...

Privacy Law Survey 2021
Mexico / Monterrey

Privacy Notice

Is the company required to provide a privacy notice to workers? (Y/N)

Yes.

Does the worker privacy notice need to address security measures?

No. Security measures are mandatory but there is no obligation related to addressing such measures in the privacy notice.

Are there any other unique disclosure requirements with respect to the privacy notice (e.g. list data retention periods, state legitimate bases, etc.)?

Yes. Employees, as any other data subject, shall be informed at least of the following: the identity and address of the person responsible for collecting the personal data (employer); the purposes of the data processing; the options and means offered to the employees to limit the use or disclosure of their data; the means to exercise the rights of access, rectification, cancellation or opposition, in accordance with the provisions of the law.

Data Subject Rights

Are there data subject rights for workers? (Y/N – if Y, please list)

Yes. Workers have the same rights as any data subject. The only difference is that the employer is not required to obtain their consent for processing personal/employment data derived from a labor agreement.

What is the timeframe to respond to data subject requests from workers?

In case a worker, as any other data subject, requests to exercise its rights to access, rectification, cancellation or opposition of its personal data, the response timeframe is 20 days, and the execution timeframe is 15 days following the response.

Are there exceptions to responding to data subject requests from workers?

Yes. Requests may be denied when the petitioner is not the owner of the personal data ; when the petitioner’s personal data is not found in its database; when the rights of a third party are injured; when a legal impediment or a resolution by an authority restricts access to personal data or does not allow its rectification, cancellation or opposition; or when the rectification, cancellation or opposition has already been made.

Special Rules for Worker Information

Are there employment rules about privacy-related discrimination (e.g., unlawful to terminate employment due to worker submitting an access request)?

There are no specific employment rules about privacy related discrimination.

Are there any unique requirements for transfers of employee information to third parties (i.e., contractual restrictions or otherwise)?

No. The general rules about transfer of personal data to third parties are also applicable to employee information.

Are there rules about automated decision making involving workers (e.g., hiring decisions)?

No.

Are there rules about processing sensitive information or information about worker households or families (e.g., biometric data, health/medical information, sexual orientation, religious affiliation, union membership, etc.)?

Yes. Express consent from the employee is required to process sensitive personal data.

Are there specific security requirements for storing and processing worker information?

No. The general rules are also applicable for workers’ information.

Are there rules about using worker information for marketing?

Yes. General rules about use of personal data for marketing is applicable also to workers’ information for marketing.

Are there rules about surveillance of workers?

Not specifically, the Federal Labor Law states that surveillance of remote workers is permitted but the mechanisms and technology used to do so must be proportional to its objective, guaranteeing the right to privacy of workers and respecting the legal framework regarding the protection of personal data. Video cameras and microphones may only be used extraordinarily.

Are there other specific privacy rules or issues involving worker information (e.g., BYOD policies, monitoring technology use, automated tracking of workers)?

No. However, as a general principle consent is required.

Government and Recourse

Is there a legislative body or government entity that regulates employment-related privacy matters?

No.

In the event of a violation, is the recourse regulatory, a private right of action, or other?

Both.

Expected Changes to Worker Privacy Laws:

No.

B2B Data

Is business-to-business (B2B) data treated differently than consumer or employee data? (Y/N – If yes, please explain).

No. Data Protection Privacy Law rules all business too. bussines relations.

D & A Morales y Asociados

Mexico / Monterrey

Offices

D & A Morales y Asociados SC, Ignacio L. Vallarta No. 811
Sur, Colonia El Mirador Centro, Monterrey, Mexico 64070
Tel +52 81 8129 9200