Do you know about Personal Data?
Personal Data is any information about a physical person that allows its owner to be identified. The law that regulates this subject is the Federal Law on Protection of Personal Information Held by Individuals (Ley Federal de Protección de Datos Personales en Posesión de los Particulares – LFPDPPP), which does not protect moral persons, but does protect the information collected from physical persons who work for organizations directly or indirectly.
There is also Sensitive Personal Data, which is information that could affect the most intimate sphere of its owner, or whose improper use could cause discrimination against the owner. These data may reveal aspects such as racial or ethnic origin, health status, genetic information, religious, philosophical and moral beliefs, union affiliation, political opinions and sexual preferences. They should be treated with more attention, which means first obtaining the owner's express written consent for their processing, through his handwritten or electronic signature.
Who must comply with the Federal Law on Protection of Personal Information Held by Individuals?
When performing operations in a real estate company, it is necessary to collect the Personal Data of countless people who take part in day-to-day operations.
The protection of Personal Data is a right recognized in Article 16 of the Political Constitution of the United States of Mexico, which grants the right exclusively to physical persons so that their Personal Data are treated in a lawful manner, guaranteeing adequate protection, their privacy and proper use, as established by the “Federal Law on Protection of Personal Information Held by Individuals”, which guarantees that this same exchange of data is carried out in a protected manner.
If you ask yourself whether you are required as a real estate agent to comply with the LFPDPPP, the answer is yes. Likewise, it does not matter what sector you are involved in: when collecting Personal Data from physical persons, you are responsible for this information and have the duty to give it adequate treatment.
Why should we comply with the Federal Law on Protection of Personal Information Held by Individuals?
The law establishes that there are certain sanctions for non-compliance, ranging from a warning, a fine or the initiation of the sanctions imposition procedure to imprisonment. For this reason, it is a matter that must be taken seriously.
A Real Estate Agency may directly request or collect the Personal Data of its clients for its use, disclosure and/or storage by any means, pointing out the purposes for which it will be used, with the prior consent of the owner. If the Real Estate Agent has the help of a third party in any phase of the processing of Personal Data, this third party should keep the data confidential, as well as request the consent of the owner.
Steps to comply with the LFPDPPP:
- First, you must have a Privacy Notice: a physical or electronic document, or one in any other format, generated by the responsible person, which must be made available to the owner prior to the processing of their Personal Data, in accordance with Article 15 of the LFPDPPP.
- Internal policies for protection of Personal Data must be established, so that all employees, and especially those who have an obligation to obtain, use, or store Personal Data in relation to their job, know the treatment that should be given. These policies should cover the security measures that must be taken by the person in charge and their attendants in managing the data, the use of the Personal Data request forms to obtain consent, the existence of the ARCO rights and how to request them, as well as the responsibilities and consequences of non-compliance.
- Prepare and use Personal Data Request Forms in order to obtain the consent of the owners and to inform them of the purpose for which their data will be used. This document serves as proof of good practices by the Real Estate. Also create ARCO Rights request forms, by means of which an individual can exercise control over their Personal Data through access, rectification, cancellation and opposition, rights which can only be exercised personally by the owner of the data or their legal representative, and finally a request form for doubts, complaints and suggestions. In order for these rights to be exercised, a physical address, an e-mail address and a contact number should be made available to the users of the website, where the owners can address themselves and be attended to promptly and clearly.
- Conduct evaluations of the staff of the Real Estate, in order to document the information the staff has, and verify whether it is sufficient or whether training on the subject is necessary.
- Carry out training in order to raise awareness among the staff of the proper use and confidentiality of the Personal Data granted to the person in charge.
- Appoint a supervisor and a department to carry out consecutive audits and reinforce the use of the established formats, compliance with the policies and regulations, and knowledge of the Privacy Notice, as well as its operation.
- Update your website, as data collection is not only related to the information obtained through telephone calls or face-to-face meetings, but also to the data collected through your web page.
- A cookie window must be created. Cookies are small pieces of information sent by a website and stored in the user’s browser, so that the website can consult the user's previous activity. Not everyone has them or has them activated, but your mission is to install a plugin to warn the visitors of your website that you use them and obtain their consent.
The requested data would be the following, which must be established in the Real Estate Privacy Notice:
Full name, address (street, external number, internal number, colony, zip code, state, delegation or municipality), telephone numbers, age, marital status, email, IDs, birth certificate, proof of address, Federal Taxpayers Registry, Tax Identification Card, ownership documents, Single Registry of Population Registration, Interbanking code, account number, banking institution to which the card belongs.
Can the Real Estate company share the information requested?
The Real Estate may reveal, disclose and/or transfer, inside and outside the country, the Personal Data provided to collaborators, employees, affiliates, suppliers, advertisers, contractors, service providers and/or partners. This is allowed as long as, when the information is requested from its owner by means of a pre-established format, the owner is told that the information can be transferred, to whom and for what purposes. That format must contain a space in which the owner can state whether or not they consent to the transmission of that information for the purposes stated. The third parties that receive the information related to the Personal Data of the clients are obliged to comply with the provisions of the Privacy Notice and the applicable legislation in Mexico.
Avoid unnecessary sanctions.
Finally, it is worth mentioning that in some cases information such as name and telephone number is requested without requesting the owner’s consent. This is considered a bad practice, since the owner is not being informed of the purpose, is not being asked for express consent, and is not being made aware of the ARCO Rights. For this reason, such information should not be sought in the first instance without having obtained prior authorization.
In some other cases, your website contains a box to apply for a job vacancy in your company, where the user would have to leave their data, résumé, etc. This is done without requesting consent to use their information for the appropriate purposes, or for any of the purposes mentioned above.
For each company it is extremely important to generate trust and distinguish itself from the rest of its competitors as a protective guarantor of Personal Data. Therefore, it is recommended to have mechanisms to protect the information that we obtain from physical persons and to provide it with proper treatment, maintaining confidentiality even after the relationship with them has concluded. It is worth mentioning that these practices will help us to demonstrate to the authority our compliance with the applicable provisions.
Do you need help to comply with the LFPDPPP?
At GP&H we can help you to have the appropriate forms and Privacy Notice, as well as adapt your website in the correct way. Contact our legal team to learn about the solutions we offer and how to comply with the Federal Law on Protection of Personal Information Held by Individuals.
Alejandra Hernández Treviño