The National Institute of Transparency, Access to Information and Protection of Personal Data (INAI) when resolving the procedure for imposing sanctions PS.0006/15, August 10, 2015, determined to fine a financial institution for the amounts of $4’ 000, 000 -US$210,000 approx, for breach of lawfulness and responsibility principles-, $6’000,000 -US$316,000 approx, for breach of duty of confidentiality- and $7’000,000 -US$368,000 approx, for transfer of data from an individual, without his express consent, breach of consent principle-. That is a total of $17’000,000, US$894,000 approx, for violating the different cases provided in sections IV, VIII, and XIII of article 63 of the Federal Law on Protection of Personal Data Held by Private Parties. Mexico City, January 9, 2020. Mexican Supreme Court of Justice confirms the standardized banking key is a personal data.
The INAI determined that the standardized banking key (interbank key -CLABE-) is a personal data that can be protected in terms of the mexican data protection regulation, since it is a unique and unrepeatable number for the Mexican financial system, assigned to a bank account and which, when used for electronic money transfers, is intimately related to the data subject. This is information that is associated and identifies the owner of each account, and regardless of whether the owner is a private individual or legal entity.
Therefore any processing related to the Clabe requires the express consent of the data subject, as long as no exception case provided for in the aforementioned law are updated.
The foregoing was ratified by the Superior Chamber of the Federal Court of Administrative Justice , and later by the Second Chamber of the Mexican Supreme Court of Justice when deciding the file AD 48/2017 , which although confirms the aforementioned criterion, also ordered the INAI to issue a new resolution in which it considers imposing a single sanction – and not three – for the commission of a single improper act, as provided in section XIII, of article 63 of the Federal Law on Protection of Personal Data Held by Private Parties, in order to comply with the non bis in idem principle, and also considering that the intentionality in the behavior attributed to the financial institution was not proven.
Mexico City, January 9th, 2020.
 Sentence of November 16, 2016, issued by the Superior Chamber of the Federal Court of Administrative Justice in file 10465 / 15-17-04-3 / AC1 / 1976/16-PL-04-04 regarding the trial Federal administrative dispute number 10465 / 15-17-04-3 and its accumulated 21179 / 15-17-09-4.