FEDERAL LAW FOR THE PROTECTION OF PERSONAL DATA IN THE POSSESSION OF INDIVIDUALS
New Law published in the Official Journal of the Federation on July 5, 2010
FELIPE DE JESUS CALDERÓN HINOJOSA, President of the United Mexican States, to its inhabitants be it known:
That the Honorable Congress of the Union has seen fit to address the following
"THE GENERAL CONGRESS OF THE MEXICAN UNITED STATES, DECREES:
THE FEDERAL LAW ON THE PROTECTION OF PERSONAL DATA HELD BY PRIVATE INDIVIDUALS AND ARTICLES 3, FRACTIONS II AND VII, AND 33, AS WELL AS THE TITLE OF CHAPTER II, SECOND TITLE, FEDERAL LAW ON TRANSPARENCY AND ACCESS TO GOVERNMENT PUBLIC INFORMATION.
ARTICLE FIRST. The Federal Law for the Protection of Personal Data in Possession of the Particular is issued.
FEDERAL LAW ON THE PROTECTION OF PERSONAL DATA HELD BY INDIVIDUALS
Article 1.- This Law is of public order and of general observance throughout the Republic and is intended to protect personal data in the possession of private individuals, in order to regulate their legitimate, controlled and informed treatment, so as to guarantee the privacy and the right to informational self-determination of persons.
Article 2.- Private parties, whether natural or legal persons of a private nature, who carry out the processing of personal data are subject to this Law, with the exception of:
I. The credit reporting companies in the cases covered by the Law to Regulate Credit Information Companies and other applicable provisions, and
II. People who carry out the collection and storage of personal data exclusively for personal use, and not for disclosure or commercial use.
Article 3.- For the purposes of this Law, the following definitions apply:
I. Privacy Notice: Physical, electronic or any other format document generated by the person responsible that is made available to the holder, prior to the processing of his personal data, in accordance with Article 15 of this Law.
II. Databases: The ordered set of personal data concerning a person identified or identifiable.
III. Locking: The identification and preservation of personal data once the purpose for which they were collected has been fulfilled, for the sole purpose of determining possible liability in relation to their treatment, up to the legal or contractual limitation period. During that period, the personal data may not be processed and the data shall be cancelled in the corresponding database.
IV. Consent: Manifestation of the will of the data holder by means of which the treatment of the same is performed.
V. Personal data: Any information concerning an identified or identifiable natural person.
VI. Sensitive personal data: Personal data that affect the most intimate sphere of the person, or whose misuse may give rise to discrimination or entail a serious risk to the person. In particular, data that can reveal aspects such as racial or ethnic origin, present and future health status, genetic information, religious, philosophical and moral beliefs, union membership, political opinions and sexual preference are considered sensitive.
VII. Days: Business days.
VIII. Dissociation: The procedure by which personal data cannot be associated with the holder or permit, by its structure, content or degree of disaggregation, the identification of the holder.
IX. Person in charge: The natural or legal person who alone or jointly with others processes personal data on behalf of the person responsible.
X. Public access source: Those databases whose query can be performed by any person, without further requirement than, if applicable, the payment of a consideration, in accordance with the provisions of the Regulation of this Law.
XI. Institute: Federal Institute for Access to Information and Data Protection, referred to in the Federal Law on Transparency and Access to Government Public Information.
XII. Law: Federal Law on the Protection of Personal Data in Possession of the Particular.
XIII. Regulation: The Regulation of the Federal Law on the Protection of Personal Data in Possession of the Particulars.
XIV. Responsible: Private natural or moral person who decides on the processing of personal data.
XV. Secretariat: Ministry of Economy.
XVI. Third party: The natural or moral person, national or foreign, other than the holder or the person responsible for the data.
XVII. Holder: The natural person to whom the personal data correspond.
XVIII. Treatment: obtaining, using, disclosing or storing personal data, by any means. Use encompasses any access, management, use, transfer, or disposition of personal data.
XIX. Transfer: Any communication of data made to a person other than the controller or processor.
Article 4.- The principles and rights provided for in this Law shall have as limits on their observance and exercise the protection of national security, public order, security and health, as well as the rights of third parties.
Article 5.- In the absence of any express provision in this Law, the provisions of the Federal Code of Civil Procedures and the Federal Law of Administrative Procedure shall apply on a supplementary basis.
For the substantiation of the procedures for the protection of rights, verification and imposition of sanctions, the provisions contained in the Federal Law of Administrative Procedure shall be observed.
Of Personal Data Protection Principles
Article 6.- Those responsible for the processing of personal data shall observe the principles of lawfulness, consent, information, quality, purpose, loyalty, proportionality and liability as provided for in the Act.
Article 7.- Personal data shall be collected and processed in a lawful manner in accordance with the provisions laid down in this Law and other applicable regulations.
Personal data shall not be obtained through deceptive or fraudulent means.
In all processing of personal data, it is presumed that there is a reasonable expectation of privacy, understood as the trust that any person places in another that the personal data provided between them will be processed in accordance with what the parties agreed, in the terms established by this Law.
Article 8.- Any processing of personal data shall be subject to the consent of its holder, except for the exceptions provided for in this Law.
Consent shall be express when the will is expressed verbally, in writing, by electronic or optical means or any other technology, or by unequivocal signs.
It is understood that the holder tacitly consents to the processing of his data when, the privacy notice having been made available to him, he does not express his opposition.
Financial or economic data shall require the express consent of the holder, except for the exceptions referred to in Articles 10 and 37 of this Law.
Consent may be revoked at any time without any retroactive effect. In order to revoke the consent, the person responsible must, in the privacy notice, establish the mechanisms and procedures for this.
Article 9.- In the case of sensitive personal data, the person responsible shall obtain the express and written consent of the holder for their treatment, through the holder's handwritten signature, electronic signature, or any authentication mechanism established for that purpose.
No databases containing sensitive personal data may be created unless their creation is justified for legitimate, concrete purposes consistent with the explicit activities or purposes pursued by the regulated subject.
Article 10.- No consent will be required for the processing of personal data when:
I. It is provided for in a Law;
II. The data is displayed in public access sources;
III. Personal data is subject to a prior dissociation procedure;
IV. It has the purpose of fulfilling obligations arising from a legal relationship between the holder and the person responsible;
V. There is an emergency situation that could potentially harm an individual in his/her person or property;
VI. They are indispensable for medical care, prevention, diagnosis, the provision of health care, medical treatment or the management of health services, while the holder is not in a position to grant consent, in the terms established by the General Health Law and other applicable legal provisions, and such data processing is carried out by a person subject to professional secrecy or an equivalent obligation, or
VII. A resolution is issued by a competent authority.
Article 11.- The person responsible shall ensure that the personal data contained in the databases are relevant, correct and up to date for the purposes for which they were collected.
When personal data have ceased to be necessary for the fulfilment of the purposes provided for by the privacy notice and the applicable legal provisions, they must be cancelled.
The person responsible for the database will be obliged to remove the information regarding non-compliance with contractual obligations once a period of seventy-two months has elapsed, counted from the calendar date on which the said non-compliance occurs.
Article 12.- The processing of personal data shall be limited to the fulfillment of the purposes provided for in the privacy notice. If the controller intends to treat the data for a different purpose that is not compatible or analogous to the purposes set out in the privacy notice, the consent of the holder shall be obtained again.
Article 13.- The processing of personal data shall be that which is necessary, appropriate and relevant in relation to the purposes set out in the privacy notice. In particular for sensitive personal data, the person responsible shall make reasonable efforts to limit the period of treatment of such personal data to the minimum essential.
Article 14.- The person responsible shall ensure compliance with the principles of protection of personal data established by this Law, necessary for its application. The above will apply even if this data is dealt with by a third party at the request of the person responsible. The person responsible shall take the necessary and sufficient measures to ensure that the privacy notice issued to the holder is respected at any time by him or by third parties with whom he or she has any legal relationship.
Article 15.- The person responsible will have the obligation to inform data holders of the information that is collected from them and for what purpose, through the privacy notice.
Article 16.- The privacy notice must contain at least the following information:
I. The identity and address of the person responsible who collects them;
II. The purposes of data processing;
III. The options and means that the controller gives to the holders to limit the use or disclosure of the data;
IV. The means to exercise the rights of access, rectification, cancellation or opposition, in accordance with the provisions of this Law;
V. Where applicable, the data transfers that are made, and
VI. The procedure and means by which the person responsible shall communicate to the holders changes to the privacy notice, as provided for in this Law.
In the case of sensitive personal data, the privacy notice must expressly state that the data are of this type.
Article 17.- The privacy notice must be made available to the holders through printed, digital, visual or sound formats, or any other technology, as follows:
I. When the personal data has been personally obtained from the holder, the notice of privacy shall be provided at the time when the data was collected clearly and reliably, through the formats by which it was collected, unless the notice had been provided in advance, and
II. When personal data is obtained directly from the holder by any electronic, optical, sound or visual means, or through any other technology, the person responsible shall immediately provide the holder with at least the information referred to in sections I and II of the previous article, as well as provide the mechanisms for the holder to know the full text of the notice of privacy.
Article 18.- When the data has not been obtained directly from the holder, the person responsible must make the change to the privacy notice known.
The preceding paragraph does not apply when the treatment is for historical, statistical or scientific purposes.
When it is impossible to disclose the privacy notice to the holder, or doing so demands disproportionate efforts in consideration of the number of holders or the age of the data, the person responsible may, subject to the approval of the Institute, implement compensatory measures in terms of the Regulation of this Law.
Article 19.- Any person responsible for processing personal data shall establish and maintain administrative, technical and physical security measures to protect personal data against damage, loss, alteration, destruction or unauthorized use, access or treatment.
Those responsible shall not adopt security measures lesser than those they maintain for the handling of their information. Account shall also be taken of the existing risk, the possible consequences for the holders, the sensitivity of the data and technological development.
Article 20.- Security breaches occurring at any stage of treatment that significantly affect the economic or moral rights of the holders shall be reported immediately by the person responsible to the holder, so that the holder can take the corresponding measures to defend his rights.
Article 21.- The person responsible or third parties who are involved in any phase of the processing of personal data shall be required to keep such data confidential, an obligation which will remain after the end of their relations with the holder or, where appropriate, with the person responsible.
Of the Rights of Personal Data Holders
Article 22.- Any holder, or his legal representative, may exercise the rights of access, rectification, cancellation and opposition provided for in the Law. The exercise of any of them is not a prerequisite for, nor does it prevent, the exercise of another. Personal data must be stored in such a way as to permit the exercise without delay of these rights.
Article 23.- The holders have the right to access their personal data held by the person responsible, as well as to know the Privacy Notice to which their treatment is subject.
Article 24.- The data holder will have the right to rectify them when they are inaccurate or incomplete.
Article 25.- The holder will have at all times the right to cancel his or her personal data.
The cancellation of personal data will result in a period of blocking after which the data will be deleted. The person responsible may retain them exclusively for the purposes of the responsibilities arising from the treatment. The blocking period shall be equivalent to the limitation period for actions arising from the legal relationship which covers treatment under the terms of the applicable law.
Once the data are cancelled, notice shall be given to the holder.
When personal data has been transmitted prior to the date of rectification or cancellation and continues to be processed by third parties, the person responsible must bring the request for rectification or cancellation to their attention, so that they may carry it out as well.
Article 26.- The person responsible will not be required to cancel personal data when:
I. They relate to the parties to a private, social or administrative contract and are necessary for its development and compliance;
II. They must be processed by provision of law;
III. Cancellation would hinder judicial or administrative actions related to tax obligations, the investigation and prosecution of crimes or the updating of administrative sanctions;
IV. They are necessary to protect the legally protected interests of the holder;
V. They are necessary to perform an action based on the public interest;
VI. They are necessary to comply with an obligation legally acquired by the holder, and
VII. They are the subject of treatment for prevention or for medical diagnosis or management of health services, provided that such treatment is carried out by a health professional subject to a duty of secrecy.
Article 27.- The holder shall be entitled at all times and for legitimate reasons to oppose the processing of his data. If the opposition is found appropriate, the person responsible may not process the data relating to the holder.
Of the Exercise of the Rights of Access, Rectification, Cancellation and Opposition
Article 28.- The holder or his legal representative may ask the person responsible at any time for access, rectification, cancellation or opposition, in respect of the personal data that concern him.
Article 29.- The request for access, rectification, cancellation or opposition must contain and accompany the following:
I. The name of the holder and address or other means of communicating the response to his or her request;
II. Documents certifying the identity or, where applicable, the legal representation of the holder;
III. The clear and precise description of the personal data in respect of which the exercise of any of the above rights is sought, and
IV. Any other item or document that facilitates the location of the personal data.
Article 30.- Every person responsible must designate a person, or a personal data department, who will process the holders' requests for the exercise of the rights referred to in this Law. It will also encourage the protection of personal data within the organisation.
Article 31.- In the case of requests for the rectification of personal data, the holder shall indicate, in addition to the provisions of the previous article of this Law, the modifications to be made and provide the documentation supporting the request.
Article 32.- The person responsible shall communicate to the holder, within a maximum of 20 days counted from the date on which the request for access, rectification, cancellation or opposition was received, the determination adopted, so that, if appropriate, it becomes effective within 15 days of the date on which the reply is communicated. In the case of requests for access to personal data, delivery shall be carried out upon accreditation of the identity of the applicant or legal representative, as appropriate.
The deadlines referred to above may be extended once for an equal period, as long as the circumstances of the case warrant.
Article 33.- The obligation of access to the information shall be fulfilled when personal data are made available to the holder; or, by means of the dispatch of simple copies, electronic documents or any other means determined by the person responsible in the privacy notice.
In the event that the holder requests access to the data from a person who is presumed to be responsible and turns out not to be, it will be sufficient for that person to so inform the holder by any of the means referred to in the preceding paragraph, in order for the request to be considered fulfilled.
Article 34.- The person responsible may refuse access to the personal data, or refuse to make the rectification or cancellation or to grant the opposition to the treatment thereof, in the following cases:
I. When the applicant is not the holder of the personal data, or the legal representative is not properly accredited to do so;
II. When the applicant's personal data is not found in its database;
III. When the rights of a third party are injured;
IV. Where there is a legal impediment, or the resolution of a competent authority, that restrict access to personal data, or do not allow the rectification, cancellation or opposition thereof, and
V. When the rectification, cancellation or opposition has been previously performed.
The refusal referred to in this article may be partial, in which case the person responsible shall carry out the access, rectification, cancellation or opposition required by the holder.
In all the cases above, the person responsible must inform the holder or, where appropriate, the legal representative of the reason for his decision, within the time limits established for that purpose, by the same means by which the application was made, accompanied, where appropriate, by the relevant evidence.
Article 35.- The delivery of the personal data shall be free of charge, with the holder only covering the justified costs of shipping or the cost of reproduction in copies or other formats.
This right shall be exercised by the holder free of charge, upon accreditation of his or her identity to the person responsible. However, if the same person reiterates his or her application within a period of less than twelve months, the costs will not be greater than three days of the General Minimum Wage in the Federal District, unless substantial modifications are made to the notice of privacy to motivate new queries.
The holder may submit a request for data protection regarding the response received or the lack of response from the controller, in accordance with the provisions of the following Chapter.
Of Data Transfer
Article 36.- When the person responsible intends to transfer the personal data to national or foreign third parties, other than the person in charge, he/she must communicate to them the notice of privacy and the purposes to which the holder subjected their treatment.
The processing of the data shall be done in accordance with the terms of the privacy notice, which shall contain a clause indicating whether or not the holder accepts the transfer of his data; likewise, the third-party recipient shall assume the same obligations that correspond to the person responsible who transferred the data.
Article 37.- National or international data transfers may be carried out without the consent of the holder in any of the following cases:
I. When the transfer is provided for in a Law or Treaty to which Mexico is a party;
II. When the transfer is necessary for medical diagnosis or prevention, the provision of health care, medical treatment or the management of health services;
III. When the transfer is made to controlling companies, subsidiaries or affiliated under the common control of the controller, or to a parent company or any company in the same group of the controller operating under the same internal processes and policies;
IV. When the transfer is necessary by virtue of a contract entered into or to be entered into in the interest of the holder, by the person responsible and a third party;
V. When the transfer is necessary or legally required for the safeguarding of a public interest, or for the prosecution or administration of justice;
VI. When the transfer is necessary for the recognition, exercise or defense of a right in a judicial process, and
VII. When the transfer is necessary for the maintenance or compliance of a legal relationship between the person responsible and the holder.
Of the Institute
Article 38.- The Institute, for the purposes of this Law, shall aim to disseminate knowledge of the right to the protection of personal data in society, to promote its exercise and to monitor due observance of the provisions laid down in this Law and those deriving from it, in particular those related to the fulfilment of obligations by the subjects regulated by this order.
Article 39.- The Institute has the following attributions:
I. Monitor and verify compliance with the provisions contained in this Law, within the scope of its jurisdiction, with the exceptions provided for by the legislation;
II. Interpret the administrative scope of this Law;
III. Provide technical support to those responsible who request it, for compliance with the obligations laid down in this Law;
IV. Issue the criteria and recommendations, in accordance with the applicable provisions of this Law, for the purposes of its functioning and operation;
V. Disseminate international standards and best practices in the field of information security, in the light of the nature of the data, the purposes of processing, and the technical and economic capabilities of the controller;
VI. Hear and resolve the rights protection and verification procedures identified in this Law and impose sanctions as appropriate;
VII. Cooperate with other supervisory authorities and national and international bodies, for the purpose of contributing to data protection;
VIII. Give the Congress of the Union an annual report on its activities;
IX. Attend international forums within the scope of this Law;
X. Develop privacy impact studies prior to the implementation of a new mode of processing of personal data or substantial modifications to existing treatments;
XI. Develop, encourage and disseminate analyses, studies and research on the protection of personal data in Possession of the Particular and provide training to the obligated subjects, and
XII. Any others conferred on it by this Law and other applicable ordinances.
Of Regulatory Authorities
Article 40.- This Law shall constitute the normative framework that the agencies must observe, within the scope of their own powers, for the issuance of the appropriate regulation, with the assistance of the Institute.
Article 41.- The Secretariat, for the purposes of this Law, will have the function of disseminating knowledge of the obligations regarding the protection of personal data among national and international private enterprise with commercial activity in Mexican territory; it will promote the best commercial practices around the protection of personal data as an input of the digital economy and of national economic development as a whole.
Article 42.- As regards trading databases, the regulation issued by the Secretariat will only apply to those databases that are automated or part of an automation process.
Article 43.- The Secretariat has the following attributions:
I. Spread knowledge about the protection of personal data in the commercial field;
II. Promote good business practices in personal data protection;
III. Issue the corresponding guidelines for the content and scope of the privacy notices in collaboration with the Institute, as referred to in this Law;
IV. Issue, within the scope of its competence, the administrative provisions of a general character referred to in Article 40, with the assistance of the Institute;
V. Set the necessary parameters for the correct development of the mechanisms and self-regulatory measures referred to in Article 44 of this Law, including the promotion of Mexican Standards or Official Mexican Standards, in collaboration with the Institute;
VI. Carry out consumer records on personal data and verify its operation;
VII. Enter into agreements with chambers of commerce, associations and business organizations in general, in terms of the protection of personal data;
VIII. Design and implement policies and coordinate the development of studies for the efficient modernisation and operation of electronic commerce, as well as to promote the development of the digital economy and information technologies in the field of personal data protection;
IX. Attend national and international trade forums in the field of personal data protection, or those events of a commercial nature, and
X. Support the holding of events which contribute to the dissemination of the protection of personal data.
Article 44.- Natural or moral persons may agree with each other or with civil or governmental organizations, national or foreign, on binding self-regulation schemes in the field, supplementing the provisions of this Law. Such schemes shall contain mechanisms to measure their effectiveness in the protection of data, as well as consequences and effective corrective measures in the event of non-compliance.
Self-regulation schemes may take the form of codes of ethics or of good professional practice, trust seals or other mechanisms, and shall contain specific rules or standards to harmonise the processing of data carried out by their adherents and to facilitate the exercise of holders' rights. Such schemes shall be notified simultaneously to the relevant sectoral authorities and to the Institute.
The Rights Protection Procedure
Article 45.- The procedure shall be initiated at the request of the data holder or his legal representative, clearly stating the content of his claim and the provisions of this Law which are considered to be infringed. The application for data protection shall be submitted to the Institute within 15 days of the date on which the reply to the holder is communicated by the person responsible.
In the event that the data holder receives no response from the data controller, the data protection application may be submitted from the expiry of the deadline for the response by the person responsible. In this case, it shall be sufficient for the holder of the data to accompany his application for data protection with the document proving the date on which he submitted the application for access, rectification, cancellation or opposition.
The data protection application will also proceed on the same terms when the person responsible does not give the holder the requested personal data, or does so in an incomprehensible format, refuses to make modifications or corrections to the personal data, or the holder is not satisfied with the information delivered, considering that it is incomplete or does not correspond to the information requested.
Once the Institute has received the request for data protection, it shall be forwarded to the person responsible so that, within fifteen days, he may issue a reply, offer the evidence he considers relevant and state in writing what is appropriate to his right.
The Institute will admit the evidence it deems relevant and will proceed to examine it. It may also request from the person responsible any other evidence it deems necessary. Upon completion of the examination of the evidence, the Institute shall notify the person responsible of his right to present his pleadings, if he considers it necessary, within five days of notification.
For the due conduct of the procedure, the Institute will decide on the request for data protection once it has analysed the evidence and other elements of conviction it considers relevant, such as those arising from the hearing or hearings held with the parties.
The Regulation of the Law will establish the form, terms, and deadlines under which the rights protection procedure will be developed.
Article 46.- The request for data protection may be filed in free-form writing or through the formats or the electronic system that the Institute provides for that purpose, and shall contain the following information:
I. The name of the holder or, if applicable, that of his legal representative, as well as of the third party interested, if any;
II. The name of the controller to whom the request for access, rectification, cancellation or opposition of personal data was submitted;
III. Address for hearing and receiving notifications;
IV. The date on which the response of the person responsible was made known to him, unless the procedure starts on the basis of the provisions of Article 50;
V. The acts that motivate your data protection request, and
VI. Any other elements considered appropriate to bring to the attention of the Institute.
The form and terms in which the identity of the holder or the legal representation is to be accredited will be established in the Regulation.
The application for data protection must also be accompanied by the request and the response that is challenged or, where appropriate, the data that permit identification. In the case of non-response it will only be necessary to submit the application.
In the event that the request for data protection is filed through means other than electronic means, sufficient transfer copies must be accompanied.
Article 47.- The maximum time limit for issuing the resolution in the rights protection procedure shall be fifty days, counted from the date of submission of the data protection application. Where there is a justified cause, the Institute's plenary session may extend this period once, for an equal period.
Article 48.- If the rights protection resolution is favorable to the data holder, the person responsible will be required, within the ten days following the notification or, where justified, a longer period set by the resolution itself, to make the exercise of the rights under protection effective, and must give a written account of such compliance to the Institute within the next ten days.
Article 49.- In case the data protection application does not satisfy any of the requirements referred to in Article 46 of this Law, and the Institute does not have the elements to remedy it, the holder of the data shall be given notice, on a single occasion and within 20 working days following the submission of the application for data protection, to remedy the omissions within a period of five days. If the deadline passes without the notice having been complied with, the application for data protection shall be deemed not to have been submitted. The notice shall have the effect of interrupting the time limit the Institute has to resolve the data protection request.
Article 50.- The Institute will make up for deficiencies in the complaint in the cases that require it, as long as it does not alter the original content of the request for access, rectification, cancellation or opposition of personal data, or modify the facts or requests set out in it or in the application for data protection.
Article 51.- The Institute's resolutions may:
I. Dismiss or discard the data protection request as improper, or
II. Confirm, revoke, or modify the response of the person responsible.
Article 52.- The data protection request will be discarded as improper when:
I. The Institute is not competent;
II. The Institute has previously heard the data protection request against the same act and has definitively resolved it with respect to the same appellant;
III. Any appeal or means of defence filed by the holder that may have the effect of modifying or revoking the respective act is being processed before the competent courts;
IV. The data protection request is offensive or irrational, or
V. It is untimely.
Article 53.- The data protection request will be dismissed when:
I. The holder dies;
II. The holder expressly withdraws;
III. Once the request for data protection has been admitted, a ground for impropriety arises, and
IV. For any reason, the request is left without subject matter.
Article 54.- The Institute may at any time in the procedure seek a reconciliation between the data holder and the person responsible.
A reconciliation agreement between the two parties will be entered in writing and will have binding effects. The application for data protection shall be without matter and the Institute shall verify compliance with the respective agreement.
For the purposes of the reconciliation referred to in this order, the procedure laid down in the Rules of Procedure of this Law shall be followed.
Article 55.- Where the request for data protection is filed in response to the lack of response by the person responsible to an application exercising the rights of access, rectification, cancellation or opposition, the Institute shall give notice to the person responsible so that, within a period of not more than ten days, he/she can prove to have responded to the request in due time and form, or respond to it. In case the response addresses the request, the data protection application shall be deemed improper and the Institute shall be required to dismiss it.
In the second case, the Institute will issue its resolution based on the content of the original application and the answer of the person responsible referred to in the preceding paragraph.
If the resolution of the Institute referred to in the preceding paragraph determines that the application is well founded, the person responsible shall comply with it at no cost to the holder, and must cover all costs generated by the corresponding reproduction.
Article 56.- Against the resolutions of the Institute, individuals may bring a nullity action before the Federal Court of Justice and Administrative.
Article 57.- All the Institute's resolutions may be publicly disseminated in public versions, eliminating those references that identify the holder of the data or make the holder identifiable.
Article 58.- Holders who consider that they have suffered damage or injury to their property or rights as a result of non-compliance with the provisions of this Law by the person responsible or the person in charge may exercise the rights that they deem relevant for the purposes of the appropriate compensation, in terms of the corresponding legal provisions.
Of The Verification Procedure
Article 59.- The Institute shall verify the compliance with this Law and the regulations governing it. The verification may be initiated on its own initiative or at the request of a party.
The ex officio verification shall proceed when there is non-compliance with resolutions issued in the rights protection procedures referred to in the previous Chapter, or when the existence of violations of this Law is presumed on reasoned grounds.
Article 60.- In the verification procedure the Institute will have access to the information and documentation it deems necessary, in accordance with the resolution that motivates it.
Federal public servants will be required to keep confidentiality about the information they know derived from the corresponding verification.
The Regulation shall develop the form, terms and time-limits in which the procedure referred to in this Article shall be substantiated.
The Sanctions Imposition Procedure
Article 61.- If, in the course of the procedure for the protection of rights or the verification procedure carried out by the Institute, the Institute gains knowledge of an alleged breach of any of the principles or provisions of this Law, it shall initiate the procedure referred to in this Chapter, in order to determine the appropriate sanction.
Article 62.- The procedure for imposing sanctions will begin with the notification made by the Institute to the alleged infringer of the facts that prompted the initiation of the procedure, and will give him a 15-day term to submit evidence and state in writing what he deems appropriate to his rights. In the event of failure to submit evidence, the Institute shall decide in accordance with the elements of conviction available to it.
The Institute will admit the evidence it deems relevant and will proceed to take it. It may also request from the alleged infringer any other evidence it deems necessary. Upon completion of the taking of evidence, the Institute shall notify the alleged infringer of his right to present his pleadings, if he considers it necessary, within five days of his notification.
The Institute, once it has analysed the evidence and other elements of conviction it considers relevant, will issue a final resolution within fifty days of the date on which the sanctioning procedure was initiated. Such a decision shall be notified to the parties.
Where there is a justified cause, the Institute's plenary session may extend this period once, for an equal period of time.
The regulation will develop the form, terms and timing of the procedure for imposing sanctions, including the submission of evidence and allegations, the holding of hearings and the closing of the investigation.
Of Infractions and Sanctions
Article 63.- The following conduct carried out by the person responsible constitutes violations of this Law:
I. Failing to comply with the holder's request for access, rectification, cancellation or opposition to the processing of his personal data, without reason, in the terms provided for in this Law;
II. Act with negligence or intent in the processing and response of requests for access, rectification, cancellation or opposition of personal data;
III. Declare the non-existence of personal data that exist, in whole or in part, in the databases of the person responsible;
IV. To give treatment to personal data in contravention of the principles set out in this Law;
V. Omit in the privacy notice, any or all of the items referred to in Article 16 of this Act;
VI. To maintain inaccurate personal data when it is attributable to the person responsible, or not to make the corrections or cancellations of the same as legally applicable when the rights of the holders are affected;
VII. Failure to comply with the warning referred to in section I of Article 64;
VIII. Breach the duty of confidentiality set out in Article 21 of this Law;
IX. To substantially change the original purpose of processing the data, without observing the provisions of Article 12;
X. Transfer data to third parties without communicating to them the privacy notice containing the limitations to which the holder subjected their disclosure;
XI. To violate the security of databases, premises, programs or equipment, when it is attributable to the person responsible;
XII. Carry out the transfer or assignment of personal data, outside of the cases where it is permitted by law;
XIII. To collect or transfer personal data without the express consent of the holder, in cases where it is enforceable;
XIV. Obstructing the verification acts of the authority;
XV. Collect data in a misleading and fraudulent manner;
XVI. Continue the illegitimate use of personal data when its cessation has been requested by the Institute or the holders;
XVII. To process personal data in such a way as to affect or impede the exercise of the rights of access, rectification, cancellation and opposition established in Article 16 of the Political Constitution of the United Mexican States;
XVIII. Create databases in violation of the provisions of article 9, second paragraph of this Law, and
XIX. Any failure to comply with the obligations established in accordance with this Law.
Article 64.- Violations of this Law shall be sanctioned by the Institute with:
I. The warning for the person responsible to carry out the acts requested by the holder, in the terms provided for by this Law, in the cases provided for in section I of the previous article;
II. Fine of 100 to 160,000 days of minimum wage in force in the Federal District, in the cases provided for in fractions II to VII of the previous article;
III. Fine of 200 to 320,000 days of minimum wage in force in the Federal District, in the cases provided for in fractions VIII to XVIII of the previous article, and
IV. In case the violations cited in the previous sections persist, an additional fine will be imposed, ranging from 100 to 320,000 days of minimum wage in force in the Federal District. In the case of infringements committed in the processing of sensitive data, the penalties may be increased by up to twice the amounts established.
Article 65.- The Institute will establish and motivate its resolutions, considering:
I. The nature of the data;
II. The notorious refusal of the person responsible, to carry out the acts requested by the holder, in terms of this Law;
III. The intentional or unintentional nature of the action or omission constituting the infringement;
IV. The economic capacity of the person responsible, and
V. The recidivism.
Article 66.- The penalties provided for in this Chapter shall be imposed without prejudice to the resulting civil or criminal liability.
Of Crimes in the Matter of Undue Processing of Personal Data
Article 67.- months to three years of imprisonment will be imposed on whoever, being authorized to process personal data, for profit causes a security breach of the databases in their custody.
Article 68.- Imprisonment of six months to five years shall be imposed on whoever, in order to achieve undue profit, processes personal data by deception, taking advantage of the error in which the holder or the person authorised to transmit them finds himself.
Article 69.- In the case of sensitive personal data, the penalties referred to in this Chapter will be doubled.
FIRST.- This Decree shall enter into force on the day following that of its publication in the Official Journal of the Federation.
SECOND.- The Federal Executive will issue this Act's Rules of Procedure within the year following its entry into force.
THIRD.- The persons responsible shall designate the person or department of personal data referred to in Article 30 of the Law and issue their privacy notices to the holders of personal data in accordance with Articles 16 and 17 at the latest one year after the entry into force of this Law.
FOURTH.- The rightholders may exercise their rights of access, rectification, cancellation and opposition under Chapter IV of the Law before those responsible, as well as initiate, where appropriate, the procedure for the protection of rights set out in Chapter VII thereof, eighteen months after the entry into force of the Law.
FIFTH.- In compliance with the provisions of the third transitional article of the Decree by which the XXIX-O fraction is added to Article 73 of the Political Constitution of the United Mexican States, published in the Official Journal of the Federation on 30 April 2009, the local provisions on the protection of personal data in the possession of individuals are abrogated, and the other provisions that are contrary to this Law are repealed.
SIXTH.- References that, prior to the entry into force of this Decree, are made in the laws, treaties and international agreements, regulations and other orders to the Federal Institute for Access to Public Information will, in the future, be understood as references to the Federal Institute for Access to Information and Protection of Personal Data.
SEVENTH.- The actions that, in compliance with the provisions of the Federal Law on the Protection of Personal Data in the Possession of the Particulars, must be carried out by the Federal Executive will be subject to the approved budgets of the corresponding institutions and the provisions of the Federal Law of Budget and Accountability.
EIGHTH.- The Federation Budget for Fiscal Year 2011 will consider sufficient items for the proper functioning of the Federal Institute for Access to Information and Data Protection in the matters of this Law.
ARTICLE SECOND. ..........
ONLY.- This Decree shall enter into force on the day following that of its publication in the Official Journal of the Federation.
Mexico, D.F., on April 27, 2010.-Dip. Francisco Javier Ramírez Acuña, President.-Sen. Carlos Navarrete Ruiz, President.-Dip. Georgina Trujillo Zentella, Secretary.-Sen. Renan Cleominio Zoreda Novelo, Secretary.-Signatures."
In compliance with the provisions of Article 89 of the Political Constitution of the United Mexican States, and for its due publication and observance, I issue the present Decree in the Federal Executive Branch, in Mexico City, Federal District, on the twenty-eighth of June of two thousand ten.- Felipe de Jesús Calderón Hinojosa.-Signature.-The Secretary of Government, Lic. Fernando Francisco Gómez Mont Urueta.-Signature.