Do Companies Operating in Mexico Need a Data Protection Officer?
Article 30 of the Federal Law on Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de Particulares or LFPDPPP) requires all data controllers to appoint a “person or department of data protection” within the organization. While the law does not use the exact same name, the responsibilities are similar in nature to those of the Data Protection Officer under the GDPR.
What they do
The “person or department of data protection” has two legal responsibilities:
- Answering data subject requests, especially those regarding their ARCO rights.
- Promoting the protection of personal data within the controller’s organizational structure.
The way in which these responsibilities should be exercised will depend on the nature, size, and needs of the company. Companies should have defined processes and channels to be able to respond to data subjects’ requests in a timely manner and in the most efficient and lawful way.
Who to appoint
Although the law does not provide guidance on the requirements for this role, the INAI in Mexico has issued recommendations on who should be appointed as the “person or department of data protection”.
The first decision the company must make is whether to designate a single individual, or an entire department. This will depend on the size of the corporation, the type and volume of data being processed, the value of the personal information for the company’s operations, and the expected number of requests from data subjects. Larger companies, those processing sensitive data, or those whose core business depends on the processing of personal data, will be better served by designating an entire department or a whole external firm to ensure that the protection of the information will be well managed.
While there are no requirements regarding the qualities of the designated person or department, it is recommended that they have experience or knowledge in data protection to ensure effective implementation of the law. It is recommended that they hold a senior position within the organisation and that they have sufficient material, technical and human resources to carry out their duties effectively.
Finally, there is no requirement that the person or department has to be a part of the organisation itself. Companies could therefore appoint an external firm such as FIRST PRIVACY, which is specialised in privacy and data protection, to carry out these tasks.
Registration and location
There are no restrictions on the location of the appointees, and companies could designate a person located anywhere in the world to fulfil these obligations.
Fábio Cavalcante, LL.M.
Senior Privacy Counsel
Phone: +49 421 69 66 32-886