In the margin, a seal with the National Coat of Arms, which reads: United Mexican States.- Presidency of the Republic.


ENRIQUE PEÑA NIETO, President of the United Mexican States, to its inhabitants:
That the Honourable Congress of the Union has seen fit to address to me the following
DECREE
"THE GENERAL CONGRESS OF THE UNITED MEXICAN STATES DECREES:
THE GENERAL LAW ON THE PROTECTION OF PERSONAL DATA IN POSSESSION OF OBLIGED SUBJECTS IS ISSUED
Sole Article.- The General Law on the protection of personal data in the possession of obliged subjects is issued.
General law on the protection of personal data in the possession of obliged subjects
TITLE FIRST
GENERAL PROVISIONS
Chapter I
Of the object of the law
Article 1. This law is of public order and of general observance throughout the Republic, regulating articles 6o., Base A, and 16, second paragraph, of the Political Constitution of the United Mexican States, regarding the protection of personal data in possession of obliged subjects.
All provisions of this General law, as appropriate, and within the scope of its competence, are of direct application and observance for obliged subjects belonging to the federal order.
The Institute shall exercise the powers and authorities granted to it by this law, independently of those granted in the other applicable provisions.
It aims to establish the bases, principles and procedures to guarantee the right that everyone has to the protection of their personal data, in the possession of obliged subjects.
Any authority, entity, body and agency of the executive, legislative and judicial branches, autonomous bodies, political parties, trusts and public funds are bound by this law at the federal, state and municipal level.
Trade unions and any other natural or legal person who receives and exercises public resources or performs acts of authority at the federal, state and municipal level will be responsible for personal data, in accordance with the applicable regulations for the protection of personal data held by individuals.
In all other cases other than those mentioned in the previous paragraph, natural and legal persons will be subject to the provisions of the federal law on the protection of personal data held by individuals.
Article 2. The objectives of this law are to:
I. Distribute powers between the guarantor bodies of the Federation and the federal entities, in the field of protection of personal data in possession of obliged subjects;
II. Establish the minimum bases and homogeneous conditions that will govern the processing of personal data and the exercise of the rights of access, rectification, cancellation and opposition, through simple and expeditious procedures;
III. Regulate the organization and operation of the National System of transparency, access to Information and protection of personal data to which this law and the General Law on transparency and access to public information refer, in relation to its functions for the protection of personal data in the possession of obliged subjects;
IV. Ensure compliance with the principles of protection of personal data provided for in this law and other provisions that are applicable in the matter;
V. Protect personal data in the possession of any authority, entity, body and agency of the executive, legislative and judicial powers, autonomous bodies, political parties, trusts and public funds, of the Federation, federative entities and municipalities, with the purpose of regulating their due treatment;
VI. Ensure that everyone can exercise the right to the protection of personal data;
VII. Promote, foster and disseminate a culture of personal data protection;
VIII. Establish mechanisms to ensure compliance and effective application of the appropriate enforcement measures for conduct that contravene the provisions of this law, and
IX. Regulate the means of challenge and procedures for the filing of actions of unconstitutionality and constitutional disputes by the local guarantor bodies and the Federation; in accordance with their respective powers.
Article 3. For the purposes of this law, it shall be understood as:
I. Areas: instances of the obliged subjects provided for in the respective internal regulations, organic statutes or equivalent instruments, which hold or may hold, process, and be responsible for or in charge of personal data;
II. Privacy notice: document made available to the owner in physical or electronic form, or in any format generated by the controller, from the moment the owner's personal data are collected, in order to inform the owner of the purposes of their processing;
III. Databases: an ordered set of personal data relating to an identified or identifiable natural person, conditioned to certain criteria, regardless of the form or modality of its creation, type of support, processing, storage and organization;
IV. Blocking: the identification and retention of personal data once the purpose for which they were collected has been fulfilled, with the sole purpose of determining possible liabilities in connection with their processing, until the end of the legal or contractual limitation period for such liabilities. During this period, personal data may not be processed and, once it has elapsed, they shall be deleted from the corresponding database;
V. Transparency Committee: a body referred to in Article 43 of the General Law on transparency and access to Public Information;
VI. Cloud computing: the model of external provision of on-demand computing services, which involves the provision of infrastructure, platform or software, flexibly distributed, through virtual procedures, on dynamically shared resources;
VII. National Council: National Council for transparency, access to Information and protection of personal data referred to in Article 32 of the General Law on transparency and access to Public Information;
VIII. Consent: manifestation of the free, specific and informed will of the owner of the data through which the treatment of the same is carried out;
IX. Personal data: any information concerning an identified or identifiable natural person. A person is considered identifiable when his or her identity can be directly or indirectly determined through any information;
X. Sensitive personal data: those that refer to the most intimate sphere of their owner, or whose misuse may give rise to discrimination or entail a serious risk for the owner. By way of example and without limitation, personal data that may reveal aspects such as racial or ethnic origin, present or future health status, genetic information, religious, philosophical and moral beliefs, political opinions and sexual preference are considered sensitive;
XI. Arco rights: the rights of access, rectification, cancellation and opposition to the processing of personal data;
XII. Days: business days;
XIII. Dissociation: the procedure by which personal data can not be associated with the holder or allow, due to its structure, content or degree of disaggregation, the identification of the same;
XIV. Security document: an instrument that describes and gives a general account of the technical, physical and administrative security measures adopted by the controller to guarantee the confidentiality, integrity and availability of the personal data it holds;
XV. Processor: the natural or legal person, public or private, outside the organization of the controller, which alone or jointly with others processes personal data in the name and on behalf of the controller;
XVI. Impact assessment on the protection of personal data: a document by which obliged subjects who intend to put into operation or modify public policies, programs, systems or computer platforms, electronic applications or any other technology that involves the intensive or relevant processing of personal data, assess the real impacts regarding certain processing of personal data, in order to identify and mitigate possible risks related to the principles, as well as the duties of controllers and processors, provided for in the applicable regulations;
XVII. Sources of public access: those databases, systems or files that by law can be consulted publicly when there is no impediment by a limiting rule and without more requirement than, where appropriate, the payment of a consideration, fee or contribution. It will not be considered a source of public access when the information contained therein is obtained or has an illicit origin, in accordance with the provisions established by this law and other applicable regulations;
XVIII. Institute: National Institute of transparency, access to Information and protection of personal data, which is the guarantor body of the Federation regarding the protection of personal data held by the obliged subjects;
XIX. Compensatory measures: alternative mechanisms to make the privacy notice known to the owners, through its dissemination by mass media or other wide-reaching means;
XX. Security measures: set of actions, activities, controls or administrative, technical and physical mechanisms that allow the protection of personal data;
XXI. Administrative security measures: policies and procedures for the management, support and review of information security at the organizational level, the identification, classification and secure erasure of information, as well as the awareness and training of staff, in the field of personal data protection;
XXII. Physical security measures: set of actions and mechanisms to protect the physical environment of personal data and of the resources involved in their processing. By way of example and without limitation, the following activities should be considered:
a) prevent unauthorized access to the perimeter of the organization, its physical facilities, critical areas, resources and information;
b) prevent damage or interference to physical facilities, critical areas of the organization, resources and information;
c) protect mobile, portable and any physical or electronic media that may leave the organization; and
d) provide equipment containing or storing personal data with effective maintenance, ensuring its availability and integrity;
XXIII. Technical security measures: set of actions and mechanisms that use technology related to hardware and software to protect the digital environment of personal data and of the resources involved in their processing. By way of example and without limitation, the following activities should be considered:
a) ensure that access to databases or information, as well as to resources, is by identified and authorized users;
b) generate a privilege scheme so that the user carries out the activities required for their functions;
c) review security settings in the acquisition, operation, development and maintenance of software and hardware; and
d) manage communications, operations and means of storage of computer resources in the processing of personal data;
XXIV. Guarantor bodies: those with constitutional autonomy specialized in matters of access to information and protection of personal data, in terms of articles 6o. and 116, Section VIII of the Political Constitution of the United Mexican States;
XXV. National platform: the National transparency platform referred to in Article 49 of the General Law on transparency and access to Public Information;
XXVI. National Personal Data Protection Programme: National Personal Data Protection Programme;
XXVII. Referral: any communication of personal data made exclusively between the controller and the processor, inside or outside the Mexican territory;
XXVIII. Responsible: The obliged subjects referred to in Article 1 of this law who decide on the processing of personal data;
XXIX. National system: the National System of transparency, access to Information and protection of personal data;
XXX. Deletion: the archival removal of personal data in accordance with applicable archival regulations, resulting in the elimination, erasure or destruction of personal data under the security measures previously established by the controller;
XXXI. Owner: the natural person to whom the personal data correspond;
XXXII. Transfer: any communication of personal data inside or outside the Mexican territory, made to a person other than the owner, the controller or the processor;
XXXIII. Processing: any operation or set of operations carried out through manual or automated procedures applied to personal data, related to the collection, use, recording, organization, conservation, elaboration, utilization, communication, dissemination, storage, possession, access, handling, exploitation, disclosure, transfer or disposal of personal data, and
XXXIV. Transparency Unit: The Body referred to in Article 45 of the General Law on transparency and access to Public Information.
Article 4. This law shall apply to any processing of personal data that operates on physical or electronic media, regardless of the form or modality of its creation, type of support, processing, storage and organization.
Article 5. For the purposes of this law, the following shall be considered sources of public access:
I. Internet pages or remote or local means of electronic, optical or other technological communication, provided that the site where the personal data are located is designed to provide information to the public and is open to general consultation;
II. Telephone directories in terms of specific regulations;
III. Newspapers, gazettes or official bulletins, in accordance with their regulations;
IV. Social communication media, and
V. Public Records in accordance with the provisions applicable to them.
For the cases listed in this article to be considered sources of public access, it will be necessary that they can be consulted by any person not prevented by a limiting rule, or without more requirement than, where appropriate, the payment of a consideration, duty or fee. It shall not be considered a source of public access where the information contained therein is or has an illicit origin.
Article 6. The state will guarantee the privacy of individuals and must ensure that third parties do not engage in conduct that may affect it arbitrarily.
The right to the protection of personal data shall be limited only for reasons of national security, in terms of the relevant law, public order provisions, public safety and health or to protect the rights of third parties.
Article 7. As a general rule, sensitive personal data may not be processed, unless the express consent of its owner is obtained or, failing that, in the cases established in Article 22 of this law.
In the processing of personal data of minors, the best interests of the child and the adolescent must be privileged, in terms of the applicable legal provisions.
Article 8. The application and interpretation of this law shall be made pursuant to the provisions of the Political Constitution of the United Mexican States and the international treaties to which the Mexican State is a party, as well as the binding resolutions and rulings issued by specialized national and international bodies, favouring at all times the right to privacy, the protection of personal data and the broadest protection for persons.
In the case of interpretation, the criteria, determinations and opinions of national and international bodies regarding the protection of personal data may be taken into account.
Article 9. In the absence of an express provision in this law, the provisions of the Federal Code of Civil Procedures and the federal law on administrative procedure shall apply in a supplementary manner.
The laws of the federal entities, within the scope of their respective powers, must determine the provisions that apply on a supplementary basis to the guarantor bodies in the application and interpretation of this law.
Chapter II
Of the National System of transparency, access to Information and protection of personal data
Article 10. The National System will be formed in accordance with the provisions of the General Law on transparency and access to Public Information. In the matter of protection of personal data, the System has the function of coordinating and evaluating the actions relating to the cross-cutting public policy on the protection of personal data, as well as establishing and implementing criteria and guidelines on the matter, in conformity with this law, the General Law on transparency and access to Public Information, and other applicable regulations.
Article 11. The National system will contribute to maintaining the full validity of the right to the protection of personal data at the national level, in the three orders of government.
This joint and comprehensive effort will contribute to the implementation of public policies with strict adherence to the applicable regulations in the matter; the full exercise and respect of the right to the protection of personal data and the dissemination of a culture of this right and its accessibility.
Article 12. In addition to the objectives provided for in the General Law on transparency and access to Public Information, The National system will aim to design, implement and evaluate a National Personal Data Protection Program that defines public policy and establishes, at a minimum, objectives, strategies, actions and goals for:
I. Promote education and a culture of personal data protection among Mexican society;
II. Promote the exercise of the rights of access, rectification, cancellation and opposition;
III. To train obliged subjects in the field of personal data protection;
IV. To promote the implementation and maintenance of a security management system referred to in Article 34 of this law, as well as to promote the adoption of national and international standards and good practices in this area, and
V. Provide mechanisms to measure, report and verify established targets.
The National Program for the protection of personal data will be constituted as a guiding instrument for the integration and coordination of the National System, and must determine and prioritize the objectives and goals that it must meet, as well as define the general lines of action that are necessary.
The National Personal Data Protection Programme shall be evaluated and updated at the end of each annual financial year and shall define the set of activities and projects to be implemented during the following financial year.
Article 13. The National system will have a National Council. The integration, organization, functioning and powers of the National Council shall be in accordance with the General Law on transparency and access to Public Information and other applicable provisions.
Article 14. The National System, in addition to the provisions of the General Law on transparency and access to Public Information and other applicable regulations, will have the following functions regarding the protection of personal data:
I. Promote the exercise of the right to the protection of personal data throughout the Mexican Republic;
II. Promote a culture of personal data protection among society;
III. Analyze, give an opinion and propose to the bodies authorized for this purpose projects for reform or modification of the regulations in the matter;
IV. Agree and establish coordination mechanisms that allow the formulation and implementation of comprehensive, systematic, continuous and evaluable public instruments and policies, aimed at meeting the objectives and purposes of the National System, of this law and other provisions that may be applicable in this area;
V. Issue general agreements and resolutions for the functioning of the National System;
VI. Formulate, establish and implement general policies on the protection of personal data;
VII. Promote the effective coordination of the bodies that make up the National System and follow up on the actions that are established for this purpose;
VIII. Promote the approval and development of the procedures provided for in this law and evaluate their progress;
IX. Design and implement personal data protection policies;
X. Establish effective mechanisms for society to participate in the evaluation processes of policies and institutions that are part of the National System;
XI. Develop common projects of national scope to measure compliance and progress of those responsible;
XII. To sign collaboration agreements that aim to contribute to the fulfillment of the objectives of the National System and those provided for in this law and other provisions that are applicable in the matter;
XIII. Promote and implement actions to ensure accessibility conditions so that vulnerable groups can exercise, in equal circumstances, their right to the protection of personal data;
XIV. Propose codes of good practice or models for the protection of personal data;
XV. Promote communication and coordination with national, federal, state and municipal authorities and international organizations, in order to promote and foster the objectives of this law;
XVI. Propose actions to link the National System with other national, regional or local systems and programmes;
XVII. Promote and foster the exercise and protection of the right to the protection of personal data, through the implementation, organization and operation of the national platform, referred to in the General Law on transparency and access to Public Information and other applicable regulations;
XVIII. Approve the National Program for the protection of personal data referred to in Article 12 of this law;
XIX. Issue additional criteria to determine the cases in which intensive or relevant processing of personal data is being conducted, in accordance with the provisions of articles 70 and 71 of this law;
XX. Issue the administrative provisions necessary for the evaluation of the content presented by the subjects obliged in the impact assessment on the protection of personal data, in order to issue the corresponding non-binding recommendations; and
XXI. Other provisions on the subject for the functioning of the National System.
Article 15. The National Council shall operate in accordance with the provisions of the General Law on transparency and access to Public Information and other applicable laws.


TITLE SECOND
PRINCIPLES AND DUTIES
Chapter I
Principles
Article 16. The data controller must observe the principles of lawfulness, purpose, loyalty, consent, quality, proportionality, information and responsibility in the processing of personal data.
Article 17. The processing of personal data by the controller must be subject to the powers or authorities conferred by the applicable regulations.
Article 18. Any processing of personal data carried out by the controller must be justified for specific, lawful, explicit and legitimate purposes, related to the powers that the applicable regulations confer on them.
The data controller may process personal data for purposes other than those established in the privacy notice, provided that it has powers conferred by law and the owner's consent is obtained, unless the owner is a person reported as missing, in the terms provided for in this law and other provisions that are applicable in the matter.
Article 19. The data controller shall not obtain and process personal data through misleading or fraudulent means, giving priority to the protection of the interests of the owner and the reasonable expectation of privacy.
Article 20. When none of the grounds for exception provided for in Article 22 of this law applies, the data controller must have the prior consent of the owner for the processing of personal data, which must be granted in a manner that is:
I. Free: without error, bad faith, violence or deceit that may affect the manifestation of the owner's will;
II. Specific: referring to specific, lawful, explicit and legitimate purposes that justify the processing, and
III. Informed: that the owner has knowledge of the privacy notice prior to the treatment to which his personal data will be subjected.
In obtaining the consent of minors or persons who are in a state of interdiction or incapacity declared in accordance with the law, the provisions of the rules of representation provided for in the civil legislation that is applicable shall be complied with.
Article 21. Consent may be given expressly or tacitly. Consent shall be understood to be express when the owner's will is manifested verbally, in writing, by electronic or optical means, by unequivocal signs or by any other technology.
Consent shall be tacit when, the privacy notice having been made available to the owner, the owner does not express a will to the contrary.
As a general rule, tacit consent will be valid, unless the law or the applicable provisions require that the will of the holder is expressly manifested.
In the case of sensitive personal data, the controller must obtain the express written consent of the owner for its processing, through the owner's signature, electronic signature or any authentication mechanism established for that purpose, except in the cases provided for in Article 22 of this law.
Article 22. The data controller will not be obliged to obtain the consent of the owner for the processing of the owner's personal data in the following cases:
I. When a law so provides; such cases must be in accordance with the bases, principles and provisions established in this law and may in no case contravene it;
II. When the transfers made between controllers concern personal data used for the exercise of their own powers, compatible with or analogous to the purpose that motivated the processing of the personal data;
III. Where there is a well-founded and reasoned court order, resolution or mandate from a competent authority;
IV. For the recognition or defense of rights of the holder before competent authority;
V. When personal data are required to exercise a right or fulfil obligations arising from a legal relationship between the owner and the data controller;
VI. When there is an emergency situation that could potentially harm an individual in his person or property;
VII. When personal data are necessary to carry out processing for prevention, diagnosis or the provision of health care;
VIII. Where personal data is contained in publicly accessible sources;
IX. Where the personal data is subject to a prior dissociation procedure, or
X. When the owner of the personal data is a person reported as missing in the terms of the law in the matter.
Article 23. The data controller must take the necessary measures to keep the personal data in his possession accurate, complete, correct and updated, so as not to alter the veracity of these.
It is presumed that the quality of the personal data is complied with when these are provided directly by the owner and until the latter declares and proves otherwise.
When the personal data are no longer necessary for the fulfilment of the purposes set out in the privacy notice and that motivated their processing in accordance with the applicable provisions, they shall be deleted, after blocking where applicable, once their retention period has ended.
The retention periods of personal data must not exceed those necessary for the fulfillment of the purposes that justified their processing, and must comply with the applicable provisions in the matter in question and consider the administrative, accounting, tax, legal and historical aspects of the personal data.
Article 24. The data controller must establish and document the procedures for the conservation and, where appropriate, blocking and deletion of the personal data carried out, which include the periods of conservation thereof, in accordance with the provisions of the previous article of this law.
In the procedures referred to in the previous paragraph, the controller must include mechanisms that allow him to comply with the deadlines set for the deletion of personal data, as well as to carry out a periodic review on the need to retain personal data.
Article 25. The data controller shall only process personal data that is adequate, relevant and strictly necessary for the purpose justifying its processing.
Article 26. The data controller must inform the owner, through the privacy notice, of the existence and main characteristics of the processing to which the owner's personal data will be subjected, so that the owner can make informed decisions about it.
As a general rule, the privacy notice must be disseminated by the electronic and physical means that the person responsible has.
For the privacy notice to efficiently fulfill its reporting function, it must be written and structured in a clear and simple way.
When it is impossible to make the privacy notice known to the owner directly, or doing so requires disproportionate efforts, the controller may implement compensatory mass communication measures in accordance with the criteria issued for this purpose by the National System of transparency, access to Public Information and protection of personal data.
Article 27. The Privacy Notice referred to in Article 3, Section II, will be made available to the owner in two ways: simplified and comprehensive. The simplified notice shall contain the following information:
I. The name of the controller;
II. The purposes of the processing for which the personal data are obtained, distinguishing those that require the consent of the owner;
III. When transfers of personal data are made that require consent, the following must be reported:
a) the authorities, powers, entities, bodies and governmental bodies of the three orders of government and the natural or legal persons to whom the personal data are transferred; and
b) the purposes of these transfers;
IV. The mechanisms and means available for the holder, where appropriate, to express his refusal to process his personal data for purposes and transfers of personal data that require the consent of the holder, and
V. The site where the comprehensive privacy notice can be consulted.
The provision of the Privacy Notice referred to in this article does not exempt the person responsible from its obligation to provide the mechanisms so that the owner can know the content of the Privacy Notice referred to in the following article.
The mechanisms and Means referred to in Section IV of this article must be available so that the holder can express his refusal to the processing of his personal data for the purposes or transfers that require the consent of the holder, prior to the occurrence of such treatment.
Article 28. The comprehensive privacy notice referred to in Section V of the previous article must contain, in addition to the provisions of the sections of the previous article, at least the following information:
I. The address of the controller;
II. The personal data that will be subjected to treatment, identifying those that are sensitive;
III. The legal basis that empowers the data controller to carry out the treatment;
IV. The purposes of the processing for which the personal data are obtained, distinguishing those that require the consent of the owner;
V. The mechanisms, means and procedures available to exercise ARCO rights;
VI. The address of the Transparency Unit; and
VII. The means through which the controller will communicate to the owners the changes to the privacy notice.
Article 29. The data controller shall implement the mechanisms provided for in Article 30 of this law to prove compliance with the principles, duties and obligations established in this law and to account for the processing of personal data in its possession to the owner and to the Institute or the guarantor bodies, as appropriate, in which case it shall observe the Constitution and the international treaties to which the Mexican State is a party; insofar as they are not contrary to Mexican regulations, national or international standards or best practices may be used for such purposes.
Article 30. Among the mechanisms to be adopted by the responsible party to comply with the principle of responsibility established in this law are, at least, the following:
I. Allocate resources authorized for this purpose for the implementation of personal data protection programs and policies;
II. Develop policies and programs for the protection of personal data, mandatory and enforceable within the organization of the data controller;
III. Implement a programme of training and updating staff on obligations and other duties in the field of personal data protection;
IV. Periodically review personal data security policies and programs to determine any changes that may be required;
V. Establish a system of internal and/or external supervision and surveillance, including audits, to verify compliance with personal data protection policies;
VI. Establish procedures for receiving and responding to questions and complaints from holders;
VII. Design, develop and implement public policies, programs, services, computer systems or platforms, electronic applications or any other technology that involves the processing of personal data, in accordance with the provisions laid down in this Law and others that are applicable in the matter, and
VIII. Guarantee that its public policies, programs, services, computer systems or platforms, electronic applications or any other technology that involves the processing of personal data, comply by default with the obligations provided for in this law and the others that are applicable in the matter.


Chapter II
Of duties
Article 31. Regardless of the type of system in which the personal data are held or the type of treatment that is carried out, the responsible party shall establish and maintain administrative, physical and technical security measures for the protection of personal data, which protect them against damage, loss, alteration, destruction, or unauthorized use or access, as well as ensure their confidentiality, integrity and availability.
Article 32. The security measures adopted by the responsible must consider:
I. The risk inherent in the personal data processed;
II. The sensitivity of the personal data processed;
III. Technological development;
IV. The possible consequences of a breach for the holders;
V. Transfers of personal data that take place;
VI. The number of holders;
VII. Previous breaches that occurred in the processing systems; and
VIII. The risk for the potential quantitative or qualitative value that the personal data processed may have for a third party not authorized for its possession.
Article 33. In order to establish and maintain security measures for the protection of personal data, the data controller must perform, at least, the following interrelated activities:
I. Create internal policies for the management and processing of personal data, which take into account the context in which the processing takes place and the life cycle of personal data, that is, its collection, use and subsequent deletion;
II. Define the functions and obligations of the personnel involved in the processing of personal data;
III. Draw up an inventory of personal data and processing systems;
IV. Perform a risk analysis of personal data, considering the threats and vulnerabilities existing for personal data and resources involved in its treatment, such as, but not limited to, hardware, software, personnel of the responsible, among others;
V. Perform a gap analysis, comparing existing security measures against those missing in the responsible organization;
VI. Develop a work plan for the implementation of the missing security measures, as well as measures for the daily compliance with the policies of management and processing of personal data;
VII. Monitor and periodically review the security measures implemented, as well as the threats and breaches to which the personal data are subject, and
VIII. Design and implement different levels of training of personnel under your command, depending on their roles and responsibilities regarding the processing of personal data.
Article 34. Actions related to security measures for the processing of personal data must be documented and contained in a management system.
A management system shall mean the set of interrelated elements and activities to establish, implement, operate, monitor, review, maintain and improve the processing and security of personal data, in accordance with the provisions of this law and the other provisions applicable to it in the matter.
Article 35. In particular, the responsible must draw up a security document containing at least the following:
I. Inventory of personal data and processing systems;
II. The functions and obligations of persons who process personal data;
III. Risk analysis;
IV. Gap analysis;
V. The Work plan;
VI. Mechanisms for monitoring and reviewing security measures; and
VII. The general training program.
Article 36. The person responsible must update the security document when the following events occur:
I. There may be substantial changes to the processing of personal data resulting in a change in the level of risk;
II. As a result of a process of continuous improvement, derived from the monitoring and revision of the management system;
III. As a result of an improvement process to mitigate the impact of a security breach that occurred, and
IV. Implementation of corrective and preventive actions in the event of a security breach.
Article 37. In the event of a security breach, the responsible party must analyze the causes for which it was presented and implement in its work plan the preventive and corrective actions to adapt the security measures and the processing of personal data if it were the case in order to prevent the breach from being repeated.
Article 38. In addition to those indicated by the respective laws and the applicable regulations, at any stage of the data processing, at least the following shall be considered as security breaches:
I. Unauthorized loss or destruction;
II. Theft, loss or unauthorized copying;
III. Unauthorized use, access or treatment, or
IV. Damage, alteration or unauthorized modification.
Article 39. The person responsible must keep a log of security breaches that describes each breach, the date on which it occurred, the reason for it and the corrective actions implemented immediately and definitively.
Article 40. The person responsible must inform without delay the holder and, as appropriate, the Institute and the guarantor bodies of the Federative Entities of the breaches that significantly affect economic or moral rights, as soon as it is confirmed that the breach occurred and the person responsible has begun to take actions to trigger a thorough review of the magnitude of the effect, so that the affected holders can take the appropriate measures for the defence of their rights.
Article 41. The controller must inform the holder of at least the following:
I. The nature of the incident;
II. Compromised personal data;
III. Recommendations to the holder on the measures he can take to protect his interests;
IV. Corrective actions taken immediately; and
V. The means by which more information about it can be obtained.
Article 42. The data controller must establish controls or mechanisms that aim to ensure that all those who intervene in any phase of the processing of personal data, keep confidentiality with respect to these, an obligation that will remain even after the end of their relations with the same.
The foregoing, without prejudice to the provisions of access to public information.


THIRD TITLE
RIGHTS OF HOLDERS AND THEIR EXERCISE
Chapter I
Rights of access, rectification,
Cancellation and opposition
Article 43. At any time the owner or his representative may request from the responsible party access, rectification, cancellation or opposition with respect to the processing of the personal data concerning him, in accordance with the provisions of this title. The exercise of any of the ARCO rights is not a prerequisite for, nor does it prevent, the exercise of another.
Article 44. The owner will have the right to access his personal data in the possession of the responsible, as well as to know the information related to the conditions and generalities of its treatment.
Article 45. The owner will have the right to request the responsible for the rectification or correction of his personal data, when these prove to be inaccurate, incomplete or not updated.
Article 46. The holder will have the right to request the cancellation of his personal data from the files, records, records and systems of the responsible, so that they are no longer in his possession and are no longer treated by the latter.
Article 47. The holder may object to the processing of his personal data or demand that it cease, when:
I. Even if the processing is lawful, it must cease to prevent its persistence from causing damage or harm to the holder, and
II. His personal data are subject to automated processing that produces unwanted legal effects or significantly affects his interests, rights or freedoms, and is intended to assess, without human intervention, certain personal aspects of the holder, or to analyze or predict, in particular, his professional performance, economic situation, health status, sexual preferences, reliability or behaviour.
Chapter II
Of the exercise of the rights of access, rectification,
Cancellation and opposition
Article 48. The receipt and processing of requests for the exercise of ARCO rights that are submitted to those responsible will be subject to the procedure established in this title and other provisions that are applicable in the matter.
Article 49. For the exercise of ARCO rights it will be necessary to prove the identity of the holder and, where appropriate, the identity and personality with which the representative acts.
The exercise of ARCO rights by a person other than its owner or its representative, will be possible, exceptionally, in those cases provided for by legal provision, or where appropriate, by court order.
In the exercise of the ARCO rights of minors or persons who are in a state of interdiction or incapacity, in accordance with civil laws, the rules of representation provided for in the same legislation shall be complied with.
In the case of personal data concerning deceased persons, the person who proves to have a legal interest, in accordance with the applicable laws, may exercise the rights conferred on him by this chapter, provided that the owner of the rights has faithfully expressed his will to this effect or that there is a judicial mandate for this purpose.
Article 50. The exercise of ARCO rights must be free of charge. Charges may only be made to recover the costs of reproduction, certification or shipping, in accordance with the applicable regulations.
For purposes of access to personal data, laws establishing the costs of reproduction and certification must consider in their determination that the amounts allow or facilitate the exercise of this right.
When the holder provides the magnetic or electronic means or the necessary mechanism to reproduce the personal data, they must be delivered at no cost to the latter.
The information must be delivered at no cost, when it involves the delivery of no more than twenty simple sheets. Transparency units may exempt the payment of reproduction and shipping according to the socio-economic circumstances of the holder.
The responsible party may not establish for the submission of requests for the exercise of ARCO rights any service or means that involves a cost to the holder.
Article 51. The person responsible must establish simple procedures that allow the exercise of ARCO rights, whose response period must not exceed twenty days from the day following receipt of the request.
The period referred to in the previous paragraph may be extended once, for up to ten days, when circumstances so justify, and provided that the holder is notified within the reply period.
In the event that the exercise of ARCO rights is appropriate, the responsible must make it effective within a period that may not exceed fifteen days counted from the next day in which the response has been notified to the holder.
Article 52. In the application for the exercise of ARCO rights no greater requirements may be imposed than the following:
I. The name of the holder and his/her address or any other means of receiving notifications;
II. Documents proving the identity of the holder and, where appropriate, the personality and identity of his representative;
III. If possible, the responsible area that processes the personal data and before which the request is submitted;
IV. The clear and precise description of the personal data with respect to which one seeks to exercise any of the ARCO rights, except in the case of the right of access;
V. The description of the ARCO right that is intended to be exercised, or what the holder requests, and
VI. Any other element or document that facilitates the location of personal data, where appropriate.
In the case of a request for access to personal data, the holder must indicate the mode in which he prefers that these be reproduced. The person responsible must attend to the request in the manner required by the owner, unless there is a physical or legal impossibility that prevents him from reproducing the personal data in said manner; in this case he must offer other modalities of delivery of the personal data, founding and motivating said action.
Where the request for data protection does not satisfy any of the requirements referred to in this article, and the Institute or the guarantor bodies do not have elements to correct it, the data subject shall be notified within five days of the submission of the request for the exercise of the ARCO rights, on one occasion only, to correct the omissions within ten days from the day following that of the notification.
After the period has elapsed without the prevention being discharged, the request for the exercise of ARCO rights will be deemed not to have been submitted.
The prevention will have the effect of interrupting the period that the Institute, or where appropriate, the guarantor bodies, has to resolve the request for the exercise of ARCO rights.
With regard to a request for cancellation, the holder must indicate the causes that motivate him to request the deletion of his personal data in the files, records or databases of the responsible.
In the case of opposition, the holder shall state the legitimate causes or the specific situation that lead him to request the cessation of the treatment, as well as the damage or harm that the persistence of the treatment would cause, or, where appropriate, the specific purposes in respect of which he requires the exercise of the right of opposition.
Requests for the exercise of ARCO rights must be filed with the Transparency Unit of the person responsible that the holder deems competent, through free-form writing, forms, electronic means or any other means established by the Institute and the guarantor bodies, within the scope of their respective competences.
The person responsible must process any request for the exercise of ARCO rights and deliver the corresponding acknowledgement of receipt.
The Institute and the guarantor bodies, as appropriate, may establish simplified forms, systems and other methods to facilitate the exercise of ARCO rights by holders.
The means and procedures enabled by the controller to respond to requests for the exercise of ARCO rights must be easily accessible and with the greatest possible coverage considering the profile of the holders and the way in which they maintain daily or common contact with the controller.
Article 53. When the responsible party is not competent to respond to the request for the exercise of ARCO rights, it must inform the holder of this situation within three days following the submission of the request and, if it can be determined, direct the holder to the competent responsible party.
In the event that the data controller declares the absence of personal data in his files, records, systems or file, such declaration must be contained in a resolution of the Transparency Committee confirming the absence of personal data.
In the event that the responsible party notes that the request for the exercise of ARCO rights corresponds to a different right than those provided for in this law, he must redirect it to the appropriate channel, making this known to the owner.
Article 54. When the provisions applicable to certain processing of personal data establish a specific formality or procedure to request the exercise of ARCO rights, the controller must inform the owner of the existence of the same, within a period not exceeding five days following the submission of the request for the exercise of ARCO rights, in order for the latter to decide whether to exercise its rights through the specific procedure, or by means of the procedure that the person responsible has institutionalized for the attention of requests for the exercise of ARCO rights in accordance with the provisions established in this chapter.
Article 55. The only causes in which the exercise of ARCO rights will not be appropriate are:
I. When the holder or his representative is not duly accredited to do so;
II. When the personal data are not in the possession of the data controller;
III. Where there is a legal impediment;
IV. When the rights of a third party are injured;
V. When judicial or administrative proceedings are impeded;
VI. When there is a resolution of competent authority that restricts access to personal data or does not allow the rectification, cancellation or opposition thereof;
VII. When the cancellation or opposition has been previously made;
VIII. When the responsible party is not competent;
IX. When they are necessary to protect legally protected interests of the holder;
X. When they are necessary to comply with obligations legally acquired by the holder;
XI. When, depending on its legal powers, daily use, protection and management are necessary and proportionate to maintain the integrity, stability and permanence of the Mexican state, or
XII. When the personal data are part of the information that the entities subject to the regulation and financial supervision of the obliged subject have provided to the latter, in compliance with the requirements of said information about their operations, organization and activities.
In all the above cases, the responsible party must inform the owner of the reason for its determination, within the period of up to twenty days referred to in the first paragraph of Article 51 of this Law and other applicable provisions, and by the same means by which the request was made, enclosing, where appropriate, the pertinent evidence.
Article 56. Against the refusal to process any request for the exercise of ARCO rights or for lack of response from the person responsible, the appeal for review referred to in Article 94 of this law shall proceed.


Chapter III
Data portability
Article 57. When personal data are processed electronically in a structured and commonly used format, the holder will have the right to obtain from the controller a copy of the data subject to processing in a structured and commonly used electronic format that allows him to continue using them.
Where the holder has provided the personal data and the processing is based on consent or a contract, he shall have the right to transmit such personal data and any other information that he has provided and that is stored in an automated processing system to another system in a commonly used electronic format, without hindrance from the controller from whom the personal data is withdrawn.
The National System shall establish by means of guidelines the parameters to be considered in order to determine the cases in which a structured and commonly used format is present, as well as the technical standards, modalities and procedures for the transfer of personal data.
TITLE FOUR
RELATIONSHIP BETWEEN THE CONTROLLER AND THE PROCESSOR
Single Chapter
Controller and processor
Article 58. The processor must carry out the processing activities of personal data without having any power of decision on the scope and content of the same, and must limit its actions to the terms set by the controller.
Article 59. The relationship between the controller and the processor must be formalized by means of a contract or any other legal instrument that the controller decides, in accordance with the applicable rules, and that allows its existence, scope and content to be proved.
The contract or legal instrument decided by the controller shall provide, at least, the following general clauses related to the services provided by the processor:
I. Perform the processing of personal data in accordance with the instructions of the controller;
II. Refrain from processing personal data for purposes other than those instructed by the controller;
III. Implement security measures in accordance with applicable legal instruments;
IV. Inform the data controller when a breach occurs to the personal data that it processes by its instructions;
V. Keep confidentiality with respect to the personal data processed;
VI. Delete or return the personal data subject to processing once the legal relationship with the controller has been fulfilled, provided that there is no legal provision requiring the retention of personal data; and
VII. Refrain from transferring personal data except in the event that the controller so determines, or the communication derives from a subcontracting, or by express mandate of the competent authority.
The agreements between the controller and the processor related to the processing of personal data must not contravene this law and other applicable provisions, as well as the provisions of the corresponding privacy notice.
Article 60. Where the processor fails to comply with the instructions of the controller and decides for himself on the processing of personal data, he will assume the character of controller in accordance with the relevant legislation applicable to him.
Article 61. The processor may, in turn, subcontract services that involve the processing of personal data on behalf of the controller, provided that the express authorization of the latter is obtained. The subcontractor shall assume the character of processor in the terms of this law and other provisions that are applicable in the matter.
When the contract or legal instrument by which the relationship between the controller and the processor was formalized provides that the latter may subcontract services, the authorization referred to in the previous paragraph shall be deemed granted through what is stipulated in them.
Article 62. Once the express authorization of the controller has been obtained, the processor must formalize the relationship acquired with the subcontractor through a contract or any other legal instrument that it decides, in accordance with the applicable regulations, and that allows the existence, scope and content of the provision of the service to be proved in terms of the provisions of this Chapter.
Article 63. The data controller may contract or adhere to services, applications and infrastructure in cloud computing, and other matters that involve the processing of personal data, provided that the external provider guarantees personal data protection policies equivalent to the principles and duties established in this law and other provisions that are applicable in the matter.
Where appropriate, the data controller must define the processing of personal data by the external provider through contractual clauses or other legal instruments.
Article 64. For the processing of personal data in services, applications and computing infrastructure in the cloud and other matters, to which the responsible party adheres through general conditions or clauses of contract, the responsible party may only use those services in which the provider:
I. Complies with at least the following:
a) Have and apply personal data protection policies related to the applicable principles and duties established by this law and other applicable regulations;
b) Make transparent the subcontracts involving the information on which the service is provided;
c) Refrain from including conditions in the provision of the service that authorize or allow it to assume title to or ownership of the information on which it provides the service; and
d) Keep confidentiality with respect to the personal data on which the service is provided;
II. Has mechanisms, at least, to:
a) Make known changes to its privacy policies or to the terms of the service it provides;
b) Allow the controller to limit the type of processing of the personal data on which the service is provided;
c) Establish and maintain security measures for the protection of personal data on which the service is provided;
d) Ensure the erasure of personal data once the service provided to the data controller has been completed and the data controller has been able to recover it; and
e) Prevent access to the personal data by persons who do not have access privileges or, where access is at the well-founded and reasoned request of a competent authority, inform the data controller of this fact.
In any case, the responsible may not adhere to services that do not guarantee the proper protection of personal data, in accordance with this law and other provisions that are applicable in the matter.
TITLE FIVE
COMMUNICATIONS OF PERSONAL DATA
Single Chapter
Transfers and referrals of
Personal Data
Article 65. Any transfer of personal data, whether national or international, is subject to the consent of its owner, except for the exceptions provided for in articles 22, 66 and 70 of this law.
Article 66. Any transfer must be formalized by signing contractual clauses, collaboration agreements or any other legal instrument, in accordance with the regulations that are applicable to the controller, which allows to demonstrate the scope of the processing of personal data, as well as the obligations and responsibilities assumed by the parties.
The provisions of the previous paragraph shall not apply in the following cases:
I. Where the transfer is national and is carried out between responsible persons pursuant to compliance with a legal provision or in the exercise of powers expressly conferred on them; or
II. When the transfer is international and is provided for in a law or treaty signed and ratified by Mexico, or is carried out at the request of a foreign authority or international body competent in its capacity as receiver, provided that the powers between the transferor and receiver are equivalent, or the purposes that motivate the transfer are analogous or compatible with those that gave rise to the treatment of the transferor.
Article 67. When the transfer is national, the recipient of the personal data must process the personal data guaranteeing their privacy and will use them only for the purposes for which they were transferred, in accordance with what is agreed in the privacy notice communicated to it by the transferring controller.
Article 68. The data controller may only transfer or refer personal data outside the national territory when the third party receiver or the processor undertakes to protect the personal data in accordance with the principles and duties established by this law and the provisions that are applicable in the matter.
Article 69. In any transfer of personal data, the data controller must communicate to the recipient of the personal data the privacy notice according to which the personal data are processed with respect to the owner.
Article 70. The data controller may transfer personal data without requiring the consent of the holder, in the following cases:
I. When the transfer is provided for in this law or other international laws, conventions or treaties signed and ratified by Mexico;
II. When the transfer is made between controllers, as long as the personal data are used for the exercise of their own, compatible or similar powers for the purpose that motivated the processing of personal data;
III. When the transfer is legally required for the investigation and prosecution of crimes, as well as the prosecution or administration of Justice;
IV. When the transfer is necessary for the recognition, exercise or defence of a right before a competent authority, provided that the latter is required;
V. When the transfer is necessary for the prevention or medical diagnosis, the provision of health care, medical treatment or the management of health services, provided that such purposes are accredited;
VI. When the transfer is necessary for the maintenance or fulfillment of a legal relationship between the controller and the holder;
VII. Where the transfer is necessary by virtue of a contract concluded or to be concluded in the interests of the holder, by the responsible party and a third party;
VIII. When it comes to cases in which the controller is not obliged to obtain the consent of the holder for the processing and transmission of his personal data, in accordance with the provisions of Article 22 of this law, or
IX. When the transfer is necessary for reasons of national security.
The occurrence of any of the exceptions provided for in this article does not exempt the person responsible from complying with the obligations provided for in this chapter that are applicable.
Article 71. National and international referrals of personal data that are made between controller and processor do not need to be reported to the owner, nor do they require his consent.
TITLE SIXTH
PREVENTIVE ACTION IN THE FIELD OF
PROTECTION OF PERSONAL DATA
Chapter I
Best practices
Article 72. For the fulfillment of the obligations provided for in this law, the responsible party may develop or adopt, individually or in agreement with other controllers, processors or organizations, schemes of best practices that have as their object to:
I. Raise the level of protection of personal data;
II. Harmonise the processing of personal data in a specific sector;
III. Facilitate the exercise of ARCO rights by holders;
IV. Facilitate transfers of personal data;
V. Supplement the provisions of the applicable regulations on the protection of personal data; and
VI. Demonstrate to the Institute or, where appropriate, the guarantor bodies, compliance with the applicable regulations on the protection of personal data.
Article 73. Any scheme of best practices that seeks validation or recognition by the Institute or, where appropriate, by the guarantor Bodies shall:
I. Comply with the parameters to that effect issued, as appropriate, by the Institute and the guarantor bodies in accordance with the criteria laid down by the former; and
II. Be notified to the Institute or, where appropriate, the guarantor bodies in accordance with the procedure laid down in the parameters indicated in the previous section, in order to be evaluated and, where appropriate, validated or recognized and entered in the Register referred to in the last paragraph of this article.
The Institute and the guarantor bodies, as appropriate, shall issue the rules of operation of the registries in which those validated or recognized best practice schemes will be entered. The guarantor bodies may register the best practice schemes that they have recognized or validated in the register administered by the Institute, in accordance with the rules established by the latter.
Article 74. Where the controller intends to put into operation or modify public policies, computer systems or platforms, electronic applications or any other technology that, in its judgment and in accordance with this law, involves the intensive or relevant processing of personal data, it must carry out an impact assessment on the protection of personal data and submit it to the Institute or the guarantor bodies, as applicable, which may issue specialized non-binding recommendations in the field of protection of personal data.
The content of the impact assessment on the protection of personal data must be determined by the National System of transparency, access to Public Information and protection of personal data.
Article 75. For the purposes of this law, intensive or relevant processing of personal data shall be deemed to be in place when:
I. There are risks inherent to the personal data to be processed;
II. Sensitive personal data is processed, and
III. Transfers of personal data are made or intended to be made.
Article 76. The National System may issue additional criteria based on objective parameters that determine that there is intensive or relevant processing of personal data, in accordance with the provisions of the previous article, depending on:
I. The number of holders;
II. The target audience;
III. The development of the technology used; and
IV. The relevance of the processing of personal data in attention to the social or economic impact of the same, or the public interest that is pursued.
Article 77. Obliged subjects that carry out an impact assessment on the protection of personal data shall submit it to the Institute or the guarantor bodies, as applicable, thirty days prior to the date on which they intend to put into operation or modify public policies, computer systems or platforms, electronic applications or any other technology, so that the Institute or the guarantor bodies, as applicable, may issue the corresponding non-binding recommendations.
Article 78. The Institute and the guarantor bodies, as appropriate, shall issue, where appropriate, non-binding recommendations on the impact assessment on the protection of personal data submitted by the controller.
The deadline for the issuance of the recommendations referred to in the preceding paragraph shall be within thirty days from the day following the submission of the assessment.
Article 79. When, in the opinion of the obligated party, the effects intended to be achieved with the possible implementation or modification of public policies, computer systems or platforms, electronic applications or any other technology that involves the intensive or relevant processing of personal data could be compromised, or in emergency or urgent situations, it will not be necessary to carry out the impact assessment on the protection of personal data.
Chapter II
Of databases in possession of instances of security, procurement and administration of justice
Article 80. The collection and processing of personal data, in terms of what this law provides, by the obliged subjects competent in instances of security, procurement and administration of justice, is limited to those cases and categories of data that are necessary and proportional to the exercise of functions in matters of national security, public security, or for the prevention or prosecution of crimes. They must be stored in the databases established for this purpose.
The authorities that access and store the personal data collected by individuals in compliance with the corresponding legal provisions, must comply with the provisions set out in this chapter.
Article 81. In the processing of personal data, as well as in the use of the databases for their storage, the competent obliged subjects of the security, procurement and administration of justice instances must comply with the principles established in the second title of this law.
Private communications are inviolable. Only the federal judicial authority, at the request of the federal authority empowered by law or the head of the Public Prosecutor's Office of the corresponding federal entity, may authorize the intervention of any private communication.
Article 82. Those responsible for the databases referred to in this Chapter shall establish high-level security measures to ensure the integrity, availability and confidentiality of the information, so as to protect personal data against damage, loss, alteration, use or destruction, or unauthorized access.
TITLE SEVENTH
RESPONSIBLE FOR THE PROTECTION OF PERSONAL DATA IN THE POSSESSION OF THE OBLIGED SUBJECTS
Chapter I
Transparency Committee
Article 83. Each person responsible will have a Transparency Committee, which will be integrated and function in accordance with the provisions of the General Law on transparency and access to Public Information and other applicable regulations.
The Transparency Committee shall be the highest authority for the protection of personal data.
Article 84. For the purposes of this law and without prejudice to other powers conferred on it in the regulations applicable to it, the Transparency Committee shall have the following functions:
I. Coordinate, supervise and carry out the necessary actions to guarantee the right to the protection of personal data in the organization of the data controller, in accordance with the provisions provided for in this law and in those provisions that are applicable in the matter;
II. Institute, where appropriate, internal procedures to ensure greater efficiency in the management of requests for the exercise of ARCO rights;
III. Confirm, modify or revoke the determinations in which the non-existence of personal data is declared, or for any reason the exercise of any of the ARCO rights is denied;
IV. Establish and monitor the application of specific criteria that are necessary for better compliance with this law and with those provisions that are applicable in the matter;
V. Supervise, in coordination with the competent administrative areas or units, compliance with the measures, controls and actions provided for in the security document;
VI. Follow up on and comply with the resolutions issued by the Institute and the guarantor bodies, as appropriate;
VII. Establish training and updating programmes for public servants on the protection of personal data; and
VIII. Give notice to the internal control body or equivalent instance in those cases in which it has knowledge, in the exercise of its powers, of an alleged irregularity with regard to certain processing of personal data; particularly in cases related to the declaration of non-existence made by those responsible.
Chapter II
Transparency Unit
Article 85. Each responsible party will have a Transparency Unit, which will be integrated and will function in accordance with the provisions of the General Law on transparency and access to Public Information, this law and other applicable regulations, and which will have the following functions:
I. Assist and guide the owner who requires it in relation to the exercise of the right to the protection of personal data;
II. Manage requests for the exercise of ARCO rights;
III. Establish mechanisms to ensure that personal data is only given to its duly accredited holder or representative;
IV. Inform the owner or his representative of the amount of costs to be covered for the reproduction and sending of personal data, based on the provisions of the applicable regulatory provisions;
V. Propose to the Transparency Committee internal procedures that ensure and strengthen greater efficiency in the management of requests for the exercise of ARCO rights;
VI. Implement quality assessment tools on the management of applications for the exercise of ARCO rights; and
VII. Advise the areas assigned to the data controller on the protection of personal data.
Those responsible who, in the exercise of their substantive functions, carry out relevant or intensive processing of personal data, may appoint a personal data protection officer, specialized in the matter, who will exercise the powers mentioned in this article and will be part of the Transparency Unit.
Obliged subjects shall promote agreements with specialized public institutions that may assist them in the receipt, processing and delivery of responses to requests for information, in the indigenous language, braille or any corresponding accessible format, in a more efficient manner.
Article 86. The data controller shall ensure that persons with any type of disability or vulnerable groups can exercise, in equal circumstances, their right to the protection of personal data.
Article 87. In the appointment of the head of the Transparency Unit, the person responsible shall abide by the provisions of the General Law on transparency and access to Public Information and other applicable regulations.
TITLE EIGHTH
GUARANTOR BODIES
Chapter I
Of the National Institute for transparency, access to Information and protection of personal data
Article 88. The integration, designation and operation procedure of the Institute and the Advisory Council shall be in accordance with the General Law on transparency and access to public information, the federal law on transparency and access to Public Information and other applicable regulations.
Article 89. In addition to the powers conferred on it by the General Law on transparency and access to public information, the federal law on transparency and access to Public Information and other applicable regulations, the Institute shall have the following powers:
I. Guarantee the exercise of the right to the protection of personal data held by obliged subjects;
II. Interpret this law in the administrative field;
III. Know and resolve the review appeals filed by the holders, in terms of the provisions of this law and other provisions that are applicable in the matter;
IV. Know and resolve, ex officio or at the well-founded request of the guarantor bodies, the review appeals that, owing to their interest and significance, so merit, in terms of the provisions of this law and other provisions that are applicable in the matter;
V. Know and resolve the complaints of non-compliance filed by the holders against the resolutions issued by the guarantor bodies, in accordance with the provisions of this law and other provisions that are applicable in the matter;
VI. Know, substantiate and resolve verification procedures;
VII. Establish and implement the pressure measures provided for in terms of the provisions of this law and other provisions that are applicable in the matter;
VIII. Report to the competent authorities the alleged violations of this law and, where appropriate, provide the evidence it has;
IX. Coordinate with the competent authorities so that applications for the exercise of ARCO rights and review appeals that are submitted in the indigenous language, are attended in the same language;
X. Ensure, within the scope of their respective competence, accessibility conditions so that holders belonging to vulnerable groups can exercise, in equal circumstances, their right to the protection of personal data;
XI. Develop and publish studies and research to disseminate and expand knowledge on the subject of this law;
XII. Provide technical support to those responsible for the fulfillment of the obligations established in this law;
XIII. Disclose and issue recommendations, standards and best practices in matters regulated by this law;
XIV. Monitor and verify compliance with the provisions contained in this law;
XV. Manage the Register of best practice schemes referred to in this law and issue its operating rules;
XVI. Issue, where appropriate, the non-binding recommendations corresponding to the impact assessments on the protection of personal data that are submitted to it;
XVII. Issue general provisions for the development of the verification procedure;
XVIII. Carry out the evaluations corresponding to the best practice schemes that are notified to it, in order to decide on the appropriateness of their recognition or validation and entry in the Register of best practice schemes, as well as promote the adoption thereof;
XIX. Issue, within the scope of its competence, the administrative provisions of a general nature for the proper fulfillment of the principles, duties and obligations established by this law, as well as for the exercise of the rights of the holders;
XX. Enter into agreements with those responsible to develop programmes aimed at approving the processing of personal data in specific sectors, raising the protection of personal data and making any improvements to practices in this area;
XXI. Define and develop the certification system in the field of personal data protection, in accordance with what is established in the parameters referred to in this law;
XXII. Preside over the National System referred to in Article 10 of this law;
XXIII. Conclude agreements with the guarantor bodies that contribute to the fulfillment of the objectives provided for in this law and other provisions that are applicable in the matter;
XXIV. Carry out actions and activities that promote knowledge of the right to the protection of personal data, as well as its prerogatives;
XXV. Design and apply indicators and criteria to evaluate the performance of those responsible with respect to compliance with this law and other provisions that may be applicable in this area;
XXVI. Promote training and updating on the protection of personal data among data controllers;
XXVII. Issue general guidelines for the proper processing of personal data;
XXVIII. Issue guidelines to approve the exercise of ARCO rights;
XXIX. Issue general interpretation criteria to guarantee the right to the protection of personal data;
XXX. Cooperate with other supervisory authorities and national and international bodies, for the purpose of assisting in the protection of personal data, in accordance with the provisions provided for in this law and other applicable regulations;
XXXI. Promote and encourage the exercise and protection of the right to the protection of personal data through the implementation and administration of the national platform, referred to in the General Law on transparency and access to Public Information and other applicable regulations;
XXXII. Bring, when approved by the majority of its commissioners, actions of unconstitutionality against federal or state laws, as well as international treaties concluded by the Federal Executive and approved by the Senate of the Republic, which violate the right to the protection of personal data;
XXXIII. Promote, when approved by a majority of its commissioners, constitutional disputes in terms of Article 105, section I, subparagraph (L), of the Political Constitution of the United Mexican states;
XXXIV. Cooperate with other national or international authorities to combat conduct related to the improper processing of personal data;
XXXV. Design, monitor and, where appropriate, operate the system of good practices in the field of personal data protection, as well as the certification system in the field, through regulations that the Institute issues for such purposes;
XXXVI. Conclude agreements with the guarantor and responsible bodies that contribute to the achievement of the objectives provided for in this law and other provisions that are applicable in this matter; and
XXXVII. Any others conferred on it by this law and other applicable laws.
Chapter II
Of the guarantor bodies
Article 90. The integration, designation procedure and operation of the guarantor bodies shall be in accordance with the provisions of the General Law on transparency and access to Public Information and other applicable regulations.
Article 91. For the purposes of this law and without prejudice to other powers conferred on them in the regulations that are applicable to them, the guarantor bodies shall have the following powers:
I. Know, substantiate and resolve, within the scope of their respective powers, the review appeals filed by the holders, in terms of the provisions of this law and other provisions that are applicable in the matter;
II. Submit a well-founded petition to the Institute, so that it hears the review appeals that, owing to their interest and significance, merit it, in terms of the provisions of this law and other provisions that are applicable in the matter;
III. Impose pressure measures to ensure compliance with its resolutions;
IV. Promote and disseminate the exercise of the right to the protection of personal data;
V. Coordinate with the competent authorities to ensure that applications for the exercise of ARCO rights and review appeals submitted in indigenous languages are addressed in the same language;
VI. Guarantee, within the scope of their respective competences, accessibility conditions so that holders belonging to vulnerable groups can exercise, in equal circumstances, their right to the protection of personal data;
VII. Develop and publish studies and research to disseminate and expand knowledge on the subject of this law;
VIII. Inform the competent authorities of the probable liability arising from the breach of the obligations provided for in this law and in the other provisions that are applicable;
IX. Provide the Institute with the elements it requires to resolve complaints of non-compliance that are presented to it, in terms of the provisions of Title ninth, chapter II of this law and other provisions that are applicable in the matter;
X. Enter into collaboration agreements with the Institute for the fulfillment of the objectives provided for in this law and other applicable provisions;
XI. Monitor, within the scope of their respective powers, compliance with this law and other provisions that are applicable in the matter;
XII. Carry out actions and activities that promote knowledge of the right to the protection of personal data, as well as its prerogatives;
XIII. Apply indicators and criteria to assess the performance of those responsible with respect to compliance with this law and other applicable provisions;
XIV. Promote training and updating on the protection of personal data among data controllers;
XV. Request the cooperation of the Institute in the terms of Article 89, section XXX of this law;
XVI. Manage, within the scope of its competences, the National transparency platform;
XVII. As appropriate, bring actions of unconstitutionality against laws issued by the legislatures of the federal entities, which violate the right to the protection of personal data, and
XVIII. Issue, where appropriate, the non-binding recommendations corresponding to the personal data protection impact assessments that are submitted to them.
Chapter III
Coordination and promotion of the right to the protection of personal data
Article 92. Those responsible should collaborate with the Institute and the guarantor bodies, as appropriate, to train and update on a permanent basis all their public servants in the field of personal data protection, through the provision of courses, seminars, workshops and any other form of teaching and training that is considered relevant.
Article 93. The Institute and the guarantor bodies, within the scope of their respective competences, shall:
I. Promote that the programs and curricula, books and materials used in educational institutions of all levels and modalities of the State include content on the right to the protection of personal data, as well as a culture of its exercise and respect;
II. Promote, together with higher education institutions, the integration of research, dissemination and teaching centres on the right to the protection of personal data that promote knowledge on this subject and assist the Institute and the guarantor bodies in their substantive tasks; and
III. Encourage the creation of spaces for social and citizen participation that stimulate the exchange of ideas between society, the bodies of citizen representation and those responsible.
TITLE NINTH
OF THE DISPUTE PROCEDURES REGARDING THE PROTECTION OF PERSONAL DATA IN POSSESSION OF OBLIGED SUBJECTS
Chapter I
Common provisions for review and non-compliance remedies
Article 94. The holder or his representative may file an appeal for review or an appeal for non-compliance with the Institute or the guarantor bodies, as appropriate, or before the Transparency Unit, through the following means:
I. In free-form writing at the domicile of the Institute or the guarantor bodies, as appropriate, or in the authorized offices established for that purpose;
II. By certified mail with acknowledgement of receipt;
III. By formats issued for this purpose by the Institute or guarantor bodies, as appropriate;
IV. By electronic means authorised for that purpose; or
V. Any other means to that effect established by the Institute or guarantor bodies, as appropriate.
It will be presumed that the holder accepts that the notifications are made to him by the same channel through which he submitted his writing, unless he proves to have indicated a different one to receive notifications.
Article 95. The holder may prove his identity through any of the following means:
I. Official identification;
II. Advanced electronic signature or the electronic instrument replacing it; or
III. Authentication mechanisms authorized by the Institute and the guarantor bodies, as appropriate, published by general agreement in the Official Journal of the Federation or in the official journals and gazettes of the federal entities.
The use of the advanced electronic signature or the electronic instrument replacing it shall exempt the holder from presenting a copy of the identification document.
Article 96. When the holder acts through a representative, he must prove his personality in the following terms:
I. In the case of a natural person, by means of a simple power of attorney signed before two witnesses, attaching a copy of the identification of the signatories, or a public instrument, or a statement in personal appearance of the holder and the representative before the Institute.
II. In the case of a legal person, by means of a public instrument.
Article 97. The filing of an appeal for review or non-compliance of personal data concerning deceased persons may be carried out by the person who proves to have a legal or legitimate interest.
Article 98. In the substantiation of review and non-compliance remedies, notifications issued by the Institute and the guarantor bodies, as appropriate, shall take effect on the same day as they are made.
Notifications may be made:
I. Personally in the following cases:
(a) the first notification;
(b) the requirement of an act to the party to comply with it;
(c) the request for reports or documents;
(d) the resolution terminating the procedure in question; and
(e) in other cases provided for by law;
II. By certified mail with acknowledgement of receipt or digital means or systems authorized by the Institute or guarantor bodies, as applicable, and published by general agreement in the Official Journal of the Federation or official journals or gazettes of the federal entities, when it comes to requirements, summonses, requests for reports or documents and resolutions that can be challenged;
III. By ordinary postal mail or by ordinary e-mail in the case of acts other than those referred to in the preceding sections; or
IV. When the person to be notified cannot be located at his or her address, or when that address or that of his or her representative is unknown.
Article 99. The time limits set out in this title shall be calculated from the day following the day on which the relevant notification takes effect.
Once the deadlines set for the parties have elapsed, the right that should have been exercised within them shall be deemed forfeited, without the need for a declaration of default by the Institute.
Article 100. The holder, the responsible party, the guarantor bodies or any authority shall meet the information requirements within the deadlines and terms that the Institute and the guarantor bodies, as appropriate, establish.
Article 101. When the holder, the responsible party, the guarantor bodies or any authority refuses to attend to or comply with the requirements, requests for information and documentation, summonses, subpoenas or proceedings notified by the Institute or the guarantor bodies, as applicable, or to facilitate the carrying out of the proceedings that have been ordered, or obstructs the actions of the Institute or the guarantor bodies, as applicable, they shall be deemed to have lost their right to assert it at any other time in the procedure, and the Institute and the guarantor bodies, as appropriate, shall take the facts that are the subject of the procedure as true and shall resolve with the elements available.
Article 102. In substantiating review remedies or non-compliance remedies, the parties may provide the following evidence:
I. Public documentary evidence;
II. Private documentary evidence;
III. Inspection;
IV. Expert evidence;
V. Testimonial evidence;
VI. Confessional evidence, except in the case of authorities;
VII. Photographic images, electronic pages, writings and other elements contributed by science and technology; and
VIII. Legal and human presumptions.
The Institute and the guarantor bodies, as appropriate, may gather such evidence as they deem necessary, without limitations other than those established by law.
Chapter II
Review appeal to the Institute and guarantor bodies
Article 103. The holder, by himself or through his representative, may file an appeal for review before the Institute or, where appropriate, the guarantor bodies or the Transparency Unit of the responsible party that received the request for the exercise of ARCO rights, within a period which may not exceed fifteen days from the date of the notification of the response.
After the deadline for responding to a request for the exercise of ARCO rights has elapsed without it having been issued, the holder or, where appropriate, his representative may file an appeal for review within fifteen days following the expiry of the deadline for responding.
Article 104. The review appeal will proceed in the following cases:
I. Personal data are classified as confidential without complying with the characteristics indicated in the applicable laws;
II. The non-existence of personal data is declared;
III. Incompetence is declared by the responsible party;
IV. Incomplete personal data is provided;
V. Personal data is provided that does not correspond to what was requested;
VI. The access, rectification, cancellation or opposition of personal data is denied;
VII. No response is given to a request for the exercise of ARCO rights within the deadlines established in this law and other provisions that are applicable in the matter;
VIII. Personal data is provided or made available in a form or format other than that requested, or in an incomprehensible format;
IX. The owner is dissatisfied with the costs of reproduction, shipping or delivery times of personal data;
X. The exercise of ARCO rights is hindered, despite the fact that their admissibility was notified;
XI. An application for the exercise of ARCO rights is not processed; and
XII. In other cases provided by law.
Article 105. The only requirements in the notice of Appeal for review shall be as follows:
I. The responsible area to which the application for the exercise of ARCO rights was submitted;
II. The name of the data controller or his representative and, where applicable, of the third party concerned, as well as the address or means indicated to receive notifications;
III. The date on which the reply was notified to the holder, or, in case of lack of reply, the date of submission of the application for the exercise of ARCO rights;
IV. The act to be appealed and the points requested, as well as the reasons or grounds of non-compliance;
V. If applicable, a copy of the contested response and the corresponding notification; and
VI. Documents proving the identity of the holder and, where appropriate, the personality and identity of his representative.
The review appeal may be accompanied by evidence and other elements that the holder considers appropriate to submit to the judgment of the Institute or, where appropriate, of the guarantor bodies.
In no case will it be necessary for the holder to ratify the review appeal filed.
Article 106. Once the review appeal has been admitted, the Institute or, where appropriate, the guarantor bodies may seek a conciliation between the holder and the person responsible.
If an agreement is reached, it shall be recorded in writing and shall have binding effect. The review appeal shall be dismissed and the Institute, or where appropriate, the guarantor Bodies, shall verify compliance with the respective agreement.
Article 107. Having admitted the appeal for review and without prejudice to the provisions of Article 65 of this law, the Institute shall promote conciliation between the parties, in accordance with the following procedure:
I. The Institute and the guarantor bodies, as applicable, shall require the parties to state, by any means, their willingness to conciliate, within a period of not more than seven days, counted from the notification of said agreement, which will contain a summary of the review appeal and of the response of the responsible party, if any, indicating the common elements and the points of dispute.
The conciliation may be concluded in person, by remote or local means of electronic communication or by any other means determined by the Institute or the guarantor bodies, as appropriate. In any case, the conciliation must be recorded by a means that makes it possible to prove its existence.
The conciliation stage is excepted when the holder is a minor and any of the rights contemplated in the law for the protection of the rights of children and adolescents, linked to the law and the regulations, has been violated, unless the holder has duly accredited legal representation;
II. Once the possibility of conciliation has been accepted by both parties, the Institute and the guarantor bodies, as appropriate, shall indicate the place or means, day and time for holding a conciliation hearing, which must be held within ten days after the Institute or the guarantor bodies, as appropriate, have received the manifestation of the willingness to conciliate of both parties, and in which an attempt shall be made to reconcile the interests of the holder and the responsible party.
The conciliator may, at any time during the conciliation stage, require the parties to submit, within a maximum period of five days, the elements of conviction that it deems necessary for the conciliation.
The conciliator may suspend the hearing on one occasion when it deems it appropriate or at the request of both parties. If the hearing is suspended, the conciliator shall set the date and time for resumption within five days.
Minutes shall be drawn up of every conciliation hearing, recording its outcome. In the event that the responsible party or the holder or their respective representatives do not sign the minutes, this will not affect their validity, and such refusal must be recorded;
III. If one of the parties does not attend the conciliation hearing and justifies his absence within three days, he will be summoned to a second conciliation hearing, within five days; if he does not attend the latter, the review appeal will continue. When either party fails to attend the conciliation hearing without any justification, the procedure will be continued;
IV. If there is no agreement at the conciliation hearing, the review appeal will be continued;
V. If an agreement is reached, it shall be recorded in writing and shall have binding effect. The review appeal shall be dismissed and the Institute, or, where appropriate, the guarantor Bodies, shall verify compliance with the respective agreement; and
VI. Compliance with the agreement will terminate the substantiation of the review appeal; otherwise the Institute will resume the procedure.
The period referred to in the following article of this law shall be suspended during the period of compliance with the conciliation agreement.
Article 108. The Institute and the guarantor bodies shall resolve the review appeal within a period not exceeding forty days, which may be extended once for up to twenty days.
Article 109. During the procedure referred to in this chapter, the Institute and the guarantor bodies, as appropriate, shall remedy deficiencies in the complaint in favour of the holder, provided that this does not alter the original content of the review appeal, nor modify the facts or requests set out therein, and shall ensure that the parties are able to present the arguments and evidence which substantiate and give rise to their claims.
Article 110. If the holder does not comply with any of the requirements laid down in Article 105 of this law in the application for review and the Institute and the guarantor bodies, as the case may be, do not have elements to correct them, the latter shall require the holder, on a single occasion, the information to correct the omissions within a period not exceeding five days, counted from the day following the submission of the application.
The holder will have a period that may not exceed five days, counted from the day following that of the notification of the prevention, to correct the omissions, with the warning that in case of failure to comply with the requirement, the review appeal will be dismissed.
The prevention will have the effect of interrupting the time limit that the Institute and the guarantor bodies have to resolve the appeal, so it will begin to be counted from the day following its discharge.
Article 111. Decisions of the Institute or, where appropriate, the guarantor bodies may:
I. Dismiss or reject the review appeal as inadmissible;
II. Confirm the controller's response;
III. Revoke or modify the response of the controller, or
IV. Order the delivery of personal data, in case of omission by the controller.
The resolutions shall establish, where appropriate, the deadlines and terms for their compliance and the procedures to ensure their execution. Those responsible must inform the Institute or, where appropriate, the guaranteeing bodies of compliance with their resolutions.
In the absence of a resolution by the Institute, or where appropriate, by the guarantor bodies, the response of the person responsible will be deemed confirmed.
When the Institute, or where appropriate, the guarantor bodies, determine during the examination of the review appeal that there may have been a probable liability for the breach of the obligations provided for in this law and other provisions that are applicable in the matter, they shall make it known to the internal control body or the competent authority so that it may initiate, where appropriate, the respective liability procedure.
Article 112. The review appeal may be dismissed as inadmissible when:
I. It is extemporaneous because the period established in Article 103 of this law has elapsed;
II. The holder or his representative does not properly prove his identity and the personality of the latter;
III. The Institute or, where appropriate, the guarantor bodies have previously decided definitively on the subject of the same;
IV. None of the grounds for the review appeal provided for in Article 104 of this law is met;
V. Any remedy or means of defence brought by the appellant, or where appropriate, by the third party concerned, against the act appealed to the Institute or the guarantor bodies, as appropriate, is being processed before the competent courts;
VI. The appellant modifies or extends his request in the review appeal, only with respect to the new content, or
VII. The appellant does not prove legal interest.
The dismissal does not preclude the right of the holder to file a new review appeal with the Institute or the guarantor bodies, as appropriate.
Article 113. The review appeal can only be overridden when:
I. The appellant expressly withdraws;
II. The appellant dies;
III. Once the review appeal has been admitted, any ground of inadmissibility under this law arises;
IV. The controller modifies or revokes its response in such a way that the review appeal is left without substance, or
V. The review appeal shall be dismissed.
Article 114. The Institute and the guarantor Bodies shall notify the parties and publish the resolutions, in public version, no later than the third day following their adoption.
Article 115. The resolutions of the Institute and the guarantor Bodies shall be binding, final and unassailable for those responsible.
The holders may challenge these resolutions before the judiciary of the Federation through the Amparo trial.
Article 116. In the case of resolutions to review appeals by the guarantor bodies of the federal entities, individuals may choose to go before the Institute by filing the appeal of non-compliance provided for in this law or before the judiciary of the Federation through the Amparo trial.
Chapter III
Of the appeal of nonconformity to the Institute
Article 117. The holder, by himself or through his representative, may challenge the decision of the review appeal issued by the guarantor body before the Institute, through the appeal of non-compliance.
An appeal for non-compliance may be submitted to the guarantor body that issued the decision or to the Institute within fifteen days from the date of notification of the contested decision.
The guarantor bodies must send the appeal for non-compliance to the Institute the day after having received it, together with the records that make up the procedure that gave rise to the contested resolution; the Institute will resolve the appeal drawing on the elements it deems appropriate.
Article 118. The appeal of non-compliance will proceed against the resolutions issued by the guarantor bodies of the federal entities that:
I. Classify personal data without complying with the characteristics indicated in the applicable laws;
II. Determine the non-existence of personal data, or
III. Declare the refusal of personal data, i.e.:
a) incomplete personal data is provided;
b) personal data that do not correspond to those requested are provided;
c) the access, rectification, cancellation or opposition of personal data is denied;
d) personal data is delivered or made available in an incomprehensible format;
e) the owner is dissatisfied with the costs of reproduction, shipping, or delivery times of the personal data, or
f) the holder is directed to a specific procedure that contravenes the provisions of Article 54 of this law.
Article 119. The only requirements required and indispensable in the notice of application of the appeal for non-compliance are:
I. The responsible area before which the application for the exercise of ARCO rights was submitted;
II. The guarantor body that issued the contested resolution;
III. The name of the data controller or his representative and, where applicable, the third party concerned, as well as his address or the means indicated for receiving notifications;
IV. The date on which the resolution was notified to the holder;
V. The act to be appealed and the points requested, as well as the reasons or grounds for non-compliance;
VI. Where applicable, a copy of the contested decision and the relevant notification; and
VII. Documents proving the identity of the holder and, where appropriate, the personality and identity of his representative.
The promoter may accompany his/her written filing with the evidence and other elements that he/she considers appropriate to submit to the Institute's judgment.
Article 120. The institute shall resolve the appeal for non-compliance within a period not exceeding thirty days from the day following the filing of the appeal for non-compliance, a period which may be extended only once and for up to an equal period.
Article 121. During the procedure referred to in this chapter, the Institute shall apply the substitute of the complaint in favor of the holder, provided that it does not alter the original content of the appeal for non-compliance, nor modify the facts or requests set forth therein, and shall ensure that the parties can present the arguments and evidence that substantiate and motivate their claims.
Article 122. If, in the written filing of the appeal for non-compliance, the holder does not comply with any of the requirements laid down in Article 119 of this law and the Institute does not have elements to correct them, it shall require the holder, on a single occasion, to provide the information to remedy the omissions within a period not exceeding five days, counted from the day following the filing of the written statement.
The holder shall have a period not exceeding fifteen days, counted from the day following the notification of the prevention, to remedy the omissions, with the warning that, in case of failure to comply with the requirement, the appeal for non-compliance will be dismissed.
The prevention will have the effect of interrupting the time limit that the Institute has to resolve the appeal, so it will begin to be calculated from the day following its discharge.
Article 123. Once the evidentiary stage has been completed, the Institute shall make the record of the proceedings available to the parties and shall grant them a period of five days to make pleadings from the date of notification of the agreement referred to in this article.
Article 124. The resolutions of the Institute may:
I. Dismiss or reject the appeal for non-compliance;
II. Confirm the resolution of the guarantor body;
III. Revoke or amend the decision of the guarantor body; or
IV. Order the delivery of personal data, in case of omission of the responsible.
The resolutions shall establish, where appropriate, the deadlines and terms for their compliance and the procedures to ensure their execution. The guarantor Bodies shall inform the Institute of compliance with its resolutions.
If the Institute does not resolve within the time limit set out in this chapter, the resolution appealed against shall be deemed to be confirmed.
When the Institute determines, during the substantiation of the appeal for non-compliance, that there may have been a probable liability for the breach of the obligations laid down in this law and other provisions applicable in the matter, it must make this known to the internal control body or the court so that it may initiate, where appropriate, the respective liability procedure.
The measures of pressure provided for in this law will be applicable for the purposes of compliance with the resolutions issued on appeals for non-compliance. These measures of pressure must be laid down in the resolution itself.
Article 125. The appeal for non-compliance may be dismissed as inadmissible when:
I. It is extemporaneous because the period established in Article 117 of this law has elapsed;
II. The Institute has previously resolved definitively on the subject of the same;
III. None of the grounds for the appeal for non-compliance provided for in Article 118 of this law is met;
IV. Any remedy or means of defense brought by the holder, or where appropriate, by the third party concerned, against the act appealed is being processed, or
V. The appellant extends his request in the appeal for non-compliance, only with respect to the new contents.
Article 126. The appeal of nonconformity can only be dismissed when:
I. The appellant expressly withdraws;
II. The appellant dies;
III. The guarantor body modifies or revokes its reply in such a way that the appeal for non-compliance is dismissed; or
IV. Once the appeal is admitted, any ground of non-compliance in the terms of this law is updated.
Article 127. In cases where the resolution of the guarantor body is modified or revoked through the appeal for non-compliance, the guarantor body shall issue a new ruling following the guidelines that were set in resolving the appeal, within a period of fifteen days, counted from the day following the day on which it is notified or becomes aware of the decision on the appeal.
Article 128. It shall be the responsibility of the guarantor bodies, within the scope of their competence, to follow up on and monitor the due compliance by the person responsible with the new resolution issued as a result of the appeal for non-compliance in terms of this law.
Article 129. The resolutions of the institute shall be binding, final and unassailable for those responsible and the guarantor bodies.
The holders may challenge these resolutions before the judiciary of the Federation through the Amparo trial.


Chapter IV
Of the attraction of review appeals
Article 130. For the purposes of this law, the plenary of the Institute, when approved by a majority of its commissioners, may, ex officio or at the justified request of the guarantor bodies, exercise the power of attraction to hear those review appeals pending resolution in matters of personal data protection that merit it on account of their interest and significance and whose original jurisdiction corresponds to the guarantor bodies, in accordance with the provisions of this law and other applicable regulations.
Appellants may bring to the attention of the Institute the existence of review appeals that it could hear ex officio.
In the generally binding guidelines and criteria that the Institute must issue to determine the review appeals of interest and significance that it is obliged to hear, in accordance with the General Law on Transparency and Access to Public Information, the following factors shall additionally be considered for the attraction of review appeals in matters of personal data protection:
I. The purpose of the processing of personal data;
II. The number and type of data subjects involved in the processing of personal data carried out by the data controller;
III. The sensitivity of the personal data processed;
IV. The possible consequences that would arise from improper or indiscriminate processing of personal data; and
V. The relevance of the processing of personal data, in attention to the social or economic impact of the same and the public interest to know the review resource attracted.
Article 131. For the purposes of exercising the power of attraction referred to in this chapter, the Institute will state the grounds and reasons showing that the case is of such relevance, novelty or complexity that its resolution may have a substantial impact on the solution of future cases to guarantee the effective protection of the right to protection of personal data held by obliged subjects.
In cases where the guarantor body of the federal entity is itself the obliged subject appealed against, it must notify the Institute, within a period not exceeding three days, from the date of the appeal. The Institute shall attract and resolve such review appeals as set out in this chapter.
Article 132. The reasons given by the Institute to exercise the power of attraction of a case will only constitute a preliminary study to determine whether the matter meets the constitutional and legal requirements of interest and significance, in accordance with the previous precept, so it will not be necessary that they form part of the substantive analysis of the case.
Article 133. The Institute shall issue generally binding guidelines and criteria to determine the review appeals of interest and significance that it is obliged to hear, as well as the internal procedures for processing them, in accordance with the deadlines indicated for the review appeal.
Article 134. The power of attraction conferred on the Institute must be exercised in accordance with the following rules:
I. When it is carried out ex officio, the plenary of the Institute, if approved by a majority of its commissioners, may exercise the attraction at any time, until the review appeal has been resolved by the competent guarantor body, for which purpose it shall notify the parties and request the file from the corresponding guarantor body, or
II. When the request for attraction is made by the guarantor body of the federal entity, it shall have a period of no more than five days, except as provided for in the last paragraph of Article 105 of this law, to request the Institute to analyze and, where appropriate, exercise the power of attraction on the matter put to its consideration.
After this period, the right of the respective guarantor body to make the request for attraction shall be precluded.
The institute shall have no more than ten days to determine whether it exercises the power of attraction, in which case it shall notify the parties and request the file of the respective review appeal.
Article 135. The request for attraction of the review appeal will interrupt the period of time that the guarantor bodies have to resolve it. The computation shall continue from the day following the day on which the Institute has notified its determination not to attract the review appeal.
Article 136. Prior to the decision of the Institute on the exercise of the power of attraction referred to in the previous article, the guarantor body of the federal entity to which the original knowledge of the case corresponds must complete the analysis of all aspects whose study is prior to the substance of the case, except in the case where the aspects of importance and significance derive from the origin of the appeal.
If the plenary of the Institute, when approved by a majority of its commissioners, decides to exercise the power of attraction, it will take up the hearing or study of the subject matter of the attracted review appeal.
The Commissioner (s) who at the time had voted against exercising the power of attraction shall not be prevented from ruling on the substance of the matter.
Article 137. The resolution of the institute shall be final and unassailable for the guaranteeing body and for the obliged subject concerned.
At any time, individuals may challenge the decisions of the Institute before the judiciary of the Federation.
Article 138. Only the Legal Adviser of the government may bring an appeal for review in matters of national security before the Supreme Court of Justice of the nation, in the event that the resolutions of the Institute to the remedies described in this title, may endanger national security.
That national security review appeal shall be dealt with in the terms set out in Chapter V, "National Security Review appeal", of this title.
Chapter V
National security review appeal
Article 139. The legal counsel of the Federal Government may lodge an appeal for review in matters of national security directly with the Supreme Court of Justice of the nation, when it considers that the resolutions issued by the Institute endanger national security.
The appeal must be lodged within seven days of the day in which the guarantor notifies the obligor of the decision. The Supreme Court of Justice of the nation shall immediately determine, where appropriate, the suspension of the execution of the decision and within five days of the filing of the appeal shall decide on its admission or inadmissibility.
Article 140. In the statement of appeal, the legal counsel of the Federal Government shall state the decision being challenged, the grounds and reasons for which it considers that national security is endangered, as well as the necessary evidence.
Article 141. Any reserved or confidential information requested by the Supreme Court of Justice because it is essential to resolve the matter must be kept in that capacity and will not be available in the file, except in the exceptions provided for in Article 120 of the General Law on Transparency and Access to Public Information.
At all times, Ministers shall have access to classified information to determine its nature, as required. Access will be given in accordance with the regulations previously established for the protection or safeguarding of information by the obliged subjects.
Article 142. The Supreme Court of Justice of the nation shall decide with full jurisdiction, and in no case shall the referral proceed.
Article 143. If the Supreme Court of Justice of the Nation confirms the meaning of the contested decision, the obliged subject shall comply in the terms established by the corresponding provision of this law.
In the event that the resolution is revoked, the institute shall act on the terms ordered by the Supreme Court of Justice of the nation.


Chapter VI
Interpretation criteria
Article 144. Once the decisions issued on the occasion of the appeals that are submitted to its competence have been enforceable, the Institute may issue the interpretation criteria that it considers relevant and that derive from what is resolved therein, in accordance with the provisions of the General Law on transparency and access to Public Information and other applicable regulations.
The Institute may issue criteria of a guiding nature for the guarantor bodies, which shall be established by repetition in the resolution of three similar cases consecutively in the same direction, by at least two thirds of the plenary of the Institute, derived from resolutions that have become final.
Article 145. The criteria shall consist of an item, a text and the precedent or precedents which, if any, gave rise to their issue.
Any criteria issued by the Institute must contain a control key for its proper identification.
TITLE TENTH
POWER OF VERIFICATION OF THE INSTITUTE AND GUARANTOR BODIES
Single Chapter
Verification procedure
Article 146. The Institute and the guarantor bodies, within the scope of their respective powers, shall have the task of monitoring and verifying compliance with the provisions contained in this law and other regulations that derive from it.
In the exercise of monitoring and verification functions, the staff of the Institute or, where appropriate, of the guarantor Bodies shall be obliged to keep confidential the information to which they have access by virtue of the relevant verification.
The responsible party may not deny access to the documentation requested on the occasion of a verification, or to its personal databases, nor may it invoke the reservation or confidentiality of the information.
Article 147. Verification may be initiated:
I. Ex officio when the Institute or the guarantor bodies have evidence to show that violations of the relevant laws are well founded and substantiated; or
II. By complaint of the holder when he considers that he has been affected by acts of the responsible that may be contrary to the provisions of this law and other applicable regulations, or where appropriate, by any person when he has knowledge of alleged breaches of the obligations provided for in this law and other provisions that are applicable in the matter.
The right to lodge a complaint shall lapse one year from the day following that on which the acts or omissions that are the subject of the complaint took place. When the acts or omissions are of a continuing nature, the term will begin to count from the working day following the last act performed.
The verification will not proceed in the cases of provenance of the review appeal or non-compliance provided for in this law.
The verification will not be admitted in the cases of provenance of the review appeal or non-compliance, provided for in this law.
Prior to the respective verification, the Institute or the guarantor bodies may carry out preliminary investigations, in order to have elements on which to ground and give reasons for the respective initiation agreement.
Article 148. For the submission of a complaint, no greater requirements may be requested than those described below:
I. The name of the complainant, or, where applicable, his or her representative;
II. The address or means of receiving notifications from the Reporting Person;
III. The relationship of facts on which the complaint is based and the elements that you have to prove your claim;
IV. The data controller and his/her address, or where appropriate, the data for identification and/or location;
V. The signature of the complainant, or, where appropriate, his representative. If you do not know how to sign, the fingerprint will suffice.
The complaint may be submitted in free writing, or through the formats, electronic means or any other means established for that purpose by the Institute or the guarantor bodies, as appropriate.
Upon receipt of the complaint, the Institute and the guarantor bodies, as appropriate, must acknowledge receipt of the complaint. The corresponding agreement shall be notified to the complainant.
Article 149. The verification will begin by means of a written order, stating the grounds and reasons for the action by the Institute or the guarantor bodies, which aims to require from the responsible party the necessary documentation and information related to the alleged violation and/or to make visits to the offices or facilities of the responsible party, or where appropriate, to the place where the respective personal databases are located.
For verification in instances of national security and public safety, the resolution shall require the approval of the plenary of the Institute, by a qualified majority of its commissioners, or of the members of the guarantor bodies of the federal entities, as appropriate, as well as reinforced grounds and reasoning for the cause of the procedure, and the information must be secured solely for the exclusive use of the authority and for the purposes set forth in Article 150.
The verification procedure shall have a maximum duration of fifty days.
The Institute or the guarantor bodies may order precautionary measures if they find imminent or irreparable damage to the protection of personal data, provided that these measures do not prevent the performance of the functions or the securing of databases of the obliged subjects.
These measures may only have a corrective purpose and will be temporary, lasting until the obliged subjects carry out the recommendations made by the Institute or the guarantor bodies, as appropriate.
Article 150. The verification procedure shall conclude with a decision issued by the Institute or the guaranteeing bodies, in which the measures to be taken by the person responsible shall be laid down within the period determined by the institution.
Article 151. Those responsible may voluntarily submit to the conduct of audits by the Institute or the guarantor bodies, as appropriate, aimed at verifying the adaptation, adequacy and effectiveness of the controls, measures and mechanisms implemented to comply with the provisions provided for in this law and other applicable regulations.
The audit report must determine the adequacy of the measures and controls implemented by the responsible, identify their shortcomings, as well as propose complementary corrective actions, or recommendations that may apply.
TITLE ELEVENTH
ENFORCEMENT MEASURES AND RESPONSIBILITIES
Chapter I
Measures of urgency
Article 152. In order to comply with the resolutions issued by the Institute or the guarantor bodies, as appropriate, these bodies and the responsible, where appropriate, must observe the provisions of Chapter VI of title eight of the General Law on transparency and access to Public Information.
Article 153. The Institute and the guarantor bodies may impose the following pressure measures to ensure compliance with their determinations:
I. Public admonition; or
II. The fine, equivalent to the amount of one hundred and fifty to one and a half thousand times the daily value of the unit of measurement and update.
The non-compliance of the obliged subjects will be disseminated in the portals of transparency obligations of the Institute and the guarantor bodies and considered in the evaluations carried out by them.


In the event that failure to comply with the determinations of the Institute and the guarantor bodies involves the alleged commission of a crime or one of the behaviors indicated in Article 163 of this law, they must report the facts to the competent authority. Measures of an economic nature may not be covered by public resources.
Article 154. If, despite the execution of the measures of pressure provided for in the previous article, the resolution is not complied with, the superior will be required to oblige the person concerned, within five days, to comply without delay.
If the non-compliance persists, the measures of pressure established in the previous article shall be applied to the superior. After the period has elapsed without compliance, the competent authority for responsibilities shall be consulted.
Article 155. The enforcement measures referred to in this chapter shall be applied by the Institute and the guarantor bodies, either on their own or with the support of the competent authority, in accordance with the procedures laid down in the respective laws.
Article 156. The fines fixed by the Institute and the guarantor bodies will be made effective by the Tax Administration Service or the Finance Secretariats of the federal entities, as appropriate, through the procedures established by the laws.
Article 157. In order to qualify the pressure measures set out in this chapter, the Institute and the guarantor bodies shall consider:
I. The gravity of the fault of the person responsible, determined by elements such as the damage caused; indications of intent; the duration of the failure to comply with the determinations of the Institute or the guarantor bodies and the impact on the exercise of its powers;
II. The financial condition of the offender; and
III. Recidivism.
The Institute and the guarantor bodies shall establish, through guidelines of a general nature, the powers of the areas in charge of grading the severity of non-compliance with their determinations and of notifying and executing the measures of pressure that they apply and implement, in accordance with the elements developed in this chapter.
Article 158. In the event of a repeat offence, the Institute or the guarantor bodies may impose a fine equivalent to twice the amount determined by the Institute or the guarantor bodies.
A recidivist shall be deemed to be anyone who, having committed an offence that has been sanctioned, commits another of the same type or nature.
Article 159. The enforcement measures must be applied and implemented within a maximum period of fifteen days, counted from the notification of the enforcement measure to the infringer.
Article 160. The public reprimand shall be imposed by the institute or guarantor bodies and shall be executed by the immediate superior of the offender with whom it relates.
Article 161. The Institute or guarantor bodies may require the infringer to provide the information necessary to determine his financial condition, with the warning that, in case of failure to provide it, the fines will be quantified based on the elements that are available, understood as those found in public records, those contained in the media or on their own internet pages and, in general, any that evidence his financial condition. The Institute or guarantor bodies shall be empowered to require from the competent authorities such documentation as is deemed indispensable for that purpose.
Article 162. Against the imposition of measures of pressure, the corresponding remedy is appropriate before the judiciary of the Federation, or where appropriate before the corresponding judiciary in the federal entities.
Chapter II
Sanctions
Article 163. The following shall be grounds for sanction for breach of the obligations established in the matter of this law:
I. Act with negligence, intent or bad faith during the substantiation of requests for the exercise of ARCO rights;
II. Failure to comply with the time limits provided for in this law to respond to requests for the exercise of ARCO rights or to make effective the right in question;
III. Use, subtract, disclose, conceal, alter, mutilate, destroy or otherwise misuse, in whole or in part, personal data that is in their custody or to which they have access or knowledge by reason of their employment, position or commission;
IV. Intentionally processing personal data in contravention of the principles and duties established in this law;
V. Not having the privacy notice, or omitting from it any of the elements referred to in Article 27 of this law, as the case may be, and other provisions that are applicable in the matter;
VI. Classify as confidential, with intent or negligence, personal data without complying with the characteristics indicated in the applicable laws. The sanction will only proceed when there is a previous resolution, which has become final, regarding the criterion of classification of personal data;
VII. Breach of the duty of confidentiality established in Article 42 of this law;
VIII. Not to establish security measures in the terms established by Articles 31, 32 and 33 of this law;
IX. Personal data breaches occurring due to the lack of implementation of security measures according to Articles 31, 32 and 33 of this law;
X. Carry out the transfer of personal data, in contravention of the provisions of this law;
XI. Obstructing acts of verification by the authority;
XII. Create personal databases in contravention of the provisions of Article 5 of this law;
XIII. Failure to comply with the decisions issued by the Institute and the guarantor bodies; and
XIV. Omit the delivery of the annual report and other reports referred to in Article 44, Section VII of the General Law on transparency and access to public information, or deliver it extemporaneously.
The causes of liability provided for in sections I, II, IV, VI, X, XII, and XIV, as well as the recidivism in the conduct provided for in the rest of the sections of this article, shall be considered as serious for the purposes of their administrative sanction.
In the event that the alleged infringement has been committed by a member of a political party, the investigation and, where appropriate, sanction shall be the responsibility of the competent electoral authority.
Sanctions of an economic nature may not be covered by public resources.
Article 164. For the conduct referred to in the preceding article, the competent authority shall be consulted to impose or enforce the sanction.
Article 165. The responsibilities resulting from the corresponding administrative procedures, arising from the violation of the provisions of Article 163 of this law, are independent of those of the civil, criminal or any other type that may arise from the same facts.
Such responsibilities shall be determined, autonomously, through the procedures provided for in the applicable laws and the sanctions, if any, imposed by the competent authorities, shall also be carried out independently.
For this purpose, the Institute or the guarantor bodies may report to the competent authorities any act or omission in violation of this law and provide such evidence as they consider relevant, in accordance with the applicable laws.
Article 166. In the event of non-compliance by political parties, the competent Institute or guarantor body will, as appropriate, give notice to the National Electoral Institute or the local public electoral bodies of the competent federal entities, to resolve the issue, without prejudice to the sanctions established for political parties in the applicable laws.
In the case of probable infringements relating to trusts or public funds, the competent Institute or guarantor body shall give notice to the internal control body of the obligated person related to them, when they are public servants, in order to implement the applicable administrative procedures.


Article 167. In cases where the alleged offender has the capacity of public servant, the Institute or the guarantor body must send to the competent authority, together with the corresponding complaint, a file containing all the elements that support the alleged administrative responsibility.
The authority familiar with the matter shall inform the Institute or the guarantor body, as appropriate, of the conclusion of the procedure and, where appropriate, of the enforcement of the sanction.
In order to carry out the procedure referred to in this article, the Institute, or the relevant guarantor body, shall draw up a complaint addressed to the Comptroller's office, an internal control body or equivalent, with a precise description of the acts or omissions which, in its consideration, have an impact on the proper application of this law and which could constitute a possible liability.
It shall also prepare a file containing all the evidence it considers relevant to support the existence of possible liability. To that end, the causal link between the facts at issue and the evidence presented must be established.
The complaint and the file must be sent to the Comptroller's Office, internal control body or equivalent within fifteen days after the Institute or the corresponding guarantor body becomes aware of the facts.
Article 168. Where failure to comply with the determinations of the guarantor bodies implies the alleged commission of an offence, the respective guarantor body shall report the facts to the competent authority.
TRANSITIONAL
First. This law shall enter into force on the day following its publication in the Official Journal of the Federation.
Second. The federal law on transparency and access to public information, the other federal laws and the laws in force of the federal entities regarding the protection of personal data, must comply with the provisions provided for in this rule within a period of six months following the entry into force of this law.
In the event that the Congress of the Union or the legislatures of the states omit or only partially perform the applicable legislative adjustments within the term set forth in the preceding paragraph, this law shall apply directly, with the possibility of continuing to apply the existing laws in a supplementary manner in everything that does not conflict with it, so long as the condition imposed in this article has not been met.
Third. The Chamber of Deputies, the legislatures of the federal entities, within the scope of their respective powers, shall make the budget forecasts necessary for the operation of this law and establish the specific budget items in the budget of the Federation and in the budgets of the federal entities, as appropriate, for the next fiscal year when it enters into force.
Fourth. All provisions regarding the protection of personal data, federal, state and municipal, that contravene the provisions of this law are repealed.
Fifth. The Institute and the guarantor Bodies shall issue the guidelines referred to in this law and publish them in the Official Journal of the Federation, or in its official local Gazettes or newspapers, respectively, no later than one year from the entry into force of this decree.
Sixth. The National System of transparency, access to Information and protection of personal data shall issue the National Program for the protection of personal data referred to in this law and publish it in the Official Gazette of the Federation, no later than one year from the entry into force of this decree, regardless of the exercise of other powers that derive from the General Law on transparency and access to Public Information.
Seventh. The corresponding obliged subjects must process, issue or modify their internal regulations at the latest within eighteen months following the entry into force of this law.
Eighth. The current procedures and deadlines applicable in the matter may not be reduced or extended in the regulations of the federal entities, to the detriment of the owners of personal data.


Mexico City, December 13, 2016.- Sen. Pablo Escudero Morales, President.- Dip. Edmundo Javier Bolaños Aguilar, President.- Sen. Lorena Cuellar Cisneros, Secretary.- Dip. María Eugenia Ocampo Bedolla, Secretary.- Rubrics."
In compliance with the provisions of section I of Article 89 of the Political Constitution of the United Mexican States, and for its proper publication and observance, I issue this decree at the residence of the Federal Executive power, in Mexico City, on January twenty-four, two thousand and seventeen.- Enrique Peña Nieto.- Rubric.- The Secretary of the Interior, Miguel Ángel Osorio Chong.- Rubric.