Alerts and Updates

Personal Data Protection During the COVID-19 Health Emergency in Mexico

April 8, 2020

In Mexico, the Law on the Protection of Personal Data in the Possession of Private Parties regulates the right to informational self-determination.

As a consequence of the COVID-19 health emergency declared by the Mexican government on March 30, many companies in the Mexican market have needed to collect information from their employees as a precaution against the spread of the coronavirus.

In Mexico, the Law on the Protection of Personal Data in the Possession of Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) regulates the right to informational self-determination. The law provides that data that may reveal information relating to the health of individuals be deemed as “Sensitive Personal Data.”

The law indicates that such sensitive personal data may not be processed without the express written consent of its owner. However, the law also provides that consent for processing the personal data will not be required in the event of a health emergency.

Thus, the National Institute for Access of Information issued the following recommendations in connection with the processing of personal data:

  1. Ensure strict administrative, physical and technical security measures to prevent any loss, destruction, theft, use or access, damage, modification or unauthorized alteration.
  2. Comply with the other provisions set forth in the law and related regulations.
  3. Protect the confidentiality of any sensitive personal data related to any case of COVID-19.
  4. Adopt measures to ensure accuracy of COVID-19 confirmed cases.
  5. Any communications within the company regarding the presence of COVID-19 should not identify any afflicted individual.
  6. The processing of all sensitive personal data must be disclosed to the respective owner.
  7. Limit the amount of time the sensitive personal data is processed.
  8. Clearly set forth the terms to safely keep the personal data related to COVID-19 cases and establish clear rules to safely delete such information.
  9. Report security breaches of personal data to its owners and to the public sector, the National Institute for Access of Information or the appropriate government entity, as applicable.
  10. Avoid unauthorized distribution of information and data relating to confirmed COVID-19 cases.
  11. Define security measures for fixed and mobile computing and storage devices that contain information relating to COVID-19 cases.

About Duane Morris

Duane Morris has created a COVID-19 Strategy Team to help organizations plan, respond to and address this fast-moving situation. Contact your Duane Morris attorney for more information. Prior Alerts on the topic are available on the team’s webpage.

For More Information

If you have any questions about this Alert, please contact Eduardo Ramos-Gómez, Rosa M. Ertze, Miguel de Leon Perez, any of the attorneys in our Mexico Business Group, any member of the COVID-19 Strategy Team or the attorney in the firm with whom you are regularly in contact. 

Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.