Mexico City, December 13th, 2022
In the first half of 2022, the National Institute for Transparency, Access to Information, and Protection of Personal Data (INAI) settled 63 private sector sanction proceedings, of which 58 culminated in a sanction and 4 in a warning; in only 1 sanction proceeding was no fine imposed. Therefore, in 92% of the private sector sanction proceedings before the INAI, a fine was imposed. Most of the sanctioned cases relate to the lack of a Privacy Notice; others relate to the failure to obtain the applicable data subjects' consent, or to a Privacy Notice that does not comply with the requirements established in the Federal Law for the Protection of Personal Data Held by Private Parties ("LFPDPPP"), its Regulations ("RLFPDPPP") and the Privacy Notice Guidelines.
Among the highest fines is the one imposed on a mobile application dedicated to granting loans to users. According to the INAI, the data controller did not obtain express consent to process the data subject's financial data; hence, it processed the personal data for purposes different from those stated in the Privacy Notice, and it did not demonstrate that it had made the Privacy Notice available, among other conduct. As a result, it was subject to a fine of approx. US $88,500.
In another case, the authority sanctioned an insurance company that transferred personal data by email to a Third Party unrelated to the legal relationship between the Controller and the Data Subject. The Controller failed to comply with the principle of responsibility, did not have the necessary security measures to prevent this improper disclosure of personal data, and the transfer was not foreseen in its Privacy Notice. Therefore, INAI fined the insurer US $329,222.46.
In general, the sanction proceedings resolved by INAI in the first half of the year highlight the relevance of having adequate mechanisms and procedures to comply with the principles of data protection, mainly with regard to the Privacy Notice.
In the Privacy, IT and Data Protection practice area we are at your service.