: VIII. Submit an annual activity report to the Mexican Congress;
p.000007: IX. Participate in international forums in the area of this Law;
p.000007: X. Carry out studies of the impact on privacy prior to the implementation of new types of processing of
p.000007: personal data or material modification of existing types of processing;
p.000007: XI. Develop, promote and disseminate analyses, studies and research in the area of protection of personal data
p.000007: held by third parties and provide training to the obligated parties, and
p.000007: XII. Any other responsibilities under this Law and other applicable laws.
p.000007:
p.000007: SECTION II
p.000007: Regulatory Authorities
p.000007:
p.000007: Article 40. This Law will constitute the regulatory framework to be observed by agencies, in the areas of their
p.000007: respective responsibilities, for issuance of appropriate regulations, with the cooperation of the Institute.
p.000007:
p.000007: Article 41. The Ministry, for purposes of this Law, will have the function of disseminating information on obligations
p.000007: relating to the protection of personal data to domestic private enterprise and international private enterprise with
p.000007: business activity in Mexico; it will promote best business practices around protection of personal data as
p.000007: an input for the digital economy, and national economic development as a whole.
p.000007:
p.000007: Article 42. With regard to business databases, the regulations issued by the Ministry will apply only to
p.000007: databases that are automated or are part of an automation process.
p.000007:
p.000007: Article 43. The Ministry has the following responsibilities:
p.000007:
p.000007: I. To disseminate information regarding the protection of personal data in the business world;
p.000007: II. To promote good business practices in the area of personal data protection;
p.000007: III. To issue the relevant guidelines for the content and scope of privacy notices in cooperation with the
p.000007: Institute referred to in this Law;
p.000007: IV. To issue, within the scope of its competence, the general administrative provisions referred to in Article
p.000007: 40, in cooperation with the Institute;
p.000007: V. To establish the necessary parameters for the proper development of the self-regulatory
p.000007: mechanisms and measures referred to in Article 44 of this Law, including the promotion of Mexican
p.000007: Standards and Official Mexican Standards, in cooperation with the Institute;
p.000007: VI. To maintain consumer registries in the area of personal data and verify their proper operation;
p.000007: VII. To execute agreements with chambers of commerce, associations and business organizations in general, in
p.000007: the area of personal data protection;
p.000007: VIII. To design and implement policies and coordinate studies for the modernization and efficient
p.000007: operation of electronic commerce, as well as to promote the development of the digital economy and information
p.000007: technologies in the area of personal data protection;
p.000007: IX. To participate in domestic and international trade forums in the area of personal data protection, or in
p.000007: events of a commercial nature, and
p.000007: X. Support events that contribute to increased awareness on personal data protection.
p.000007:
p.000007: Article 44. Individuals or legal entities may establish agreements amongst themselves and with domestic or foreign
p.000007: civil or governmental organizations on self-regulatory schemes on the subject, complementing the provisions of this
p.000007: Law. Such schemes must include mechanisms to measure their effectiveness in protecting data, consequences and effective
p.000007: corrective measures in the case of nonfulfillment.
p.000007:
p.000007: Self-regulatory schemes may be translated into codes of ethics or good professional practice, trust seals or other
p.000007: mechanisms, and will contain specific rules or standards enabling harmonization of data processing performed by
p.000007: adherents and facilitation of the exercise of data owners' rights. Notification of such schemes will be made
p.000007: simultaneously to the relevant sectoral authorities and the Institute.
p.000007:
p.000007: CHAPTER VII
p.000007: Rights Protection Procedure
p.000007:
p.000007: Article 45. The procedure will be initiated by request from the data owner or his legal representative,
p.000007: clearly stating the content of his claim and the provisions of this Law deemed violated. The data protection request
p.000007: must be submitted to the Institute within fifteen days from the date on which the response from the data controller is
p.000007: communicated to the data owner.
p.000007:
p.000007: In the event that the data owner does not receive a response from the data controller, the data protection request may
p.000007: be filed after the deadline for the data controller response has passed. In this case, it will be
...
Appendix
Indicator List
Indicator | Vulnerability |
access | Access to Social Goods |
access to information | Access to information |
age | Age |
authority | Relationship to Authority |
autonomy | Impaired Autonomy |
criminal | criminal |
emergency situation | patients in emergency situations |
ethnic | Ethnicity |
parent | parents |
party | political affiliation |
political | political affiliation |
property | Property Ownership |
racial | Racial Minority |
religious | Religion |
sexual preference | LGBTQ+ Status |
single | Marital Status |
union | Trade Union Membership |
unlawful | Illegal Activity |
Indicator Peers (Indicators in Same Vulnerability)
Indicator | Peers |
party | ['political'] |
political | ['party'] |
Trigger Words
capacity
consent
ethics
harm
justice
protect
protection
risk
self-determination
sensitive
Applicable Type / Vulnerability / Indicator Overlay for this Input