February 15, 2017
General Law on the Protection of Personal Data in Possession of Responsible Parties
On January 26, 2017, the General Law on the Protection of Personal Data in Possession of Responsible Parties (LGPDPPSO by its Spanish acronym) was published in the Official Daily Gazette. The most important aspects of this law are highlighted below:
- Responsible parties, in the federal sector, include any authority, entity, organ or body of the Executive, Legislative and Judicial Branches of Government, autonomous agencies, political parties, public trusts or funds, as well as unions and any individual or legal entity that receives or manages public resources or carries out acts of authority at the federal, state or municipal level.
- The object of the law, among other things, is to establish minimum standards for regulating the treatment of personal data and for exercising the rights of Access, Correction, Cancellation and Opposition (“ACCO”).
- It incorporates concepts such as the impact assessment on personal data protection, meaning a document through which responsible parties who intend to adopt or amend public policies, programs, IT systems or platforms involving the intensive or relevant treatment of personal data shall assess the actual impact of that treatment on personal data.
- Treatment is understood to be intensive or relevant when there are risks inherent to the personal data to be processed, when sensitive personal data are processed, or when personal data transfers are made or intended.
- The Federal Code of Civil Procedures and the Federal Law of Administrative Procedure apply by extension.
- The law incorporates various aspects contained in the Federal Law on the Protection of Personal Data in Possession of Private Parties, such as: (i) the principles of legal entitlement, intent, integrity, consent, capacity, proportionality, information and liability in the treatment of personal data; (ii) express written consent for the treatment of sensitive personal data; (iii) a summarized or comprehensive privacy notice; (iv) administrative, physical and technical measures for the protection of personal data; (v) internal policies governing the handling and management of personal data; (vi) an inventory of personal data and processing systems; (vii) a risk and breach analysis; (viii) a data management system; (ix) corrective and preventive actions whenever security vulnerabilities are discovered; (x) simple procedures for exercising ACCO rights; (xi) the relationship and liability between responsible parties shall be formalized in a contract; (xii) any data transfer shall be subject to the consent of the owner of such data, except where the law provides otherwise.
- Private communications are inviolable. Only the federal judicial authority, at the request of a federal authority empowered by law or of the head of the Public Ministry of the corresponding federal entity, may authorize the interception of any private communication.
- Databases owned by security, procurement and administrative justice authorities shall establish high-level security measures to ensure the integrity, availability and confidentiality of information.
- The owner of personal data or its representative may file a review appeal or appeal of non-compliance with the National Institute for Transparency, Access to Information and Data Protection (INAI by its Spanish acronym), or the guarantor bodies, as appropriate, or before the Transparency Unit.
- Photographic images, electronic pages, writings and other elements supported by scientific and technological findings, among others, are admitted as evidence.
- The law provides for a conciliation procedure once the review appeal is admitted. If the parties reach an agreement, it has binding effect and the review appeal filed to that effect is left without effect.
- In the event of probable liability for non-compliance with legal obligations, notice shall be given to the internal control body or the competent authority so that it may initiate, where appropriate, the corresponding liability proceedings.
- The INAI may assert jurisdiction to hear review appeals pending judgment in matters of personal data protection that are of particular merit, interest or significance.
- The resolutions of the INAI are final and not subject to challenge by the guarantor body or by the responsible parties that are the subject of the proceeding.
- Private parties may challenge the INAI's resolutions before the Judicial Branch of the Federation.
- Only the Legal Adviser of the Government may file an appeal for review in the matter of national security before the Supreme Court of Justice of the Nation, in the event that the INAI’s resolution were to endanger national security.
- The INAI or the guarantor agencies may apply the following sanctions to ensure compliance with their resolutions: (i) a public reprimand, or (ii) a fine of one hundred fifty to one thousand times the daily value of the “Sanctions Schedule” index (currently $75.49).
- Non-compliance by Responsible Parties shall be published on the transparency portals and channels of the INAI and the guarantor agencies, and considered in their assessment of said Responsible Parties.
- In determining such sanctions, the following shall be considered: (i) the severity of the non-compliance; (ii) the economic condition of the offender; and (iii) recidivism.
- Among the causes of sanctions are: (i) acting with negligence, intent or bad faith when processing applications to exercise ACCO rights; (ii) intentionally treating personal data in violation of the principles of the law; (iii) failing to issue a privacy notice, or omitting elements required by the law; (iv) classifying as confidential, with intent or negligence, personal data that do not meet the criteria set out in the applicable law; (v) breaching the duty of confidentiality; (vi) transferring personal data in contravention of legal provisions. Where the alleged infringement is committed by a member of a political party, the investigation and, if applicable, the sanction shall be the responsibility of the competent electoral authority. Economic sanctions may not be paid with public resources.
- Whenever the alleged offender is a public official, the INAI or the guarantor body shall submit to the competent authority, together with the complaint, a file containing the evidence supporting the alleged liability.
- In the event of non-compliance by the political parties, the INAI or guarantor body shall give notice to the National Electoral Institute.
- The Federal Law on Transparency and Access to Public Information, other federal laws, and laws in force in the Federal Entities regarding personal data protection, must be brought into compliance with the provisions set forth in the LGPDPPSO within six months, i.e., by July 27, 2017.
- The INAI and the guarantor bodies shall issue the Guidelines referred to in the LGPDPPSO no later than one year after its entry into force, i.e., by January 26, 2018.
- The National Personal Data Protection Program shall be issued no later than one year after entry into force, i.e., by January 26, 2018.
- Responsible Parties shall process, issue or modify their internal regulations within eighteen months of entry into force, i.e., by June 26, 2018.
This Law seeks to provide citizens with legal tools that allow them to set limits on actions by the authorities that could infringe the sphere of individual rights. In this specific case, it protects the right to self-determination over personal data, granting each individual in this country the liberty to decide how their personal data are used and where they go, while at all times enjoying the right to legitimately access, rectify, cancel or oppose certain processing of their personal data, as the law's explanatory memorandum indicates.
If you need additional information on this topic, please do not hesitate to contact us.