Personal Data and Privacy Protection
Adequacy Projects – Methodology
Since the publication of the Federal Law on Protection of Personal Data Held by Individuals (LFPD), BGBG has undertaken the task of designing and developing its own methodology to offer optimum compliance with it and to effectively execute "LFPD Compliance Projects", supported by the extensive national and international experience of its members.
Since then, BGBG has determined the following as the guiding principles of its methodology:
- Knowledge and development degree of national and international legislation on personal data protection
- State of the information security culture in Mexico
- State of the culture of personal data protection in Mexico
- Knowledge of vulnerable sectors
- Dissemination of the culture of prevention against the culture of reaction
- Flexibility in the provision of services
The methodology of BGBG's "Adjustment Projects on the Federal Law on Protection of Personal Data Held by Individuals" has evolved according to the national (and international) legislative development, taking into consideration the subsequent publication and entry into force of the Federal Law on Protection of Personal Data Held by Individuals Regulations, the Privacy Notice Guidelines, the INAI Recommendations on the Short Privacy Notice Model for Video-surveillance, the INAI Recommendations on Personal Data Security, the Self-Regulatory Parameters on Personal Data Protection, etc.
Advice and representation before INAI
Within its authority, the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI) may require, investigate, and verify compliance with the Federal Law on Protection of Personal Data Held by Individuals (LFPD) and, where appropriate, sanction infractions of it.
The advice and representation service before INAI aims to provide legal certainty to data controllers within the processes started by such authority, ensuring that at all times of the process they have the best advice to respond to the notified requirements, provide relevant information and, where appropriate, eradicate or minimize the effect that these processes may entail.
The provision of this service includes:
- Representation before the authority.
- Giving responses to INAI requirements and reports.
- Follow-up of the processes until their conclusion.
- Advice and follow-up of procedures before the Federal Court of Administrative Justice, if applicable.
The purpose of conducting a Due Diligence within the framework of the Personal Data Protection regulations is to identify and evaluate the level of compliance or non-compliance that each entity maintains regarding the provisions of the Federal Law on Protection of Personal Data Held by Individuals (LFPD), its Regulations, the Privacy Notice Guidelines, the Recommendations on Personal Data Security, and other legislation related to data protection.
The activities of a Due Diligence in personal data protection matters include, among others:
- Identification and evaluation of the flows of existing personal data
- Identification and evaluation of the existing processes and procedures related to personal data
- Identification and assessment of compliance or non-compliance with the 8 principles related to personal data processing
- Identification and review of legal relationships involving national and/or international data transfers, and processing orders to third party service providers
- Identification of information systems that should be audited for their level of compliance with the Recommendations on Personal Data Security
All the adjustment projects that BGBG has developed and currently offers to its clients include training courses for multiple targets covering different aspects of complying with existing and current national regulations.
BGBG attends and satisfies the specific requirements of its clients in terms of training on personal data protection and has extensive experience in teaching the relevant courses, whose audiences are and have been varied in terms of number and professional profiles.
Some of the courses offered by BGBG are:
- Training on Personal Data Protection (Regulatory Framework)
- Personnel Duties and Obligations regarding Personal Data
- Attention to requests for rights of access, rectification, cancellation, or objection (ARCO rights)
- Among others
Data Protection Consulting and Advisory Service (CAPD)
The Data Protection Consulting and Advisory Service (CAPD Service) aims to provide companies and/or individuals with advice, consulting, implementation, and support to effectively comply with the Federal Law on Protection of Personal Data Held by Individuals (LFPD), its Regulations, and the rest of the applicable regulations, in compliance with LFPD, Article 30.
With the CAPD Service, these companies or individuals can entrust a third party —with a high degree of knowledge, experience, and expertise— with their obligations under the Federal Law on Protection of Personal Data Held by Individuals and other regulations in force.
CAPD Service is based on 3 major groups of services: Preventive Security Actions, Advisory Security Actions, and Reactive Security Actions. These services include actions such as:
- Attention to inquiries
- Response to requests for ARCO rights, revocation of consent, and limitation and/or disclosure of personal data
- Key decisions in the implementation of data protection measures and compliance
- Implementation of procedures and training actions for personnel
- Among others
Binding self-regulation schemes
Since the publication and entry into force of the Self-Regulation Parameters regarding the Protection of Personal Data (hereinafter, the “Parameters”), BGBG has followed up and is developing new methods and work measures to offer solutions and advice on binding self-regulation schemes, within the framework of the Federal Data Protection Law, Article 44, to its clients that are within the framework of the execution of the Parameters.
BGBG offers effective and up-to-date consultancy on this matter to assist interested clients while waiting for the Federal Institute for Access to Information and Protection of Data to issue the Operation Rules of the Registration of Self-Regulation Schemes.
Response to Requests for ARCO rights
The Federal Law on Protection of Personal Data Held by Individuals (LFPD) grants the holders of personal data the right of access, rectification, cancellation, or objection (ARCO rights), which they can exercise before the data controllers by following certain rules and procedures.
In the area of Protection of Personal Data and Privacy of BGBG, we offer specialized advice to data controllers, regarding the origin and scope of the requests made by said holders, to adjust the responses to the current regulatory framework, which not only includes the provisions of the Federal Law on Protection of Personal Data Held by Individuals.
This service includes, among others, regulatory analysis of the activities of data controllers, the determination of periods and assumptions for the conservation of information, and the generation of adequate responses to specific requests for ARCO rights.
Where appropriate, BGBG can support its clients in the implementation of formats and procedures for responding to requests for ARCO rights, which data controllers can adopt as part of regulatory compliance actions.
Right to be forgotten
Since its issuance in the European Union on May 13, 2014, the Judgment of the so-called “right to be forgotten” has been the subject of analysis, studies and comments around the world.
Its importance with respect to Internet “search engines” is such that, during the 5 months following the issuance of said judgment, the most important search engine of all (Google®) received more than 120,000 requests related to the withdrawal of links to content deemed harmful to the interests of the individuals who promoted these requests.
In this scenario, BGBG advises owners of personal data who deem their rights violated because of the indexing on the internet of content that affects their legal sphere and that, for various reasons, can be deemed of little relevance to justify its appearance in result lists such as those generated by this type of search engines.
Our experts will advise you to define in a personalized manner whether you can request the erasure of your data from search engine managers and, in any case, on any other right that you can assert against these personal data controllers.
The Personal Data and Privacy Protection area of BGBG Abogados, as part of the TMT area, has been created as a response to the new necessities of the people that must abide by the Federal Law on Protection of Personal Data Held by Individuals (LFPD) and the remaining applicable and current regulations.
The professional practice of the Personal Data Protection area is composed of specialized lawyers with international training on the matter, alongside the experience and prestige of BGBG since its establishment, with the vocation of providing a complete, informed, and high-quality service to clients.
The development of our professional practice is contained within the “boutique” concept, with which the firm came to life. Such an organizational model has allowed us to provide services that satisfy the specific necessities of our clients in a professional, personal, and avant-garde manner.
The Personal Data and Privacy Protection Area offers consulting and advisory services to its clients, such as personal data protection suitability and enforcement projects (compliance); transfer agreements and national and international data processing orders, self-regulation mechanisms and measures development (conduct codes); response system design and implementation on the exercise of rights by holders; personal data protection policy implementation; among others.
International training and experience to provide practical and effective compliance solutions.
Héctor E. Guzmán Rodríguez
Mauricio Guerrero Reyes
Alejandra Rodríguez Campiran
Mariana Rodríguez López