﻿Page 1 
Contents 
Presentation ................................................. .................................................. ...............................................: 1 
Section I. Frequently asked questions about the privacy notice ........................................ ................................. two 
1. What is a privacy notice? .................................................. .................................................. ............... two 
2. In which cases is it necessary to have a privacy notice and who is obliged to issue it and make it available 
provision? .................................................. .................................................. ........................................... two 
3. What is the privacy notice for? .................................................. .................................................. ...... 3 
4. When should the privacy notice be made available? .................................................. ............. 3 
5. What does the provision of the privacy notice imply, is the person responsible for delivering a copy of the 
same to the owner? .................................................. .................................................. .................................... 4 
6. Can a single privacy notice be used for different activities? .................................................. ....... 5 
7. What are the terms of the privacy notice? .................................................. .................................... 5 
8. By what means can the privacy notice be disseminated? .................................................. ............................. 5 
9. What are the general characteristics that the privacy notice must comply with in terms of its design and 
presentation?................................................ .................................................. ........................................... 5 
10. What other obligations does the person responsible have in relation to the privacy notice? ................................................ 6 
11. Are there cases of exception for making the privacy notice available? .............................................. 6 
12. Who is obliged to demonstrate compliance with the obligation of the privacy notice? ................................. 7 
Page 2 
Section II. Take the following into account before preparing your privacy notice ...................................... .... 8 
Section III. The content of the privacy notice ............................................ .............................................. eleven 
1. The identity and address of the person in charge .......................................... .................................................. ........... eleven 
2. The purposes of the treatment ............................................ .................................................. ..................... 12 
3. The mechanisms so that the owner can express his refusal for secondary or accessory purposes .......... 15 
4. The personal data processed ............................................ .................................................. ...................... 19 
5. The express indication of the sensitive personal data that is processed ..................................... ..................... twenty 
6. The transfers of personal data that may be carried out ..................................... ............................. 2. 3 
7. The clause that indicates whether or not the holder accepts the transfer when required ................................ ...... 25 
8. The means and procedure to exercise ARCO rights ...................................... ................................. 27 
9. The mechanisms and procedures so that, where appropriate, the owner can revoke his consent to the treatment of 
your personal information ............................................... .................................................. ................................ 30 
10. The options and means that the person in charge offers to the holders to limit the use or disclosure of their data 
personal ................................................. .................................................. ............................................ 32 
11. The use of cookies, web beacons or any other similar or analogous technology .................................. .................. 3. 4 
12. The procedures and means by which the person in charge will communicate to the owners the changes in the notice of 
Privacy ................................................. .................................................. ............................................ 36 
Section IV. Good practices ................................................ .................................................. ...................... 39 
Section V. Modalities of the privacy notice .......................................... .................................................. 42 
Section VI. Privacy Notice Models ............................................. .................................................. .44 
Model A. Comprehensive privacy notice ........................................... .................................................. ................ 44 
Model B. Simplified privacy notice ........................................... .................................................. ........... 49 
Page 3 
Model C. Short privacy notice ........................................... .................................................. .................... 51  
  
  
 
Original text 
 
Modelo C. Aviso de privacidad corto ................................................................................................................. 51 
Contribute a better translation
	



Glossary ................................................. .................................................. .................................................. .. 52  
Single Appendix. Regulatory framework of the privacy notice ............................................ ................................ 54
  
  
  

Page 4 
Presentation 
The purpose of this document is to guide those responsible for the processing of personal data on the preparation and 
making the privacy notice available, according to what is established in the Privacy Notice Guidelines (hereinafter the 
Guidelines), published in the Official Gazette of the Federation on January 17, 2013. 
This guide answers basic questions for the proper preparation and availability of the privacy notice, such as: 
what is the purpose and main characteristics of the privacy notice; who is obliged to issue it; what information should 
contain; when it should be made available and by what means and modalities it can be disseminated. 
With this document, the Institute seeks to provide those responsible with a tool that facilitates compliance with the 
Obligation imposed by law to issue and make the privacy notice available to the owners. 
1 
Page 5 
Section I. Frequently asked questions about the privacy notice 
1. What is a privacy notice? 
It is a physical, electronic document or in any other format (for example sound), through which the person in charge informs the 
owner about the existence and main characteristics of the treatment to which your personal data will be submitted. Through the notice 
of privacy, the information principle established by the Federal Law on Protection of Personal Data in Possession of 
Individuals (hereinafter the Law) and its Regulations. 
To better understand this definition, you need to understand the following terms: 
Personal data: any information concerning a natural person , which identifies him or makes him identifiable, expressed 
in numerical, alphabetical, graphic, photographic, acoustic or any other form. For example: name, degree of studies, 
Address, professional identification, email, social security number, credit card number, among others. 
Sensitive personal data: are those personal data that affect the most intimate sphere of the owner, or whose use 
undue may give rise to discrimination or entail a serious risk for him, such as: his racial or ethnic origin; condition 
past, present and future health; Genetic information; religious, philosophical and moral beliefs; union membership; opinions 
policies; sexual preference, among others. 
Responsible: it is the private natural or legal person who decides on the processing of personal data, for example, 
an educational institution, civil association, bank, department store, self-service store, a doctor, an accountant, among others. 
The person in charge is the one obliged to issue the privacy notice. 
Owner: is the natural person to whom the personal data correspond, for example, Mr. Alejandro Flores Castañeda, Ms. 
María Allende Paz or the child Raúl Montes de Oca Maldonado. 
Treatment: is the obtaining, use, disclosure or storage of personal data by any means. The use covers any 
action of access, handling, use, transfer or disposition of personal data. 
2. In which cases is it necessary to have a privacy notice and who is obliged to issue it and make it available? 
two 
Page 6 
Any person responsible for processing personal data, regardless of the activity carried out or whether it is a natural or legal person, requires 
prepare and make your privacy notice available. For example, a physician, lawyer, or independent accountant is required to 
have privacy notice. Also a micro, small, medium or large company. 
IMPORTANT: The person in charge has the obligation to inform the owner of the existence and main characteristics of the 
treatment to which your personal data will be submitted through the privacy notice, regardless of whether it requires 
or not obtaining the consent of the owner to carry out said treatment. 
3. What is the privacy notice for? 
The main purpose of the privacy notice is to establish and delimit the scope, terms and conditions of the treatment of the 
personal data, so that the owner can make informed decisions regarding their personal data and maintain control 
and disposition of the corresponding information. 
Likewise, the privacy notice allows the person in charge to make transparent the treatment or use given to the personal data that are 
in its possession, as well as the mechanisms it has enabled for the holders to exercise their rights in relation to their 
personal information, which undoubtedly strengthens the level of confidence of the owner in relation to the protection of their data. 
4. When should the privacy notice be made available? 
The moment in which the person in charge must make the privacy notice available to the owners depends on the way in which it is 
obtain personal data, that is, if they are collected personally , directly or indirectly from the owner. 
Personally. Personal data is obtained personally when the owner provides them to the person in charge or to the 
natural person designated by him, with the physical presence of both , for example, when the owner goes to the company or to a 
branch of the person in charge and there provides them face to face. 
In a direct way. Personal data is obtained directly when the owner provides them by any means that 
allows its direct delivery to the person in charge , including electronic, optical, sound, visual media or any other technology, 
such as postal mail, Internet or by telephone, among others. Clear examples of the above are when the headline fills in a form a 
through the Internet in which you provide your personal information, or when the owner communicates your personal data to 
responsible by a phone call. 
3 
Page 7 
Indirectly. Personal data is obtained indirectly when the controller obtains it without the owner 
it has been provided to you personally or directly , such as through a publicly accessible source or a 
transfer. 
Based on the above, we have that the privacy notice is made available at the following times: 
• When personal data is obtained directly or personally from its owner. In that 
A) Prior to obtaining the personal information 
B) At the first contact with the headline 
C) Prior to the use of 
Personal information 
In this sense, the person in charge must make their privacy notice available to the owner before that the latter provide your personal information, through the format or medium respective. 
• When personal data is obtained indirectly and the treatment for which 
will be used involves direct or personal contact with the owner. For example, if the personal data was obtained from a publicly accessible source and the controller will send the holder propaganda about the goods or services offered, in the first sending of information that you do, you must make the privacy notice available to the owner. 
• When personal data is obtained indirectly, but the treatment for the 
which will be used does not require personal or direct contact with the owner. For example, yes the personal data was obtained through a transfer and will be used for a 
socioeconomic study that does not require contacting the holders, before carrying out the study, the person in charge must make the privacy notice available to the owners. 
5. What does the provision of the privacy notice imply, is the person responsible for delivering a copy of the 
same to the owner? 
Making the privacy notice available implies making the owner aware of said document. In that sense, the 
responsible is not obliged to deliver a copy of the privacy notice to the owner, unless he requests it through the exercise 
of your right of access. 
4 
Page 8 
6. Can a single privacy notice be used for different activities? 
The number of privacy notices that the same person in charge must have depends on the characteristics of the treatments that are 
carried out in the different activities carried out by the person in charge. 
It is not recommended that the same privacy notice refers to treatments in which the information to be included in it is different 
with each other, that is, where the purposes, the type of data processed or the transfers that are made are not the same, or are not 
It is possible to clearly express the information that applies or corresponds to each case. 
For example, it is recommended that the person in charge have a privacy notice for the processing of personal data carried out 
with respect to its employees, and other different ones for the treatments carried out with the information of its clients. 
7. What are the terms of the privacy notice? 
The Law, its Regulations and the Guidelines recognize and develop three types of privacy notice: comprehensive, simplified 
and short , as well as the general rules for their application. Each one is explained in section V. 
8. By what means can the privacy notice be disseminated? 
• Comprehensive and simplified privacy notice • Short privacy notice 
• Printed format. 
• Electronic or digital, for example Internet page. 
• Optical or visual, for example projection on screens or broadcast 
of posters. 
• Sound, for example by telephone. 
• Any other technology. 
9. What are the general characteristics that the privacy notice must comply with in terms of its design and presentation? 
• In minimal and limited spaces, for example the coupon from a raffle, an ATM or an SMS message. 
For the privacy notice to be an effective and practical information mechanism, it must be characterized by having a design and 
simple structure, that facilitate their understanding, with the necessary information, expressed in Spanish, and with a clear and 
understandable. This implies the following: 
5 
Page 9 
▪ Do not use inaccurate, ambiguous or vague phrases, such as “among others”, “as for example” or “in an enunciative way but not 
limiting ”. 
• Write the privacy notice based on the profile of the owners or public to whom it is addressed, for example, the language that 
would be used in a privacy notice addressed to university students would have to be different from the one that would be used in one 
intended for minors. 
• Do not include texts or phrases that induce the owner, in a deceptive or fraudulent way, to select a specific option, 
for example, “We recommend that you allow us to use your personal information without restriction, to be more 
efficient in our service ”. 
• Do not include boxes or other similar mechanisms that are previously marked, which oblige the holders to uncheck them. 
to modify the condition established there. 
Do not refer the owner to texts or documents that are not available, for example, to disabled hyperlinks or that do not contain 
the indicated information. 
10. What other obligations does the person responsible have in relation to the privacy notice? 
Any communication of personal data that the person in charge makes with managers or third parties to whom he transfers personal data, 
It must always be accompanied by the privacy notice, in order that they know the conditions to which the owner subjected the 
treatment of your information. 
The person in charge is the natural or legal person, outside the organization of the person in charge, who alone or jointly with others, processes data 
personal in the name and on behalf of the controller, for example, a service provider dedicated to the administration of a database 
of personal data that is hired by the person in charge. 
A third party is the natural or legal person, national or foreign, other than the owner, the person in charge or the person in charge, for example 
a foreign company to which a person in charge communicates the personal data for the purposes of that third party. Other 
An example could be an authority to which the controller is legally obliged to communicate personal data. 
11. Are there cases of exception for making the privacy notice available? The person in charge is not obliged to give to 
know the privacy notice in the following cases: 
• When you obtain personal data indirectly and they are intended for historical, statistical or 
scientists. 
6 
Page 10 
• When collecting information from legal entities, since in Mexico the right to personal data protection only applies 
to natural persons. 
• When you obtain personal data from individuals in their capacity as traders and professionals, for example, from a 
supplier. 
When you obtain data for the purposes of representation of natural persons who provide their services to other natural or legal persons, 
relating to the full name, position held, physical address, email, telephone and fax number, for example, a 
business card of a manager of a company or its legal representative. 
12. Who is obliged to demonstrate compliance with the obligation of the privacy notice? 
It is important to take into account that the person responsible for any eventuality, circumstance, controversy with the owner or act of 
INAI authority is obliged to demonstrate or verify that it has made the privacy notice of 
in accordance with the provisions of the Law, its Regulations and the Guidelines, through the means that it deems appropriate and that demonstrate 
Objectively fulfilling this obligation, such as procedure manuals, telephone recordings, 
photographs, evidence of facts or signatures of the holders, among others. 
7 
Page 11 
Section II. Consider the following before preparing your notice of 
Privacy 
1. Know your obligations and duties. It is suggested that before starting the elaboration of the privacy notice, you know the 
Federal Law on Protection of Personal Data Held by Private Parties, its Regulations and the Guidelines of the Notice of 
Privacy, in order to know, in a general way, the principles and duties that regulate the protection of personal data, as well as 
how to find out about the obligations established by the norm. For this, the courses that are available from 
free of charge at the INAI virtual campus (Cevinai) at: http://cevifaiprivada.ifai.org.mx/swf/intro/cevifai_intro.swf 
2. Identify the activities and / or procedures in which you use personal data. 
3. Identify how you obtain personal data. It is necessary to identify where you obtain the personal data that is processed in 
each activity and / or procedure, that is, if you obtain them personally or directly from the owner of the data, or in a 
indirect, such as through a transfer or public access source. It will also be important to identify the 
Means by which you obtain personal data in each activity and / or procedure: printed, electronic, verbal formats 
or any other technology. 
4. Identify the flow of personal data that you process. That is, the processes of obtaining, using and eliminating the data in 
each of these activities and / or procedures. 
5. Identify for what purposes you use personal data and what type of data is being processed. The processing of personal data in 
an activity and / or procedure is intended to achieve explicit purposes, that is, the treatment is carried out for certain 
objectives. The person in charge must identify these purposes. It is essential that you remember that the processing of data 
Personal will be limited to the purposes that are reported in the privacy notice. Assess whether the data you are dealing with is strictly 
necessary to achieve the intended purpose. 
8 
Page 12 
6. Identify the transfers of personal data you make. You must clearly identify for what purposes you transfer the 
personal data and to whom it communicates. The transfers are all communication of personal data carried out inside or outside 
from the country to a person other than the owner, manager or manager. If you carry out national or international transfers, 
It is suggested to review which of these will need the consent of the owner, in accordance with article 37 of the Law, which states 
cases in which the consent of the owner is not required. 
Here are some questions to help you identify important transfer issues: 
• To whom do I transfer personal data? 
• Are the recipients of the data transfers located in the national territory or outside it? 
• What is the purpose or purposes of the transfers made? 
• Is the personal data necessary to fulfill the purpose of the transfers identified? 
• How is or will the consent of the owner be obtained, if required, that is, what mechanisms, means or options 
have they arranged for it? 
7. Identify the profile of the holders of personal data. It is important that you recognize the profile of the holders of the 
personal data that it treats, in order to: 
• Where appropriate, determine particular provisions for minors, persons in a state of interdiction or disability; 
Define the means of dissemination of the privacy notice that is relevant, and 
• Find the appropriate wording of the privacy notice according to the age, school level, profession, interests, among others, of the public 
objective. 
8. Identify the mechanisms you offer for the holders to decide on their personal data. It is recommended 
identify the procedures that you already have in place to meet the requests of your customers or data owners 
personal information regarding your personal information, in order to determine the possibility of continuing with said procedures or 
adapt them to comply with the obligations established by law. Or, you must design new procedures to comply 
with the same. 
9. Think of additional information that talks about your privacy practices. Consider whether it is important to include in the 
privacy notice additional information that allows the owner to know other relevant practices that it has implemented for the 
protection of the privacy and personal data of the holders. 
9 
Page 13 
10. Write your privacy notice. It is suggested to first prepare the comprehensive privacy notice, since the information there 
contained, the simplified and / or short privacy notice may be written. 
10 
Page 14 
Section III. The content of the privacy notice 
This section lists the information that the privacy notice should contain and explains and gives examples of how to communicate it. 
Likewise, the following table leaves a space for the person in charge to do the exercise of writing the information content 
of your privacy notice, as described in the other columns: 
Informational element Content to report Wording examples Exercise 
Example for natural person: 
Dr. Juan Roberto Hernández Rodríguez, 
with address at calle Ahuehuete núm. 
519, col. University, Chihuahua, Chih., 
Mexico, CP 31106 , is responsible for the use 
and protection of your personal data, and 
In this regard informs you the following: 
Example for legal person 
Grupo Fitness, SA de RL (KV Centers), 
with address at Avenida México núm. 128, 
cabbage. Del Carmen, Coyoacán Delegation, 
CP 41000, Mexico, Federal District , is the 
Page 15 
(1) 
Identity and address of 
responsable 
Full name , if it is 
a natural person, or the 
reason or denomination 
Social with which I know 
finds constituted the 
Moral person. 
Address , the one who has 
designated responsible 
in order to hear Y receive 
notifications. The data to 
include are the following: 
Street; outside number and, in 
your case, interior; Suburb; 
town; municipality or 
eleven 
Informational element Content to report Wording examples Exercise 
responsible for the use and protection of your data 
personal information, and in this regard informs you 
following: 
For what purposes will we use your data 
personal? 
The personal data that we collect from you, 
We will use them for the following purposes 
that are necessary for the service you request: 
[List of main purposes] 
Additionally, we will use your 
personal information for the following 
purposes that are not necessary for the 
requested service, but that allow us and 
make it easier to provide you with better care: 
[List of secondary purposes] 
Page 16 
(two) 
The purposes of treatment 
delegation; entity 
federative, and postal code. 
Note: I know recommends 
also include the name 
commercial with which the 
responsible is identified 
or commonly known by 
the general public . 
The identification of 
purposes responds to the 
question: what will they be for 
treaties the data 
personal? These 
purposes are translated into 
the specific uses that 
I know you give to to the 
personal information . 
To meet this 
information content, 
shall: 
1. Identify each of 
the purposes for 
which will the 
data personal. 
They must be concrete and 
determined, that is, 
12 
Informational element Content to report Wording examples Exercise 
point out promptly and 
without room for vagueness, 
each of the uses that 
the data will be given 
personal. 
Examples of 
purposes 
determined, "in order to 
verify and confirm your 
identity and situation 
patrimonial"; "in order to 
manage and operate 
services and products 
bank requesting or 
contract with us ”; 
"To carry out the 
student enrollment in 
our school system ”; 
"For creation, study, 
analysis, update and 
conservation of 
medical records". A 
example of purpose 
ambiguous would: "in order to 
provide the services and 
products we offer, 
as well as activities 
related ”.
13 
Page 17 
Informational element Content to report Wording examples Exercise 
two. Distinguish Come in 
main purposes 
Y high schools or 
accessory. The 
main purposes are 
those that give rise and are 
necessary to carry 
out and hold 
legal relationship between 
responsible and the owner, 
those that do not comply with 
this condition is the 
secondary or accessory. 
For example, a person 
provides your data to 
a hospital to be performed 
surgery, and in turn 
this hospital want 
use data from 
patient to generate a 
profile on your consumption 
health services. On 
in this case, the purpose 
main treatment 
It is related to the 
surgery to be performed on 
data holder 
personal, while 
the accessory purpose or 
14 
Page 18 
Informational element Content to report Wording examples Exercise 
secondary would be the profile 
you want to make the 
hospital. 
3. Expressly indicate 
when using the 
personal data with 
marketing purposes, 
advertising or from 
commercial prospecting. 
Note: Use should be avoided 
of ambiguous phrases or 
inaccurate What: "Come in 
other purposes ”, "from 
enunciative but not 
limiting ”, "etc", 
"Such as" or "other 
analogous purposes ”. 
(3) 
The mechanisms for that the holder can express your refusal 
Holders have the right 
to not grant its consent for the 
treatment of your data 
Example of how to write this content information when the mechanism for express the negative DO NOT be your own privacy notice and it is made known 
in order to purposes 
personal in order to 
personally to the owner through a medium 
printed: 
For what purposes will we use your data 
personal? 
Page 19 
secondary or accessory 
secondary purposes or 
accessory. 
fifteen 
Informational element Content to report Wording examples Exercise 
The personal data that we collect from you, 
We will use them for the following purposes 
that are necessary for the service you request: 
• Main purpose A 
• Main purpose B 
• Main purpose c 
Additionally, we will use your 
personal information for the following 
purposes that are not necessary for the 
requested service, but that allow us and 
make it easier to provide you with better care: 
• Secondary purpose A 
• Secondary purpose B 
In case you do not want your data 
personal are treated for these purposes 
additional, you can present from this 
moment a writing in this branch, 
stating the above. Request the format 
corresponding to your executive. 
The refusal to use your personal data 
for these purposes it cannot be a reason 
so that we deny you services and products 
that you request or contract with us. 
Page 20 
On that sense, the 
responsible must inform 
in the privacy notice the 
mechanism what have 
enabled for the 
holder, if you wish, you can 
express your refusal to 
treatment of your data 
personal for all or 
some of the purposes 
secondary or accessory. 
This mechanism must be 
available to the owner 
prior to your information 
staff be treated for 
said purposes. 
For example, if the data 
personal I know collect 
directly at the branch 
of the person in charge and right there 
is made available to 
Headlines the notice from 
privacy, a mechanism 
suitable for the case that 
it concerns us, it would be a list 
exclusion, in which the 
holder can register his 
negative for your data 
personal are treated 
16 
Informational element Content to report Wording examples Exercise 
Example of how to write this content 
information when the mechanism for 
express the negative DO NOT be your own 
privacy notice and it is made known 
to the holder via the Internet: 
For what purposes will we use your data 
personal? 
[…] 
In case you do not want your data 
personal are treated for these purposes 
additional click here and fill out the form 
correspondent. 
The refusal to use your personal data 
for these purposes it cannot be a reason 
so that we deny you services and products 
that you request or contract with us. 
Example of how to write this content 
information when the mechanism for 
express the negative DO NOT be your own 
privacy notice and it is made known 
to the owner by phone: 
For what purposes will we use your data 
personal? 
[…] 
In case you do not want your data 
personal are treated for these purposes 
Page 21 
in order to the purposes 
high schools advertised in 
the privacy notice. 
Other example, Yes the 
responsible collects data 
personal through 
Internet and by that means 
makes the knowledge of the 
Headlines the notice from 
privacy, a mechanism 
suitable would be a link 
in which the holder could 
enter your data in order to 
that your personal information 
do not treat for 
secondary purposes that 
do not want. 
Now when the notice 
privacy is not done 
of the knowledge of 
headline from way 
personal or direct , like 
for example in your shipment by 
postal mail, the notice of 
privacy must contain 
a statement 
indicating that the holder 
has a term of 5 days 
17 
Informational element Content to report Wording examples Exercise 
additional dial number 2 and provide 
the information requested below. The 
refusal to use your personal data 
for these purposes it cannot be a reason 
so that we deny you services and products 
that you request or contract with us. 
Example of how to write this content 
information when the mechanism for 
express the refusal is the notice itself 
Of privacy: 
For what purposes will we use your data 
personal? 
[…] 
In case you do not want your data 
personal are used for these purposes, 
Please indicate below: 
I do not consent to my personal data being 
used for the following purposes: 
□ Secondary purpose A 
□ Secondary purpose B. 
The refusal to use your personal data 
for these purposes it cannot be a reason 
so that we deny you services and products 
that you request or contract with us. 
Page 22 
skillful so that, to be 
the case, state your 
negative in order to the 
treatment or 
taking advantage of their 
personal data for 
secondary purposes. 
18 
Informational element Content to report Wording examples Exercise 
(4) 
Personal information treaties 
The list from data personal must be 
complete , Y can show up at anyone 
of the following two 
modalities: 
1. Identifying each one of the data 
personal that I know 
will try, or, 
two. Listing the categories to which 
data belong 
personal that will be 
treaties. To count on 
a reference on 
categories from data 
An example of how it might be worded This information content is the 
following: 
What personal data do we collect and we use about you? 
To carry out the purposes described in the this privacy notice, we will use the 
following personal data: full name, age; sex; address; phone and mail 
electronic individuals; autograph signature; Photography; current job; phone number and work email, and number of 
credit card. 
Example in which the 
categories to which the data belongs personnel treated: 
personal, I know 
What personal data do we collect and 
we use about you? 
To carry out the purposes described in the 
this privacy notice, we will use 
personal identification data, contact, 
labor and property. 
Page 23 
recommends reviewing the 
Glossary. 
Note: Avoid 
utilization from phrases 
ambiguous such as: “between 
others", "from way 
declarative more not 
limiting ”,“ for example ”, 
"for to mention alone 
some "," etcetera ", or others 
19 
Informational element Content to report Examples of drafting 
phrases Similar what 
imply that the list of 
data personal or 
categories is not complete. 
It is suggested that the modality 
of data category 
personal only use 
when to list each data 
is very extensive and 
hinder shaping and 
reading of notice from 
Privacy. 
Exercise 
What data sensitive personnel 
will we use? 
In addition to the personal data mentioned 
above, for the purposes reported 
in this privacy notice we will use 
the following personal data considered 
as sensitive, requiring special 
protection: diseases you suffer from, allergies 
and medications you take at the time of 
get your membership; religion that practices and 
political party in which you are active or with 
sympathize. 
Page 24 
(5) 
The pointing data express 
sensitive personnel that they treat 
In the privacy notice 
must expressly state 
Personal information 
sensitive that are treated, what 
which can be fulfilled to 
through two modalities: 
1. Identifying each 
one from the data 
sensitive personnel, or 
well, 
two. Listing the 
categories to which 
data belong 
sensitive personnel. In order to 
have a referral 
twenty 
Informational element Content to report Wording examples Exercise 
about some categories 
from data personal 
sensitive is recommended 
review the Glossary . 
Note: When not treated 
data personal 
sensitive , it is recommended 
indicate it. 
It is suggested that the modality 
of data category 
sensitive personnel only 
be used when listing 
each piece of information is very 
extensive and difficult 
conformation and reading of 
Notice of Privacy. 
It is important to remember that 
data processing 
sensitive personnel demands 
the obtaining of 
express consent and 
in writing from the owner, to 
through from its firm 
autograph, electronic or 
any other mechanism 
that for this purpose 
established, unless 
twenty-one 
Page 25 
Informational element Content to report Wording examples Exercise 
present any of the 
exceptions provided in the 
Article 10 of the Law. 
Yes choose obtain the 
consent for the 
treatment from data 
personal sensitive to 
through of notice from 
Privacy, the clause 
must be written in 
proper way to 
meet the requirement of 
that consent is 
expressly and in writing, as 
for example: 
I give my consent 
in order to what my data 
sensitive personal be 
treated in accordance with 
noted in the present 
Notice of Privacy. 
Name and handwritten signature 
of the holder 
22 
Page 26 
Informational element Content to report Wording examples Exercise 
(6) 
Transfers of 
personal data that 
Regarding transfers, the privacy notice must report the following: 
Example of how this can be written 
l 
information content under the assumption 
from what the responsable makes 
in your case they are carried out 
1. Yes are made 
transfers. 
2. Who do you 
transfer the data 
personal , that is, the 
third party recipients or 
recipients of the data 
personal. Can 
done in two ways: 
• Identifying 
transfers national and international what require and consent of the owner: 
With whom do we share your information and 
for what purposes? 
We inform you that your personal data are 
shared inside and outside the country with 
following people, companies, organizations 
and authorities other than us, for the 
following purposes: 
specifically to each for his 
full name yes 
It is a 
Addressee of the data personal 
Country (optional) 
Purpose 
natural person, or by the denomination or company name when be a person 
moral, or 
• Indicating the type or third party category 
Secretary of 
Health of District 
Federal 
Mexico For him fulfillment of 
obligations 
sanitary that 
imposes the 
Law […] 
For him 
offering of 
the services that 
lend said 
Page 27 
receiver, by 
example, authorities Mexican prosecutors, institutions 
Health Network 
Saint 
Francisco, 
California, 
USA 
2. 3 
Informational element Content to report Wording examples Exercise 
center, as well as 
promotions 
specials (*) In 
your case, for 
perform the 
formalities from 
record e 
inscription, 
when you 
decide to take the 
courses 
specialized 
that offers the 
center. 
Mexico For him 
offering of 
the services that 
lend saying 
center, as well as 
promotions 
specials (*) 
In your case, for 
perform the 
formalities 
corresponding 
for the 
intervention of 
insurance. 
Page 28 
banks, agencies 
travels, 
insurers, 
institutions from social care. 
3. In order to what specific purposes 
the data will be processed 
transferred. 
Four. In addition, it must 
identify those purposes for which 
I know require the consent of the owner, 
for not being in the 
assumptions provided in the 
Article 37 of the Law. 
Super Sport 
Center 
His 
insurance carrier 
24 
Informational element Content to report Wording examples Exercise 
Your bank In your case, for 
make the payment 
from our 
services with 
card from 
credit. 
For transfers indicated with a 
asterisk (*) we require to obtain your 
consent. 
Example of a clause for consent 
unspoken : 
With whom do we share your information and 
for what purposes? 
[…] 
We inform you that for transfers 
indicated with an asterisk (*) we require 
obtain your consent. If you do not 
manifests its negative in order to said 
transfers, we will understand that you have 
granted. 
I do not authorize my personal data to be 
shared with the following third parties: 
□ […] 
□ […] 
Page 29 
(7) 
The clause that indicates if the owner accepts or not the transference 
when required 
When they are going to take place 
data transfers 
personnel that require the 
consent of the owner, 
must include a clause 
that allows the holder to indicate 
Yes you accept or not the 
transfer from its 
personal information. 
In your writing, you must 
take into account the type of 
data to transfer 
(patrimonial, financial, 
sensitive, or other), for 
what get the 
consent according 
applicable: express, 
25 
Informational element Content to report Wording examples Exercise 
Example of a clause for consent 
express: 
With whom do we share your information and 
for what purposes? 
[…] 
We inform you that for transfers 
indicated with an asterisk (*) we require 
obtain your express consent: 
I grant my consent for the following 
transfers of my personal data: 
□ […] 
□ […] 
Example of a clause for consent 
expressly and in writing: 
With whom do we share your information and 
for what purposes? 
[…] 
We inform you that for transfers 
indicated with an asterisk (*) we require 
obtain your express consent and by 
written: 
I grant my consent for the following 
transfers of my personal data: 
□ […] 
□ […] 
Page 30 
expressly and in writing or 
tacit. 
Note: In case not 
make transfers, 
suggests pointing it out in the notice 
Of privacy. 
26 
Informational element Content to report Wording examples Exercise 
Name and signature of the holder: 
______________________________ 
(8) 
The media and the 
The privacy notice must 
inform the media and 
procedures that he 
Example of the writing model that could be used by the person in charge when I choose to describe punctually 
process in order to 
exercise rights BOW 
responsable ha implemented so that 
Headlines exercise the ARCO rights. About, 
it should be noted: 
1. The media enabled to receive 
the requests from ARCO rights. 
two. The process 
settled down to give 
attention to requests, 
pointing out, at least, the 
Next information: 
▪ How to prove the 
owner's identity 
in the privacy notice the procedure 
enabled to attend requests 
ARCO rights: 
How can you access, rectify or cancel your personal data, or oppose their use? You have the right to know what data 
personal information we have of you, why we use and the conditions of use that 
we give (Access). It is also your right 
request correction of your information 
staff in case it is out of date, 
is inaccurate or incomplete (Rectification); what remove it from our records or databases data when you consider that it is not 
being used in accordance with the principles, Duties and obligations provided for in the regulations (Cancellation); as well as opposing the use of your personal data for purposes 
specific (Opposition). These rights are 
known as ARCO rights. 
Page 31 
and, where appropriate, that of your 
representative, So 
like personality 
from the last batch; 
27 
Informational element Content to report Wording examples Exercise 
For the exercise of any of the rights 
ARCO, you must submit the request 
in [Describe the media]. 
The procedure and requirements for the exercise 
of these rights is the following: [Description 
of the procedure]. 
The contact details of the person or 
department that will process applications 
for the exercise of ARCO rights, as well 
how to answer any questions you may have 
regarding the treatment of your information are 
the following: 
Privacy Department , with address at 
[…], Email […] and telephone number 
[…]. 
A writing model when the 
responsable decide not include the 
description of the procedure, but 
provide media information 
available for the owner to know: 
How can you access, rectify or cancel 
your personal data, or oppose their use? 
You have the right to know what data 
personal information we have of you, why 
we use and the conditions of use that 
Page 32 
• Information that 
must accompany 
application; 
▪ Maximum term 
response; 
• Media in order to give 
answer to the 
request; 
• Means of 
reproduction of 
personal information 
requested (copy 
simple, CD, access in 
site, among others); 
• Forms, systems 
Y other methods 
simplified for 
facilitate the exercise of 
rights, where appropriate, 
Y 
• Other peculiarities 
that I consider 
convenient to give to 
know. 
3. The data from 
ID Y 
contact person 
28 
Informational element Content to report Wording examples Exercise 
or department of 
data personal, 
as: full name and 
position of the natural person, 
or the Name of Department, the direction Postcard, the phone number, mail 
electronic, among others. 
The obligation to inform 
about the procedure 
enabled for exercise 
of ARCO rights and its 
requirements, can be met 
two ways: 
1. Detailing the information in the body 
of the notice, or 
two. Informing the medium 
through which the holder 
may know the respective procedure, 
through a number 
telephone, mail electronic or going 
directly to a branch of the person in charge, 
among others. 
we give (Access). It is also your right 
request correction of your information 
staff in case it is out of date, 
is inaccurate or incomplete (Rectification); what 
remove it from our records or databases 
data when you consider that it is not 
being used in accordance with the principles, 
Duties and obligations provided for in the 
regulations (Cancellation); as well as opposing the 
use of your personal data for purposes 
specific (Opposition). These rights are 
known as ARCO rights. 
For the exercise of any of the rights 
ARCO, you must submit the request 
in [Describe the media]. 
To know the procedure and requirements for 
the exercise of ARCO rights, you may 
call the following telephone number […]; 
enter our website […] at 
section […], or contact 
our Privacy Department, which will give 
processing of applications for the exercise of 
these rights, and will answer any questions that 
may have regarding the treatment of your 
information. The contact details are the 
following: 
[Address, telephone, email of 
data department or person].
29 
Page 33 
Informational element Content to report Wording examples Exercise 
Note: The media that is 
choose for the exercise of 
ARCO rights, as well as 
to report on the 
respective procedure, 
must be easily accessible, 
free and with the largest 
possible coverage for 
Headlines, considering 
factors such as the profile of 
these and the channels with 
what I know maintains 
communication regularly. 
Example of the writing model that 
could be used by the person in charge 
when he chooses to punctually describe 
in the privacy notice the procedure 
that you have instrumented for care and 
management of revocation requests 
of consent: 
How can you revoke your consent 
for the use of your personal data? You 
You can revoke the consent that, in your 
case, you have granted us for the treatment of 
your personal information. However, it is 
important to note that not in 
in all cases we will be able to attend your request or 
Page 34 
(9) 
The mechanisms and procedures for 
that, in your case, the holder can revoke your consent to 
treatment of their personal information 
The privacy notice must 
describe the mechanisms and 
procedures that have 
implemented for it. On 
that sense must contain 
the next information: 
1. The media 
enabled to receive 
the requests from 
revocation of 
consent. 
two. The process 
to give attention and 
30 
Informational element Content to report Wording examples Exercise 
answer to said requests, pointing, to the 
less, the following information: 
• The way of accrediting 
the identity of the owner 
terminate use immediately, as it is 
possible that due to some legal obligation we require to continue treating your data personal. Also, you should consider 
that for certain purposes, the revocation of your consent will imply that we cannot 
and, where appropriate, that of your representative, 
as well as the 
personality of this 
latest. 
• The information or 
documentation that 
must accompany 
application; 
• The maximum term of 
answer, and 
• The means to give 
answer to the 
request. 
The obligation to inform 
about the procedure 
enabled and its requirements, 
can be fulfilled of two 
shapes: 
continue to provide the service you requested, or 
the conclusion of your relationship with us. 
To revoke your consent you must 
submit your request in [Describe the media]. 
The procedure and requirements for revocation 
of consent is as follows: 
[Procedure description]. 
A model for writing the present 
element informative when the responsable decide not include the description of the procedure for 
revocation of consent, but in 
change provide information about the 
means available for the holder 
know this procedure, it is the 
following: 
How can you revoke your consent 
for the use of your personal data? You 
You can revoke the consent that, in your 
case, you have granted us for the treatment 
Page 35 
• Detailing the 
information in the 
body of the notice, or 
well 
31 
Informational element Content to report Wording examples Exercise 
of your personal data. However, it is 
important to note that not in 
in all cases we will be able to attend your request or 
terminate use immediately, as it is 
possible that due to some legal obligation 
we require to continue treating your data 
personal. Also, you should consider 
that for certain purposes, the revocation of your 
consent will imply that we cannot 
continue to provide the service you requested, or 
the conclusion of your relationship with us. 
To revoke your consent you must 
submit your request in [Describe the media]. 
To know the procedure and requirements for 
revocation of consent, you may 
call the following telephone number […]; 
enter our website […] at 
section […], or contact 
our Privacy Department. 
How can you limit the use or disclosure 
of your personal information? 
In order for you to limit the use and 
disclosure of your personal information, 
we offer the following means: 
Page 36 
(10) 
Options and means that the responsible offer headlines 
to limit the use or 
Informing the medium to 
through which the holder 
may know the 
respective procedure, 
for example through a 
phone number, mail 
electronic or going 
directly to a 
branch of the person in charge, 
among others. 
Note: The media that is 
choose for the revocation of the 
consent, as well as 
to report on the 
respective procedure, 
must be easily accessible, 
free and with the largest 
possible coverage for 
Headlines, considering 
factors such as the profile of 
these and the channels with 
what I know maintains 
communication regularly. 
East contents from 
information refers to 
options and means that the 
responsable places to 
holder disposition 
32 
Informational element Content to report Wording examples Exercise 
• Your registration in the Registry 
Public to Avoid Advertising, which 
is in charge of the Attorney General's Office 
Federal Consumer, with the 
purpose of your data 
personal are not used for 
receive advertising or promotions from 
goods or services companies. 
For more information about this 
registration, you can check the 
PROFECO Internet portal, 
or get in direct contact 
with this. 
• Your registration in the list of 
exclusion "[List name]", to 
so that your personal data is not 
be treaties in order to purposes 
marketing, advertising or 
commercial prospecting by our 
part. For more information 
call the telephone number […], 
send an email to 
next address […], or 
consult our page 
Internet […]. 
Page 37 
disclosure of their personal information 
so that they can 
limit use or disclosure 
of personal data, which 
are different from the exercise of 
ARCO rights and the 
revocation of 
consent, What 
They may be: 
• The reference in order to 
register in the Registry 
Public to Avoid 
Advertising, (PROFECO), 
or the Public Registry of 
Users, (CONDUSEF). 
• Exclusion lists 
(for definition see 
Glossary) created by the 
responsible or those who 
this one belongs. I know 
must include name 
of list, the 
purposes for 
which is applicable 
exclusion and, where appropriate, 
the channel enabled for 
that the holder can 
obtain higher 
information about it. 
33 
Informational element Content to report Wording examples Exercise 
The means enabled to 
what the headline may 
express your refusal to 
follow, continue receiving 
releases or promotions 
by the person in charge, 
as: a link at the end of 
email or a 
phone number. 
The use of tracking technologies in our 
Internet portal 
We inform you that on our page 
Internet we use cookies, web beacons and 
other technologies through which it is 
possible to monitor their behavior as 
Internet user, provide you with a better service 
and user experience when browsing our 
page, as well as offer you new products and 
services based on your preferences. 
The personal data we obtain from these 
Tracking technologies are as follows: 
sailing schedule, sailing time 
on our website, sections 
consulted, and Internet pages accessed 
prior to ours. 
Likewise, we inform you that your data 
personal data obtained through these 
Page 38 
(eleven) 
The use of cookies, web beacons or any 
other similar technology or analogous 
When the responsible 
use mechanisms (cookies 
and web beacons, among others) 
in media such as the Internet, 
that allow you to collect 
personal data so 
automatic and simultaneous, 
time a user does 
contact with them, 
is obliged to report what 
following: 
• Personal data 
that are obtained at 
through from these 
technologies. 
• The purposes of 
treatment of 
personal data that 
are obtained. 
3. 4 
Informational element Content to report Wording examples Exercise 
• Yes I know perform transfers of these 
personal information. 
• The shape from disable them, except 
those what for technical issues be 
necessary for own 
operation of the 
website or 
system in question. 
These are considered 
technologies process data 
personal when it is possible to identify or make 
identifiable to the holder of the 
technologies we will share with the 
following people, companies, organizations or authorities other than us, for the 
following purposes: 
Recipient of the data 
personal Purpose Third receiver Purpose Third receiver Purpose Third receiver Purpose 
These technologies may be disabled 
by following these steps: 1. Access 
our website, section “Terms 
information what I know 
and site conditions ”, subsection“ Cookies ”; 
stores, it serves in order to 
2. Click on the "Cookies" subsection; 3. Read 
the warning message about 
disabling cookies, and 4. Click on the 
legend to activate the mechanism 
disabling cookies. 
For more information on the use of these 
technologies, you can consult the website 
[…]. 
Page 39 
generate profiles or make 
data crossing, among others 
purposes. 
For further reference of the 
terms cookies and web 
beacons can be consulted 
the Glossary . 
Note: East element 
informative only is 
35 
Informational element Content to report Wording examples Exercise 
necessary when I know 
collect personal data in 
line, and hereby give 
to know the notice of 
Privacy. 
In addition to including this 
information in the notice of 
privacy, the responsible 
must report on the use 
of these technologies and 
how they can be 
disable in your portal 
Internet, at the moment 
users make contact 
with himself, with a 
communication or warning 
placed in a conspicuous place. 
How can you know the changes to this 
Notice of Privacy? 
This privacy notice may suffer 
modifications, changes or updates 
derived from new legal requirements; from 
our own needs for the products 
or services we offer; of our 
privacy practices; of changes in our 
business model, or for other reasons. 
Page 40 
(12) 
Procedures and 
means by which 
the responsable will communicate to the headlines the changes 
in the notice of 
Privacy 
To keep the 
privacy notice, the 
responsible is obliged to 
inform the media and 
process 
implemented to give 
know any changes or 
upgrade. 
It is only necessary to include the 
information the 
36 
Informational element Content to report Wording examples Exercise 
We promise to keep you informed 
about the changes that the present may undergo 
privacy notice, through [Description of 
half]. 
The procedure through which they will be carried out 
notifications about changes or 
updates to this privacy notice 
It is as follows: [Description of the procedure]. 
Page 41 
procedure, when the 
means to publicize the 
changes not I know direct 
directly to each holder, 
such as: a 
publication on the page 
Internet. 
Note: Changes or 
modifications on the 
following items must 
result in a new notice 
of privacy, to be had 
to make known to 
holders when: 
• Change the identity of the 
responsable. 
• The person in charge requires 
collect personal data 
sensitive, patrimonial or 
financial additional to 
those informed in the 
Notice of Privacy 
original, when 
themselves are not obtained from 
personal or direct way 
of the holder and the 
consent. 
37 
Informational element Content to report Wording examples Exercise 
• Change the purposes 
that originated or are 
necessary in order to the 
legal relationship between 
responsible and the owner; or 
well, I know incorporate 
new ones that require the 
consent of the owner. 
• It modify the 
terms from the 
transfers or leave 
to make transfers 
not originally planned, 
and the consent of the 
holder as necessary. 
38 
Page 42 
Section IV. Good practices 
This section presents the informative content that is recommended to be included in the privacy notice, as good practices. 
Informational element Content to report Writing example Exercise 
We inform you that it is from 
our special interest to take care 
the personal information of 
minors and people in 
interdiction status and 
different capacities in 
terms of law, through the 
establishment of measures 
specific, such as: 
• The obtaining of 
consent of the 
parents and guardians by 
middle of […], for the 
data processing 
personal of this group 
of people. 
• Verification of the 
authenticity of 
consent 
Page 43 
1. The forecasts specials in order to the treatment from data personal minors and 
people with disabilities 
or in a state of interdiction 
Concrete actions and measures 
special that, where appropriate, 
have implemented the 
responsible for ensuring 
personal data protection 
minors and 
people in state of 
interdiction and with capabilities 
different determined by 
law. This in order that 
the owner has knowledge 
on practices regarding 
these vulnerable groups. 
39 
Informational element Content to report Writing example Exercise 
granted by parents 
or tutors, requesting 
[…]. 
The implementation and 
maintenance from 
security measures 
stricter for the purpose of 
to assure the 
confidentiality of 
minors and this group of 
people. 
If you consider that your 
right to protection of their 
personal data has been 
injured by some behavior 
or omission on our part, or 
presumes some violation of 
provisions provided in the 
Federal Law for the Protection of 
Personal Data in Possession 
from the Individuals, its 
Regulation Y the rest 
ordinances applicable, 
may interpose its 
disagreement or complaint before 
the National Institute of 
Transparency, Access to 
Information and Protection of 
Personal Data (INAI). In order to 
Page 44 
2. Information about the INAI 
The name of the authority 
in charge of watching over the 
effective protection of your 
personal data, as well as 
receive complaints or reports 
when you consider that your 
right has been violated. 
40 
Informational element Content to report Writing example Exercise 
higher information, you 
we suggest visiting their page 
official from Internet 
www.inai.org.mx . 
Consent example 
expressly and in writing: 
□ I give my consent 
so that my personal data 
are treated in accordance with 
indicated in this notice 
Of privacy. 
-------------------------- 
Name and handwritten signature 
of the holder 
Consent example 
express: 
□ I give my consent 
so that my personal data 
are treated in accordance with 
indicated in this notice 
Of privacy. 
Page 45 
3. A clause for 
get consent 
express or express and by letter of the holder, of agree to the terms and conditions provided in the Notice of Privacy 
When required in 
terms of the Law, and the 
responsible decide to get the 
express consent or 
express and in writing of the owner 
through the notice of 
privacy, we recommend 
inclusion of a clause for 
obtaining this type of 
consent 
41 
Section V. Modalities of the privacy notice 
The privacy notice can be presented in three forms: comprehensive, simplified and short. Each of them has content 
different and general rules for their application, which are explained below: 
Modality Informative content Cases in which it is used 
When the data is collected personally from the 
holder, that is, with the physical presence of the latter 
before the person in charge. 
When personal data is obtained from 
direct way of the holder, for example, to 
through the Internet or by phone. 
Page 46 
Comprehensive privacy notice All the items described in the 
section III of this document. 
Simplified privacy notice 1. The identity and address of the person in charge; two. 
The purposes of the treatment, distinguishing 
those that gave rise to and are necessary for the 
legal relationship between owner and manager, of 
those that are not; 
3. The mechanisms so that the holder can 
previously express your refusal for the 
processing of your personal data regarding 
those secondary or accessory purposes, and 
4 . The mechanisms for the holder to know 
the comprehensive privacy notice. 
42 
Modality Informative content Cases in which it is used 
Short privacy notice 1. The identity of the person in charge; two. The address of the person in charge; 
3. The purposes of the treatment, without 
it is necessary to distinguish the purposes 
secondary or accessory, and 
Four. The mechanisms for the holder 
know the comprehensive privacy notice. 
IMPORTANT: Although the person in charge makes the privacy notice available to the owners in its simplified or short, you are obliged to have the comprehensive privacy notice permanently and complementary to these modalities, to 
Through the means that it considers convenient and that allow its timely consultation. For the determination of the means for 
When the space used to obtain 
personal data is minimal and limited, of such that the personal information collected or the space for the diffusion or reproduction of the privacy notice are also, as 
could be the case of coupons or tickets for a raffle or raffle, or the ATM or a 
SMS message. 
disclose the comprehensive privacy notice, those that are easily accessible to the holders and with the greatest coverage should be privileged 
possible, considering factors such as their profile and the channels with which communication is maintained regularly. 
43 
Page 47 
Section VI. Privacy notice templates 
This section shows models of privacy notice in its comprehensive, simplified and short modalities. 
Model A. Comprehensive privacy notice 
NOTICE OF PRIVACY 
[ Full name of the person in charge if it is a natural person, or name or company name in case of being a 
Moral person. In your case, it is suggested to include the commercial name ] , with address at [ indicate street, number, neighborhood, 
city, municipality or delegation, postal code and federative entity of the address to hear and receive notifications ] , is the 
responsible for the use and protection of your personal data, and in this regard we inform you of the following: 
For what purposes will we use your personal data? 
The personal data that we collect from you, we will use for the following purposes that are necessary for the service 
requesting: 
• Main purpose A 
• Main purpose B 
• Main purpose C 
Additionally, we will use your personal information for the following purposes that are not necessary for the service 
requested, but that allow and facilitate us to provide you with better care: 
• Secondary purpose A 
44 
Page 48 
• Secondary purpose B 
In case you do not want your personal data to be processed for these additional purposes, from this moment you can 
communicate the above, [description of the mechanism implemented by the person in charge. Note: the mechanism of that 
in question must allow the owner to deny their consent prior to their personal data being processed for these 
purposes]. 
The refusal to use your personal data for these purposes may not be a reason for us to deny you services and 
products that you request or contract with us. 
What personal data will we use for these purposes? 
To carry out the purposes described in this privacy notice, we will use the following personal data: [list 
of personal data or its categories. For examples of categories see the Glossary]. 
In addition to the personal data mentioned above, for the purposes reported in this privacy notice 
We will use the following personal data considered sensitive, which require special protection: [list of data 
sensitive personnel or their categories. For example of categories see the Glossary]. 
With whom do we share your personal information and for what purposes? 
We inform you that your personal data is shared within and outside the country with the following people, companies, 
organizations and authorities other than us, for the following purposes: 
Purpose 
Purpose description 
Description of the purpose * 
Description of the purpose * 
Page 49
Addressee of the personal information 
Name of the third party recipient or sector to which it belongs 
Name of the third party recipient or sector to which it belongs 
Name of the third party recipient or sector to which it belongs 
Country 
(optional) 
Four. Five 
We inform you that for transfers indicated with an asterisk (*) we require your consent. If you do not 
You express your refusal for said transfers, we will understand that you have granted it to us [This only applies to consent 
tacit]. 
I do not authorize that my personal data be shared with the following third parties [NOTE: this example of clause 
corresponds to a tacit consent. For examples of clauses in which express consent is required 
and expressly and in writing, see numeral 7 of section III] : 
□ [Transfer 1]. 
□ [Transfer 2]. 
How can you access, rectify or cancel your personal data, or oppose its use? 
You have the right to know what personal data we have about you, what we use it for and the conditions of use that it 
we give (Access). Likewise, it is your right to request the correction of your personal information if it is outdated, be it 
inaccurate or incomplete (Rectification); that we remove it from our records or databases when it considers that it is not 
It is being used in accordance with the principles, duties and obligations set forth in the regulations (Cancellation); as well as oppose 
to the use of your personal data for specific purposes (Opposition). These rights are known as ARCO rights. 
To exercise any of the ARCO rights, you must submit the respective request in [Describe the media]. 
To know the procedure and requirements for the exercise of ARCO rights, you can call the following telephone number 
[…]; enter our website […] to section […], or contact our Privacy Department, 
that will process the requests for the exercise of these rights, and will answer any questions you may have regarding the 
treatment of your information. The contact details of the Privacy Department are as follows: 
[Address, phone, email of the data department or the person]. 
How can you revoke your consent to the use of your personal data? 
You can revoke the consent that, where appropriate, you have given us for the processing of your personal data. However, 
It is important that you bear in mind that not in all cases we will be able to respond to your request or terminate the use immediately, 
since it is possible that due to some legal obligation we require to continue treating your personal data. Also, you must 
46 
Page 50 
consider that for certain purposes, the revocation of your consent will imply that we cannot continue to provide the service that 
requested us, or the termination of your relationship with us. 
To revoke your consent, you must submit your request at [Describe the media]. 
To know the procedure and requirements for the revocation of consent, you can call the following telephone number 
[…]; enter our website […] in section […], or contact our Privacy Department. 
How can you limit the use or disclosure of your personal information? 
In order for you to limit the use and disclosure of your personal information, we offer you the following means: 
• Your registration in the Public Registry to Avoid Publicity, which is in charge of the Federal Consumer Prosecutor's Office, with 
the purpose that your personal data is not used to receive advertising or promotions from companies of goods or 
services. For more information on this registry, you can consult the PROFECO Internet portal, or 
get in direct contact with it. 
• Your registration in the exclusion list "[Name of the list]", so that your personal data is not processed for purposes 
marketing, advertising or commercial prospecting on our part. For more information call the number 
telephone […], send an email to the following address […], or consult our website […]. 
The use of tracking technologies on our Internet portal 
We inform you that on our website we use cookies , web beacons and other technologies through which it is 
possible to monitor your behavior as an Internet user, as well as provide you with a better service and user experience by 
browse our page. 
The personal data that we obtain from these tracking technologies are the following: [description of personal data], same 
that we use for [purpose description]. Likewise, we inform you that we will share this data with: 
Purpose 
Purpose description 
Page 51 
Addressee of the personal information 
Name of the third party recipient or sector to which it belongs 
Country 
(optional) 
47 
Name of the third party recipient or 
sector to which it belongs 
Name of the third party recipient or 
sector to which it belongs 
These technologies can be disabled by following the following steps: [description of the procedure]. 
For more information on the use of these technologies, you can consult the Internet site […] 
How can you know the changes to this privacy notice? 
This privacy notice may undergo modifications, changes or updates derived from new legal requirements; 
of our own needs for the products or services we offer; of our privacy practices; of changes in 
our business model, or for other reasons. 
We promise to keep you informed about the changes that this privacy notice may undergo, through 
[description of the medium]. 
The procedure through which notifications about changes or updates to this privacy notice will be carried out 
It is as follows: [description of the procedure]. 
Last update [day / month / year]. 
Page 52 
Model B. Simplified privacy notice 
NOTICE OF PRIVACY 
Purpose description 
Purpose description 
48 
About us? [ Full name of the person in charge, if it is a natural person, or name or company name in case of being a legal person. It is suggested, where appropriate, to include the 
commercial name ] , with address at [ indicate street, number, neighborhood, city, municipality or 
delegation, postal code and federative entity of the address to hear and receive 
notifications ] , is responsible for the use and protection of your personal data, and in this regard 
We inform you the following: 
The personal data that we collect from you, we will use for the following purposes that 
are necessary for the service you request: 
• Main purpose A 
• Main purpose B 
• Main purpose C 
Additionally, we will use your personal information for the following purposes that 
are not necessary for the requested service, but that allow and facilitate us to provide you with a 
better attention: 
• Secondary purpose A 
• Secondary purpose B 
In case you do not want your personal data to be processed for these additional purposes, 
from this moment you can communicate the above, [description of the mechanism that 
have the responsible in place. IMPORTANT: the mechanism to which it is made 
reference must allow the owner to express his refusal prior to treatment 
of your information]. 
Page 53 
The refusal to use your personal data for these purposes may not be a reason for 
that we deny the services and products that you request or contract with us. 
In order to what we will use their personal? 
purposes 
data 
49 
To learn more about the terms and conditions in which your data will be processed 
personal information, such as the third parties with whom we share your personal information and how we 
You can exercise your ARCO rights, you can consult the comprehensive privacy notice at [describe 
media]. 
Page 54 
Where can you consult the 
Notice of Privacy 
integral? 
fifty 
Model C. Short privacy notice 
NOTICE OF PRIVACY 
[ Full name or reason or company name of the person in charge ] , with address at [ street, number, neighborhood, 
delegation or municipality, city, postal code and federal entity ] will use your personal data collected to 
[description of the purposes ] . For more information about the treatment and the rights that you can assert, 
you can access the comprehensive privacy notice through [ medium description ]. 
51 
Page 55 
GLOSSARY 
Categories of personal data: 
• Identification data. Information concerning a natural person that allows to differentiate it from others in a 
collectivity, such as: name; civil status; handwritten and electronic signature; Federal Taxpayers Registry (RFC); 
Unique Population Registry Code (CURP); military card number; place and date of birth; nationality; 
Photography; age, among others. 
• Contact details. Information that allows you to keep or contact the owner, such as: address; mail 
electronic; landline; cell phone, among others. 
• Labor data. Information concerning a natural person related to their employment, position or commission; job performance 
and professional experience, generated from recruitment, selection, hiring, appointment, 
evaluation and training, such as: position, work address, institutional email, institutional telephone; 
job references; date of entry and exit from employment, among others. 
• Data on physical characteristics. Information about a natural person related to their physiognomy, anatomy, features or 
specific characteristics, such as: skin, iris or hair color; particular signs; height; weight; complexion; 
scars, blood type, among others. 
• Academic data. Information concerning a natural person that describes their preparation, aptitudes, development and 
professional or technical orientation, endorsed by educational institutions, such as: educational trajectory; Titles; identification card 
professional; certificates; recognitions; among others. 
• Asset or financial data. Information concerning a natural person regarding their assets, rights, charges 
or obligations susceptible of economic valuation, such as: movable and immovable property; tax information; 
credit history; income and expenses; bank accounts; insurance; afores; bonds, credit card number, number 
security, among others. 
• Biometric data. Information about a natural person related to the image of the iris, fingerprint, palm of the hand or 
other analogs. 
Sensitive personal data categories: 
• Ideological data . Information about the ideological, religious, philosophical or moral positions of a person. 
• Data on political opinions. Opinion of a person in relation to a political fact or about his political position in 
general. 
• Data on union membership. Belonging of a person to a union and the information derived from it. 
52 
Page 56 
• Health data. Information concerning a natural person related to the valuation, preservation, care, 
improvement and recovery of your state of physical or mental health, present, past or future, as well as information 
genetics. 
• Data on sexual life. Information of a natural person related to their behavior, preferences, practices 
or sexual habits, among others. 
• Ethnic or racial origin data. Information concerning a natural person related to their belonging to a town, 
ethnicity or region that distinguishes it by its social, cultural and economic conditions and identities, as well as by its 
customs, traditions, beliefs. 
IMPORTANT: The categories of personal data and sensitive personal data in this document are only one 
guidance, since the INAI Plenary has not issued institutional criteria in this regard, in addition to the fact that certain data 
Personal data that are not initially considered sensitive could become so depending on the context in which they are 
treats the information. 
Cookies: They are a data file that is stored on the hard drive of the computer equipment or the communications device. 
electronic data of a user when browsing a specific Internet site, which allows the exchange of status information between 
said site and the user's browser. Status information may reveal means of session identification, authentication, or 
User preferences, as well as any other data stored by the browser regarding the Internet site. 
Web beacons: They are a visible or hidden image inserted within a website or email, which is used to monitor 
user behavior on these media. Through these you can obtain information such as the source IP address, 
browser used, operating system, time the page was accessed, and in the case of email, the association of 
the above data with the recipient. 
Exclusion list: It is a database that aims to register, free of charge, those holders who do not want to 
that your information is processed by the person in charge for certain purposes, in order for the person in charge to avoid said 
treatments. 
53 
Page 57 
Single Appendix. Regulatory framework of the privacy notice 
The following table describes the regulatory framework applicable to the informational elements of the privacy notice in terms of the Law, 
its Regulations and Guidelines: 
Element Legal framework 
Article 16, section I of the Law: 
Article 16.- The privacy notice must contain, at least, the following 
information: I. The identity and address of the person responsible for collecting them; […] 
Twenty, fraction I of the Guidelines: 
Twentieth. The comprehensive privacy notice must contain, at least, the following information, 
In accordance with what is established in the guidelines of this Section: I. The identity and 
address of the person responsible for processing the personal data; […] 
Twenty-first of the Guidelines: 
Identity and address of the person in charge 
Twenty first. The privacy notice must indicate the full name in the case of a person 
physical, or where appropriate the name or company name of the legal entity, as well as the full address of the 
responsible, in accordance with article 16, section I of the Law. 
The address of the person in charge must indicate, at least, the street, number, neighborhood, city, municipality or 
delegation, postal code and federal entity, and must correspond to that one to hear and receive 
notifications. 
Article 15 of the Law: 
Page 58 
Identity and 
address of 
responsable 
54 
Element Legal framework 
The 
data Article 15.- The person in charge will have the obligation to inform the owners of the data, the information 
that is collected from them and for what purposes, through the privacy notice. 
Twenty, section II of the Guidelines: 
Twentieth. The comprehensive privacy notice must contain, at least, the following information, of 
in accordance with what is established in the guidelines of this Section: 
[…] 
II. The personal data that will be subjected to treatment; […] 
Twenty-second of the Guidelines: 
Personal data to be processed 
Twenty second The privacy notice must indicate the personal data that the person in charge will process 
to achieve the purposes for which it obtains them, both those collected personally or directly 
of the owner, such as those obtained indirectly, through publicly accessible sources or 
transfers, in terms of article 15 of the Law. 
The person in charge may comply with this content by identifying the personal data it deals with or the categories 
thereof. 
The list of personal data or, where appropriate, the mention of the categories should not include inaccurate phrases, 
ambiguous or vague, such as “among other personal data” or “for example”. 
Article 15 of the Law: 
Article 15.- The person in charge will have the obligation to inform the owners of the data, the information that 
It is collected from them and for what purposes, through the privacy notice. 
Page 59 
personal 
treaties 
The data 
personal 
sensitive 
treaties 
55 
Element Legal framework Article 16 last paragraph of the Law: 
Article 16.- The privacy notice must contain, at least, the following information: 
[…] 
In the case of sensitive personal data, the privacy notice must expressly state that it is 
of this type of data. 
Twenty, section III of the Guidelines: 
Informational elements of the comprehensive privacy notice 
Twentieth. The comprehensive privacy notice must contain, at least, the following information, of in accordance with what is established in the guidelines of this Section: 
[…] 
III. The express indication of the sensitive personal data that will be processed; […] 
Twenty-third of the Guidelines: 
Express indication of sensitive personal data 
Twenty-third. In terms of article 16, last paragraph of the Law, the nominal list of data 
personnel that will be treated or the category of the same, to which the previous guideline refers, must expressly indicate which of these are sensitive, in accordance with the definition of article 3, section VI of the Law. 
Article 15 of the Law: 
Article 15.- The person in charge will have the obligation to inform the owners of the data, the information that 
It is collected from them and for what purposes, through the privacy notice. 
Article 16, section II of the Law: 
Page 60 
The purposes 
treatment 
56 
Element Legal framework 
Article 16.- The privacy notice must contain, at least, the following information: 
[…] 
II. The purposes of data processing; […] 
Article 30 of the Regulation: 
Treatment for marketing, advertising or commercial prospecting purposes 
Article 30. Among the purposes of the treatment referred to in section II of article 16 of the Law, 
Where appropriate, those relating to treatment for marketing, advertising or marketing purposes must be included. 
commercial prospecting. 
The foregoing without prejudice to what is established by the current provisions that regulate the treatment for 
purposes indicated in the previous paragraph, when they provide greater protection for the owner than the 
provided in the Law and these Regulations. 
Article 40 of the Regulation: 
Purpose principle 
Article 40. Personal data may only be processed for the fulfillment of the purpose or purposes 
established in the privacy notice, in terms of article 12 of the Law. 
For the purposes of the previous paragraph, the purpose or purposes established in the privacy notice must 
be determined, which is achieved when clearly, without confusion and objectively 
specifies for what purpose the personal data will be processed. 
Article 41 of the Regulation: 
Differentiation of purposes 
57 
Page 61 
Element Legal framework 
Article 41. The person in charge will identify and distinguish in the privacy notice between the purposes that 
originated and are necessary for the legal relationship between the controller and the owner, of those that do not 
they are. 
Article 42 of the Regulation: 
Opposition of the treatment for different purposes 
Article 42. The owner may deny or revoke their consent, as well as oppose the treatment of 
your personal data for purposes that are different from those that are necessary and give rise to the 
legal relationship between the controller and the owner, without this resulting in the conclusion of the 
treatment for these last purposes. 
Article 43 of the Regulation: 
Treatment for different purposes 
Article 43. The person in charge may not carry out treatments for different purposes that are not 
compatible or analogous with those for which the personal data had been collected from origin and that 
have been provided for in the privacy notice, unless: 
I. It is explicitly permitted by law or regulation, or 
II. The person in charge has obtained the consent for the new treatment. 
Twenty, fraction IV of the Guidelines: 
Informational elements of the comprehensive privacy notice 
Twentieth. The comprehensive privacy notice must contain, at least, the following information, of 
in accordance with what is established in the guidelines of this Section: 
[…] 
IV. The purposes of the treatment; 
[…] 
58 
Page 62 
Element Legal framework 
Twenty-fourth of the Guidelines: 
Purposes of the treatment 
Twenty fourth. In accordance with articles 16, section II of the Law, and 14, 30, 40, 41 and 42 of its 
Regulation, the privacy notice must describe the purposes for which the data will be processed 
personal, according to the following criteria: 
I. The list of purposes described must be complete and not use inaccurate, ambiguous or 
vague, such as "among other purposes", "other analogous purposes" or "for example"; 
II. The purposes described in the privacy notice must be determined, which is achieved, according to 
in accordance with article 40, second paragraph of the Regulation of the Law, when clearly, without 
lead to confusion and objectively it is specified for what purpose the data will be processed 
personal; 
III. The list of purposes must include those related to treatment for marketing purposes, 
advertising or commercial prospecting, in the event that the controller processes personal data to 
said purposes; 
IV. It must identify and distinguish between the purposes that originated and are necessary for the 
existence, maintenance and compliance with the legal relationship between the controller and the owner, of 
those that are not, and 
V. It must inform about the mechanism that the person in charge has implemented so that the owner 
can express their refusal to process their personal data in relation to the 
purposes that are not necessary for the legal relationship between the controller and the owner. 
Article 14, first and second paragraph of the Regulation: 
Request for tacit consent 
Article 14. When the person in charge intends to collect personal data directly or personally from his 
owner, must previously make the privacy notice available to him, which must contain a 
mechanism so that, where appropriate, the owner can express their refusal to process their data 
Page 63 
The mechanism 
to manifest 
negative prior to 
treatment 
59 
Element Legal framework 
personal for purposes that are different from those that are necessary and give rise to the relationship 
legal between the person in charge and the owner. 
In cases where personal data is obtained indirectly from the owner and a change takes place 
of the purposes that were consented to in the transfer, the person in charge must make available to the 
holder of the privacy notice prior to the use of personal data. When the notice of 
privacy is not made known to the owner directly or personally, the owner will have a deadline 
of five days so that, if it is the case, it expresses its refusal for the treatment of its personal data 
for purposes that are different from those that are necessary and give rise to the legal relationship between 
the person in charge and the owner. If the owner does not express his refusal to process his data from 
In accordance with the foregoing, it will be understood that you have given your consent for the treatment of 
themselves, unless proven otherwise. 
[…] 
Twenty, fraction V of the Guidelines: 
Informational elements of the comprehensive privacy notice 
Twentieth. The comprehensive privacy notice must contain, at least, the following information, of 
in accordance with what is established in the guidelines of this Section: 
[…] 
V. The mechanisms so that the owner can express his refusal to process his data 
personal for those purposes that are not necessary, nor have given rise to the legal relationship with 
The responsible; 
[…] 
Twenty-fifth of the Guidelines: 
Mechanism to express refusal 
Twenty-fifth. The mechanism referred to in section V of the previous guideline may be 
implemented through the inclusion of boxes or marking options in the privacy notice itself, or 
60 
Page 64 
Element Legal framework 
well outside of this, by the means that the person in charge determines, which must be available at the time 
in which the owner consults the privacy notice. In all cases, this mechanism should allow the 
owner expresses his refusal prior to the processing of his personal data or the use of the 
themselves. 
In terms of the second paragraph of article 14 of the Regulation of the Law, when the privacy notice does not 
the owner is made aware of directly or personally, a statement must be included in it. 
or warning that informs the owner that he has a period of five business days so that, if applicable, 
express your refusal to process your personal data with respect to the purposes that are not 
they are necessary, nor did they give rise to the legal relationship with the person responsible. 
The rights of the owner to exercise their rights to the revocation of consent or 
opposition, in case you do not express the refusal to process your personal data prior to the 
delivery of the same or its use. 
Article 16, section V of the Law: 
Article 16.- The privacy notice must contain, at least, the following information: 
[…] 
V. Where appropriate, the data transfers carried out, and […] 
Article 68 of the Regulation: 
Conditions for the transfer 
Article 68. Any transfer of personal data, whether national or international, is subject to 
to the consent of its owner, except for the exceptions provided in article 37 of the Law; should be 
informed to the latter through the privacy notice and limited to the purpose that justifies it. 
Twenty, fraction VI of the Guidelines: 
Page 65 
The 
transfers of 
personal information 
61 
Element Legal framework 
Informational elements of the comprehensive privacy notice 
Twentieth. The comprehensive privacy notice must contain, at least, the following information, of in accordance with what is established in the guidelines of this Section: 
[…]
. Te transers o persona ata tat, were approprate, are mae; te tr party recpent o te ata 
personal, and the purposes thereof; […] 
Twenty-sixth of the Guidelines: 
Transfers of personal data 
Twenty sixth. In terms of articles 16, section V and 36 of the Law, and 68 of its Regulations, the notice 
of privacy must inform that, where appropriate, the treatment involves the national transfer or 
international personal data. To do this, it must contain the following information: 
I. Third-party recipients or recipients of personal data, either identifying each of these 
by name, denomination or company name; or, indicating its type, category or sector of activity, and 
II. The purposes that justify the transfers of personal data, which must be determined 
and distinguish between those that require the consent of the owner to be carried out, those that are 
may be carried out without said consent, in accordance with what is established in article 37 of the Law. 
The person in charge will not be obliged to inform in the privacy notice about data communications 
personal data that exist between him and those in charge, which is recognized as a referral, in terms of the 
Article 2, section IX of the Regulation of the Law. 
Article 36, second paragraph of the Law: 
62 
Page 66 
Element Legal framework 
Article 36.- When the person in charge intends to transfer personal data to national third parties or 
foreigners, other than the person in charge, must communicate to them the privacy notice and the purposes of the 
that the holder subjected his treatment. 
The data will be processed in accordance with what was agreed in the privacy notice, which will contain a 
clause indicating whether or not the owner accepts the transfer of their data, in the same way, the 
Third party recipient, will assume the same obligations that correspond to the person in charge who transferred the data. 
Twenty, section VII of the Guidelines: 
Informational elements of the comprehensive privacy notice 
Twentieth. The comprehensive privacy notice must contain, at least, the following information, of 
in accordance with what is established in the guidelines of this Section: 
[…] 
VII. The clause that indicates whether or not the owner accepts the transfer, when required; 
[…] 
Twenty-seventh of the Guidelines: 
Clause to consent to the transfer of personal data 
Twenty-seventh. In terms of article 36, second paragraph of the Law, when transfers do not 
update the cases of exception to the consent established in article 37 of the Law, the notice of 
privacy must include a clause that allows the owner to indicate whether or not he consents to the transfer of his 
personal information. 
Article 16, section IV of the Law: 
Article 16.- The privacy notice must contain, at least, the following information: 
[…] 
Page 67 
The clause 
Authorization of 
transfers 
The media and the 
process 
to exercise the 
ARCO rights 
63 
Element Legal framework 
IV. The means to exercise the rights of access, rectification, cancellation or opposition, of 
compliance with the provisions of this Law; […] 
Article 33 of the Law: 
Article 33.- The obligation of access to information will be considered fulfilled when they are made available 
the owner's personal data; or, by issuing simple copies, electronic documents 
or any other means determined by the person in charge in the privacy notice. 
In the event that the owner requests access to the data to a person who presumes is responsible and 
This turns out not to be, it will be enough that the owner is indicated in this way by any of the means to which he refers 
the previous paragraph, to have the request fulfilled. 
Article 90 of the Regulation: 
Means for the exercise of rights 
Article 90. The holder, for the exercise of ARCO rights, may present, by himself or through 
his representative, the request before the person in charge according to the means established in the notice of 
Privacy. For this purpose, the person in charge will make available to the owner, remote or local means of 
electronic communication or others that it deems pertinent. 
Likewise, the person in charge may establish forms, systems and other simplified methods to facilitate 
to the holders the exercise of ARCO rights, which must be reported in the privacy notice. 
Article 102 of the Regulation: 
Means for the fulfillment of the right of Access 
Article 102. The obligation of access will be considered fulfilled when the person in charge makes available to the 
holder of personal data on site, respecting the period indicated in article 99 of this 
Regulations, or, by issuing simple copies, magnetic, optical, sound media, 
64 
Page 68 
Element Legal framework 
visual or holographic, or using other information technologies that have been provided for in the notice of 
Privacy. In all cases, access must be in readable or understandable formats for the owner. 
When the person in charge considers it appropriate, he may agree with the owner means of reproduction of 
information other than those reported in the privacy notice. 
Twenty, section VIII of the Guidelines: 
Informational elements of the comprehensive privacy notice 
Twentieth. The comprehensive privacy notice must contain, at least, the following information, of 
in accordance with what is established in the guidelines of this Section: 
[…] 
VIII. The means and the procedure to exercise ARCO rights; […] 
Twenty-eighth of the Guidelines: 
Means for the exercise of ARCO rights 
Twenty eighth. In accordance with the provisions of articles 16, section IV and 33 of the Law, and 90 and 102 
of its Regulations, the privacy notice must inform the owner about: 
I. The means enabled by the person in charge to respond to requests for the exercise of ARCO rights, 
which must be implemented in such a way that the exercise of these rights is not limited by 
part of the headlines; 
II. The procedures established for the exercise of ARCO rights; or, the media through 
of which the owner will be able to know said procedures, which must be easily accessible 
for headlines and with the widest possible coverage, considering their profile and the way they 
they maintain daily or common contact with the person in charge; free; that they are duly 
enabled, and make access to information easy. Identification and contact data 
from 
65 
Page 69 
Element Legal framework 
the person or department of personal data that will process the requests of the holders to 
the exercise of ARCO rights, referred to in article 30 of the Law. 
The procedures referred to in section II of this guideline must include, at least, what is 
following: 
to. The requirements, including the mechanisms for accreditation of the identity of the owner and personality 
of its representative, and the information or documentation that must accompany the request; b. The 
deadlines within the procedure; 
c. The means to respond; 
d. The mode or means of reproduction through which the owner may obtain the information or data 
personal requested through the exercise of the right of access, that is, simple copies, 
electronic documents or any other means, and 
and. The forms, systems and other simplified methods that, where appropriate, the person in charge has 
implemented to facilitate the holder the exercise of ARCO rights. 
Article 8 of the Law: 
Article 8.- […] 
The consent may be revoked at any time without retroactive effects being attributed to it. 
To revoke consent, the person in charge must, in the privacy notice, establish the mechanisms 
and procedures for it. 
Twenty, fraction IX of the Guidelines: 
Informational elements of the comprehensive privacy notice 
Twentieth. The comprehensive privacy notice must contain, at least, the following information, of 
in accordance with what is established in the guidelines of this Section: […] 
Page 70 
The mechanisms 
and procedures 
to revoke the 
consent 
66 
Element Legal framework 
IX. The mechanisms and procedures so that, where appropriate, the owner can revoke their consent to the 
processing of your personal data; […] 
Twenty-ninth of the Guidelines: 
Mechanisms and procedures for the revocation of consent 
Twenty-ninth. For the purposes of articles 8, last paragraph of the Law and 21 of its Regulations, the notice 
privacy policy must expressly indicate the following information: 
I. The means enabled by the person in charge to deal with requests for revocation of the 
consent of the holders, which must be implemented in such a way that the 
exercise of this right by the holders, and 
II. The procedure established for the attention of requests for revocation of consent, the 
which shall take into consideration the provisions of article 21 of the Regulations of the Law; O well, 
the means through which the owner may learn about said procedure, which must 
be easily accessible to the holders and with the widest possible coverage, considering their profile and the 
how they maintain daily or common contact with the person in charge; free; that they are 
duly authorized, and that make access to information easy. 
The procedures referred to in section II above must inform, at least, the following: 
to. The requirements, including the mechanisms for accreditation of the identity of the owner and the 
personality of its representative and, where appropriate, the information or documentation that must be 
accompany the application; 
b. The deadlines within the procedure, and 
c. The means to respond. 
Article 16, section III of the Law: 
Page 71 
The options and 
means for 
67 
Element Legal framework 
Article 16.- The privacy notice must contain, at least, the following information: 
[…] 
III. The options and means that the person in charge offers to the holders to limit the use or disclosure of 
the data; 
[…] 
Twenty, fraction X of the Guidelines: 
Informational elements of the comprehensive privacy notice 
Twentieth. The comprehensive privacy notice must contain, at least, the following information, of 
in accordance with what is established in the guidelines of this Section: 
[…] 
X. The options and means that the person in charge offers the owner to limit the use or disclosure of the data 
personal; 
[…] 
Thirtieth of the Guidelines: 
Options and means to limit the use or disclosure of personal data 
Thirtieth. The privacy notice must inform about the options and means that, where appropriate, the 
responsible has instrumented so that the owner can limit the use and disclosure of their data 
personal, other than the exercise of ARCO rights or the revocation of consent, in accordance with 
with article 16, section III of the Law, such as, among others: 
I. The registration of the owner in the Public Registry of Consumers provided for in the Federal Law on 
Consumer Protection, and in the Public Registry of Users in accordance with the Protection and 
Defense of the User of Financial Services, in terms of article 111 of the Regulation of the Law; 
II. The registration of the owner in exclusion lists of the person in charge, sectorial or general, of 
in accordance with the provisions of Article 110 of the Regulations of the Law, indicating the name of the 
Page 72 
limit use and 
divulgation from 
personal information 
68 
Element Legal framework 
list, the purposes for which the exclusion is applicable and, where appropriate, the channel enabled by 
the person in charge so that the owner can obtain more information in this regard, or 
III. The enabling of means by which the holder can express his refusal to continue receiving 
communications or promotions by the person in charge. 
When required, the privacy notice will describe the procedures for using these options or 
media; Or, it will inform the mechanisms by which the holder will be able to know these procedures. 
Article 14, last paragraph of the Regulation: 
Request for tacit consent 
Article 14. […] 
When the person in charge uses mechanisms in remote or local means of electronic, optical communication 
or other technology, that allow you to collect personal data automatically and simultaneously at the same time 
that the owner makes contact with them, at that time the owner must be informed about the use of 
these technologies, that through them personal data is obtained and the way in which it can be 
to disable. 
Twenty, fraction XI of the Guidelines: 
Informational elements of the comprehensive privacy notice 
Twentieth. The comprehensive privacy notice must contain, at least, the following information, of 
in accordance with what is established in the guidelines of this Section: 
[…] 
XI. Information on the use of mechanisms in remote or local means of electronic communication, 
optical or other technology, that allow the collection of personal data automatically and simultaneously to the 
time that the owner makes contact with them, if applicable, and 
[…] 
Thirty-first of the Guidelines: 
Page 73 
The information 
about the use of 
mechanisms in 
remote media or 
local of 
communication 
electronics, 
optical or other 
technology 
69 
Element Legal framework 
Use of cookies, web beacons or other similar technologies 
Thirty-first. In terms of article 14, last paragraph of the Regulation of the Law, when the 
responsible uses mechanisms in remote or local means of electronic, optical or other communication 
technology, that allow you to collect personal data automatically and simultaneously while the 
owner makes contact with them, at that time he must inform the owner, through a 
communication or warning placed in a visible place, about the use of these technologies and about the fact 
that through them personal data is obtained, as well as the way in which they can be disabled, 
the latter unless said technologies are necessary for technical reasons. 
Likewise, the person in charge must include in the privacy notice the information referred to in the article 
14 of the Regulations of the Law and that which must be informed in the terms of these Guidelines, 
among them, the personal data that is collected and the purposes of the treatment. 
The 
Article 16, section VI of the Law: 
Article 16.- The privacy notice must contain, at least, the following information: 
[…] 
SAW. The procedure and means by which the person in charge will notify the holders of changes to the notice of 
privacy, in accordance with the provisions of this Law. 
[…] 
Twenty, section XII of the Guidelines: 
Informational elements of the comprehensive privacy notice 
Twentieth. The comprehensive privacy notice must contain, at least, the following information, of 
in accordance with what is established in the guidelines of this Section: 
[…] 
XII. The procedures and means through which the person in charge will communicate the changes to the owners 
to the privacy notice. 
Page 74 
procedures and 
means by 
which the 
responsable 
will communicate to 
Headlines the 
changes in 
notice of 
Privacy 
70 
Element Legal framework 
Thirty-second of the Guidelines: 
Changes to the privacy notice 
Thirty-second. In accordance with article 16, section VI of the Law, the privacy notice must 
indicate the means and procedure implemented by the person in charge to inform the owner of the changes 
or updates made to it. 
In relation to the procedure, the person in charge may include this element in the privacy notice when 
the means instrumented to publicize the changes or updates in the privacy notice is not 
target each headline directly, such as a widespread posting on your website.
71