Transparency practices for Civil Society Organizations on Corporate Issues

In order to begin, it is necessary to understand what is understood as personal data:

Personal data: information concerning an identified or identifiable person (natural). A person is considered identifiable when their identity can be determined directly or indirectly through any information. (Age, address, telephone number, personal email, academic, work or professional history, assets, social security number, CURP, among others.)

Sensitive personal data: personal data that affect the most intimate sphere of its owner, or whose misuse may give rise to discrimination or entail a serious risk for it. (Racial or ethnic origin, present and future health status, genetic information, religious, philosophical and moral beliefs, union membership, political opinions, sexual preference.)

When we talk about transparency, there are two important figures, the responsible and the commissioned.

The responsible is the natural or legal person who decides on the processing of personal data. Consequently, it collects, stores, uses, transmits, transfers and deletes personal data of people with whom it has or has had some type of relationship, whatever its nature.

The commissioned, then, is the natural or legal person who alone or jointly with other third parties, brings personal data on behalf of the responsible.

However, the protection of personal data for civil society organizations is of the utmost importance since every day information is received from people in the exercise of their activities which is one of the greatest assets of these societies, but at the same time this makes them responsible for the treatment of all this data that is received.

The authority in charge of supervising compliance with the protection of personal data in Mexico is the National Institute of Transparency, Access to Information and Protection of Personal Data (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales [INAI]).

The applicable regulation is its Federal Law (Ley Federal de Protección de Daos Personales en Posesión de los Particulares LFPDPPP) and its internal regulation.

Civil society organizations must keep the personal data provided to them under the necessary security conditions to prevent their adulteration, loss, consultation, use or unauthorized or fraudulent access, as well as respect for the rights of the holders of the data.

It is necessary to establish confidentiality and personal data protection clauses in all contracts with clients and with third parties in general. Likewise, it should always be taken into consideration that the information that is being collected is really necessary, adequate and relevant information for the purposes for which it is being obtained.

Additionally, it is necessary to establish personal data protection policies whose purpose is to:

• Ensure compliance with the rules.
• That they are applicable to all employees and their compliance is mandatory.
• Legal consequences and sanctions are established in case of violation.
• Explain how the personal data obtained is treated and protected.
• Establish procedures and guidelines for the rights of access, rectification, cancellation and opposition of personal data.
• Establish an area in charge of dealing with related requests.

The Privacy Notice is a physical, electronic document or in any other format, through which the responsible informs the owner about the existence and main characteristics of the treatment to which their personal data will be submitted. The purpose of the privacy notice is to establish and define the scope, terms and conditions of the processing of personal data, so that the owner can make informed decisions regarding their personal data and maintain control and disposition of the information that is provided to them.

Any person who is considered responsible for processing personal data, regardless of the activity carried out or whether it is a natural or legal person, needs to prepare and make their privacy notice available.

In accordance with the foregoing, the privacy notice must be made available at the following times and consequently request that the third party sign the notice accordingly:

1. Prior to obtaining personal data: when personal data is obtained directly or personally from the owner.
2. At the first contact with the owner: when personal data is obtained indirectly and the treatment for which they will be used involves direct or personal contact with the owner.
3. Prior to the use of personal data: when personal data is obtained indirectly, but the treatment for which it will be used does not require personal or direct contact with the owner.

Different modalities of the Privacy Notice:

Comprehensive privacy notice: All the elements that are described in section III of the ABC of the Privacy Notice: http://abcavisosprivacidad.ifai.org.mx/. It is used when the data is collected directly and in person from the owner.

Simplified privacy notice: (i) The identity and address of the responsible; (ii) the purposes of the treatment, distinguishing those that originated and are necessary for the legal relationship between the owner and the responsible, from those that are not; (iii) the mechanisms for the holder to express his refusal for secondary or accessory purposes; (iv) the mechanisms for the owner to know the comprehensive privacy notice. It is used when the data is collected directly through electronic means or by telephone from the owner.

Short privacy notice: (i) The identity and address of the responsible; (ii) the purposes of the processing, without it being necessary to distinguish the secondary or accessory purposes; (ii) the mechanisms for the owner to know the comprehensive privacy notice. It is used when the space used to obtain personal data is minimal or limited.

In the event that it is required, we leave a link to a generator of Privacy Notices that the INAI has: https://generador-avisos-privacidad.inai.org.mx/

The rights of the holders of personal data are the following (Derechos ARCO):

• Access: right to obtain information about your personal data in the possession of the responsible, as well as information regarding the conditions and generalities of the treatment.
• Rectification: they may request, at any time, that the responsible rectify their personal data that turns out to be inaccurate or incomplete.
• Cancellation: they may request, at any time, the cancellation of personal data when they consider that their treatment is no longer necessary or that they are not being treated in accordance with the principles and duties established by law.
• Opposition: they may at any time oppose the processing of their personal data or demand that it ceases when:
  • There is a legitimate cause and the specific situation requires it.
  • Manifest opposition so that the treatment for specific purposes is not carried out.

What is considered a data breach?

• The unauthorized loss or destruction of personal data.
• The theft, loss or unauthorized copying of personal data.
• The unauthorized use, access or treatment of personal data.
• The damage, alteration or unauthorized modification of personal data.

In case of data breach, the responsible is the one who must inform the owners if there is a significant impact on their economic or moral rights, as well as the measures, guidelines and internal actions that will be carried out.

What behaviors could generate administrative or even criminal sanctions?

• Failure to comply with any request made by an owner of data.
• Change the purpose of the processing of personal data.
• Transfer data to third parties without authorization from the owner.
• Deliberately declare the inexistence of personal data.
• Act with negligence and / or fraud.
• Skip the privacy notice and deal with personal data.
• Failure to comply with confidentiality when processing personal data.

1. Administrative sanctions:
2. Warning
3. Fines of 100 or 200 to 160,000 or 320,000 current minimum wages.
4. In case of repetitions, it can be sanctioned with additional fines or the sanctions can be increased up to double.

• Criminal penalties:
• Imprisonment for 3 months to 3 years for the person who, being authorized to process personal data, for profit, violates the security of the databases in their custody.
• Prison from 6 months to 5 years to which person, in order to profit, treats personal data through deception, takes advantage of the error of the owner or the person authorized to transmit them.

Actions to avoid sanctions or criminal penalties:

1. Have a data protection policy.
2. Train your employees on data protection issues.
3. Have a privacy notice that complies with the characteristics of the country in which the data is collected.
4. Conduct internal audits of existing processes and policies to find out the level of compliance in which the company is.
5. Designate one person or a group of people to be in charge of safeguarding the integrity of the information and verifying its correct handling.

Maria Fernanda Ortega

Gloria Ponce de León & Hernández