May consent be used as a legal basis for processing worker information? (Y/N – if N, please explain)
No if the information requester is the employer. However, if the requester is a third party, employee’s consent is required.
Are there any specific worker data collections or processing operations that require prior consent? (Y/N – if Y, when is consent required)
Yes. According to the Federal Law for the Protection of Personal Data in Possesion of Individuals, workers must give their express consent when sensitive personal data is required.
Are there exceptions that will allow employers to collect and treat workers data without consent? (Y/N – if Y, list the exceptions)
Yes. Employers may treat employees’ data without employees’ consent if is personal data derived from any labor agreement.
Is the company required to provide a privacy notice to workers? (Y/N)
Yes. Or inform the workers where could they find the company’s privacy notice.
Does the worker privacy notice need to address security measures?
No. Security measures must be provided in different regulations, accordint to the company’s activities.
Are there any other unique disclosure requirements with respect to the privacy notice (e.g. list data retention periods, state legitimate bases, etc.)?
Yes. Workers must be informed of the data of the responsible of managing their information, as well as the procedure for the access, rectification, cancellation or opposition (ARCO rights).
Data Subject Rights
Are there data subject rights for workers? (Y/N – if Y, please list)
Yes, in a regular basis as any other individual. However, derived from a legal labor relationship employee/employer, no consent of the employee will be needed.
What is the timeframe to respond to data subject requests from workers?
Pursuant to the Federal Law for the Protection of Personal Data in Possesion of Individuals 20 days for the employer to answer the request, and if it is applicable, 15 days to execute it.
Are there exceptions to responding to data subject requests from workers?
Yes. When the applicant is not the owner of the data requested; when the employer can’t find the data in its database; if the rights of a third party are affected; when there is a legal resolution restraining the disclosure of the data.
Special Rules for Worker Information
Are there employment rules about privacy-related discrimination (e.g., unlawful to terminate employment due to worker submitting an access request)?
There are no specific employment rules about privacy related discrimination.
Are there any unique requirements for transfers of employee information to third parties (i.e., contractual restrictions or otherwise)?
Are there rules about automated decision making involving workers (e.g., hiring decisions)?
Are there rules about processing sensitive information or information about worker households or families (e.g., biometric data, health/medical information, sexual orientation, religious affiliation, union membership, etc.)?
Yes. Sensitive information requires express consent from the employee other than labor agreement.
Are there specific security requirements for storing and processing worker information?
No. The general regime is also applicable for worker’s information.
Are there rules about using worker information for marketing?
Yes. Generic rules about use of personal data for marketing is applicable also to worker information for marketing. Therefore, it requires employee’s consent.
Are there rules about surveillance of workers?
No. However, surveillance measure should not jeopardize emplyoyee’s dignity.
Are there other specific privacy rules or issues involving worker information (e.g., BYOD policies, monitoring technology use, automated tracking of workers)?
No. As long as such measure does not jeopardize employee’s dignity.
Government and Recourse
Is there a legislative body or government entity that regulates employment-related privacy matters?
In the event of a violation, is the recourse regulatory, a private right of action, or other?
Expected Changes to Worker Privacy Laws:
Is business-to-business (B2B) data treated differently than consumer or employee data? (Y/N – If yes, please explain).
No. Data Protection Privacy Law rules all business to bussines relations.
Cornejo Méndez González & Duarte
Montes Urales 415-3A
Lomas de Chapultepec
Ciudad de México, Mexico
Tel +52 55 5540 44 50