Data Protection Act

Casanueva Pérez, S.A.P.I. de C.V., subsidiarias y filiales (Grupo CP)

On July 5, 2010 the Decree enacting the Federal Law for Protection of Personal Data in Possession of Private Parties was published in the Official Gazette of the Federation, which is intended to protect personal data in the possession of individuals, with the purpose of regulating its legitimate, controlled, and informed processing in order to ensure the privacy and the right to informational self-determination of the people.

In its second article, the Law states that private individuals or companies that process personal data are subject to this Law with the exception of: (I) the credit information companies regulated by the Law for the Regulation of Credit Information Companies and other applicable provisions; and (ii) individuals carrying out the collection and storage of personal data destined for personal use only, and with no disclosure or commercial use purposes.

It is important to consider that the data protected by Law is personal data and sensitive personal data. Personal data is understood as any information relating to an identified or identifiable individual. Sensitive personal data is understood as the personal data that affects the most intimate sphere of its owner, or whose misuse can give rise to discrimination or involve a serious risk thereto. For example, data that may reveal aspects such as racial or ethnic origin, present and future states of health, genetic information, religious, philosophical and moral beliefs, trade union membership, political views, and sexual preference.

Notices and Rights

The Law provides that in order to collect and process personal data it will be necessary to provide, physically, electronically, or in any other format (the "Privacy Notice") a document generated by companies and made available to owners prior to the processing of their personal data, which must contain at least the following information: the identity and address of the company that collects and processes personal information:

  • The purpose of processing the data.
  • The options and means offered by the responsible party to holders to limit the use or disclosure of data.
  • The means to exercise rights of access, rectification, cancellation, and objection ( "ARCO Rights" ).
  • Data transfers carried out.
  • The procedure and means by which the company shall notify the holders of changes to the Privacy Notice.

In other words, companies must prepare the Privacy Notice and make it available to the holder, through printed, digital, visual, or audio formats or any other technology, so that the holder may express his/her consent to his/her personal data being or continue being used, disclosed, and, where appropriate, transferred.

Security Measures

The Law provides that all persons responsible for processing personal data must establish and maintain administrative, technical, and physical security measures to protect personal data, which must be consistent to the degree of confidentiality of the personal data in question. Likewise, the company must appoint a person or department who will process personal data requests from holders and will promote the protection of personal data within the organization.

With regard to the transfer of data to third parties, the Law provides that any responsible party who intends to transfer personal data to national or foreign third parties must notify these individuals of the Privacy Notice and the purposes to which the owner subjected its processing. Likewise, the Law states that the Privacy Notice will contain a clause indicating whether or not the holder accepts the transfer of his/her data and third party recipient shall subject to the same obligations that correspond to the responsible party who disclosed the data.

Sanctions

Finally, chapter X of the Law indicates breaches and their penalties, establishing a maximum penalty of up to the equivalent of 200 to 320,000 days of the current minimum wage in the Federal District.

And, in the event of repeated infractions, the party responsible may be subject to an additional fine of 100 to 320,000 days of the current minimum wage in the Federal District and, in certain cases, to prison.

Application in Grupo CP

Grupo CP, while searching for the best service for our customers, carried out a diagnostic program in conjunction with our consultants for the development of the Data Privacy Program. During the assessment, an evaluation of the level of compliance with the different strategic business units was carried out through risk analysis relating to the privacy of personal data in compliance with the LFPDPPP and Generally Accepted International Privacy Principles. Points were identified for improvement and alternatives were also defined for its closure, establishing the efforts and resources required to supplement the Data Privacy Program and give priority to the actions in accordance with the dates established by the Law.

As required by Law, a program to be completed in stages was designed, taking into account the published commitment dates and including the following activities:

  • The Head of Personal Data was appointed
  • Privacy Notices were prepared for holders of personal data
  • We are updating contracts under which we receive and send personal data to third parties
  • We continually update our policies and procedures in compliance with the LFPDPPP and other applicable Official Privacy laws at Grupo CP

Grupo CP through its Board of Directors, appointed Cecilia Hernández Romo as its Privacy Official responsible for managing data in compliance with the established regulations.

In order to discuss any issue related to this new Law please contact our Privacy Officer at leyproteccion@grupocp.mx or at our offices located on Avenida President Masaryk 111, 5th floor, Colonia Polanco, C. P. 11570, Mexico, D. F.

Grupo CP Privacy Notices

We are sending our customers the necessary documents in order to assume the obligations derived from this new law for the protection and care of the personal data entrusted to us and especially to abide by the terms and conditions of the privacy notices which are submitted to their Officers and employees.

Storage of Personal Data at Grupo CP

Grupo CP keeps its personal data in a database located in a data center equipped under the latest safety standards, supported by global certifications that underpin the correct management of information in order to ensure information remains confidential.

Press Release

Grupo CP sent out a press release in a nationally circulated newspaper on July 7, 2011, announcing the adoption of a Data Privacy Program aligned to the new Federal Law on Protection of Personal Data by maintaining safety policies and procedures that guarantee the privacy and security of the information.PDF

A second press release in a national newspaper was also published on October 10, 2011 as a compensatory measure to standardize databases in use before the Law entered into effect.PDF

Federal Institute of Access to Information and Protection of Data

The agency authorized to monitor the implementation of the law is the Federal Institute for Access to Public Information and Data Protection ( "IFAI" ).

On December 21, 2011 the regulation of the Federal Law on the Protection of Personal Data in Possession of Private Parties was published in the Official Gazette of the Federation, which details the rights and obligations provided for in the LFPDPPP, also establishing verification and sanctioning procedures.PDF

Up to this date, the agency has issued a practical guide to creating privacy notices on its web page: www.ifai.gob.mx.

Reasinter
English version
Acerca de Grupo CP
Presencia
Empresas
Filosofía
Contacto
Avisos de Privacidad
foot