February 2018
INAI PUBLISHES GUIDELINES AND PROCEDURES FOR THE PORTABILITY OF PERSONAL DATA
On February 12, 2018, the National Institute of Transparency, Access to Information and Protection of Personal Data ("INAI", by its Spanish acronym) published the "Agreement which approves the Guidelines that establish Parameters, Modalities and Procedures for Personal Data Portability" (the "Portability Guidelines"). These Portability Guidelines provide for the possibility that data subjects whose personal data is in the possession of Obliged Subjects (government entities) may request that data in order to transfer it to another Obliged Subject.
It should be borne in mind that under the General Law for the Protection of Personal Data in Possession of Obliged Subjects (the "Law"), any authority, entity, body or organism in the Federal, State or Municipal spheres of the Executive, Legislative and Judiciary branches, as well as autonomous bodies, political parties, public trusts and funds, are Obliged Subjects.
Legal Basis
Article 57 of the Law provides that the National System of Transparency, Access to Information and Personal Data Protection shall establish, through these Portability Guidelines, the Parameters to determine when a format is structured and commonly used, and the technical standards, modalities and procedures to transfer Personal Data.
Subjects, Object and Hypotheticals
The Portability Guidelines are applicable to all Subjects obliged by the Law, within the 3 levels of government, that have systems that generate structured and commonly used formats for the interoperability of Personal Data (the "Formats"). Regardless of the computer system used to generate and reproduce them, Formats will be such if they: (i) are accessible and readable by automated means, which allow identifying, recognizing, extracting, exploiting or carrying out any other operation with Personal Data; (ii) allow the reuse and/or harnessing of Personal Data, and (iii) are interoperable with other computer systems; that is to say, that the transmitter and receiver of the format can share infrastructure and Personal Data by the connection of their systems or technological platforms.
The processing of Personal Data by electronic means in such Formats entitles the holder of such data either to obtain a copy of the data directly made available to an Obliged Subject for their use and processing by another Obliged Subject, or otherwise for its further transmission to another Obliged Subject, as long as it is technically possible in compliance with the conditions set forth in the Portability Guidelines. The Obliged Subject acting as a data controller must inform the data subject in its integral privacy notice of the possibility to request the portability of his personal data, among other matters.
Portability of personal data is not an obligation incumbent upon Obliged Subjects who process personal data and, therefore, it seems restrictive of the rights of data subjects that the Obliged Subjects have no obligation to store, preserve, safeguard, maintain or uphold all the Personal Data that they possess in a structured and commonly used Format.
Portability is not applicable to: (i) information inferred, derived, created, generated or obtained from the analysis or processing carried out by the Obliged Subject of the personal data provided by the holder; (ii) pseudonyms, unless they are clearly linked to the owner and can identify him or make him identifiable, or (iii) personal data that is dissociated, so that it cannot be associated with the owner or allow his identification, except when by a subsequent procedure it can be associated once again.
The portability of Personal Data can be requested on the same terms and conditions that the Law or the local legislation in the matter provide for the ARCO rights, requiring a copy of the Format or its transmission to the Receiving Obliged Subject, and indicating the name of the latter and the document that proves his legal relationship with him. The requesting holder can provide the means of storage to obtain the Format, or pay the fees that the Obliged Subject charges for it, which is the only cost that is required for these applications.
If the applicant sets out an emergency situation of the data subject that motivates a portability request, it must be answered within a maximum of 10 days and implemented within the subsequent 7 days. The transmission should be carried out including as much metadata as possible.
Technical Standards and Transmission Procedures
The Guidelines also set out norms for the portability of personal data; that is to say, the Obliged Subjects must implement mechanisms that allow data subjects to obtain their Personal Data in person or electronically, inform them about the available Formats and, if possible, allow them to choose among them, ensuring that they are interoperable, and ensure that the services and electronic systems preserve the ability to interoperate with other systems.
Said Obliged Subjects shall also observe certain technical conditions, such as: (i) to have protocols, tools, applications and services to link and effectively communicate the transmitted Personal Data; (ii) to establish administrative, technical and physical safeguards for the foregoing, incorporating user authentication mechanisms, secure connections or information encryption; (iii) to have controls to evidence forwarding, reception and integrity of the transmitted Personal Data; and (iv) to keep a record of all the actions carried out with the transmissions of the same.
Entry into force
The Guidelines will enter into force 180 days after their publication in the Official Journal of the Federation.