The Privacy Advisor | Mexico DPA Fines Bank 32M Pesos

The following is a translation of a legal briefing written by Isabel Davara, CIPP/E, CIPP/US, CIPM. Find it in Spanish, here. 

The National Institute for Transparency, Access to Information and Protection of Personal Data (INAI) has announced its resolution in the sanctions proceeding identified by record number PS.0016/14, in which the plenary decided to impose three fines on Banorte for processing a data subject's personal data in contravention of the provisions of the Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) and its regulations.

The resolution is remarkable because the economic sanctions imposed in proceeding PS.0016/14 reach a historic figure of $32'006,691 MXN ($2 million USD), the largest financial penalty that the guarantor authority has imposed for violations of the LFPDPPP.

The three fines are described as follows:

1) The infringement consists of collecting sensitive personal data regarding the present and future state of health of the complainant's spouse without obtaining express written consent; $18’544,200.00

2) The infringement consists of holding databases on physical and electronic media that contain personal data on the present and future health of persons other than the complainant, without this being legally justified; $8’673,900.00

3) The infringement consists of processing the personal data of the complainant and his spouse contrary to the principles of:

  • Information, since it failed to make its privacy notice available to the complainant when it collected the personal data, to report what personal data it obtained and for what purposes;
  • Proportionality, since it processed personal data of the complainant's spouse without these data being necessary, appropriate and relevant to the purposes for which they were obtained, and
  • Legality, since the processing did not adhere to the applicable regulations. $4’788,591.00

From this precedent, the following recommendations are relevant; had the responsible party implemented them effectively, they would have prevented the imposition of the various economic sanctions:

  • Get the express written consent of the data subject for the processing of sensitive personal data.
  • Have an inventory of personal data in which the data are classified according to their type, characteristics and levels of security.
  • Limit the processing of sensitive personal data to the minimum possible and justify it according to legitimate and specific purposes required by the head.
  • Compose a privacy notice that is clear and simple, which informs the data subject about the processing of sensitive personal data and the purposes for which their personal information is used. For the processing of personal data of third parties, other than the data subject, consent for such processing must be obtained as well.

Thus, we can see that today it is essential to comply with the regulations applicable to the protection of personal data, as various precedents now issued by the INAI show the severity of its rulings and the breadth of both the investigative and the sanctioning powers that the LFPDPPP confers on it.
