Americas Implementation Programs

USA

California

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA), the first comprehensive data-privacy legislation in the US, was introduced in 2018 and has been enforced since January 1, 2020, by the State of California. The legislation seeks to establish procedures for identifying, managing, securing, tracking, producing and deleting consumer privacy information so as to protect the privacy rights of users. CCPA covers entities that do for-profit business in the territory of California involving the personal data of California residents, where the business meets one of the following thresholds:

  • annual gross revenue over US $25 million;
  • receives or discloses the personal information of 50,000 or more California residents; or
  • derives 50 percent or more of its annual revenue from selling California residents’ personal information.

This legislation protects personal data under a broad interpretation, including items such as phone numbers, social security numbers, biometric information, and Internet Protocol (IP) addresses.

Rights of Consumers

CCPA seeks to provide strong legal protection to consumers through their enumerated rights:

  • Right to know: Consumers have the right to know the details of the personal information being collected by the business entity, along with the source and purpose of such collection. Consumers have the right to access the personal information that has been collected by submitting a request to the entity, which must disclose it to them free of charge within 45 days.
  • Right to delete: Consumers have a right under the CCPA to ask the business entity to delete the personal information in its possession pertaining to the consumer, with certain exceptions such as information that must be retained for legal and regulatory purposes.
  • Right to opt out of sale: Consumers must also be able to learn whether, and to whom, their personal information is sold or disclosed/shared. Consumers further have the right to opt out of such a sale, subject to certain exceptions.
  • Right to non-discrimination: A business entity cannot deny any individual the right to be treated equally, and cannot discriminate against a consumer who has exercised their CCPA rights.

Compliance Obligations

CCPA puts various obligations on the business entities to ensure protection of personal information from unrestrained transfers and processing.

  • All business entities must publish a Privacy Policy complying with the CCPA rules, which must be updated at least once every 12 months.
  • They are also obligated to ensure that consumers are provided with information relating to the processing of their personal data.
  • In the interest of transparency, consumers must be notified before or at the point of data collection that permission is being sought to collect the specified data.
  • Consumers have to be granted the right to access the personal information that the entity holds.
  • It is the obligation of the entity to lay down the procedure for making requests; similarly, an opt-out option for “Do Not Sell My Personal Information” must be maintained by the entity to enable the exercise of consumer rights.
  • A data inventory has to be maintained by the entity to track data processing history.

Basis for Processing of Data under CCPA

Under CCPA, data may be processed for either business or commercial purposes. The general rule is that the consent of the consumer is not required for collecting or using their personal information. The exception is that the consumer’s consent is required when the business entity intends to sell the consumer’s personal information to a third party. For consumers who are minors under 16 years of age, the guardian of the individual must grant affirmative authorization for the sale by opting in.

Penalties

Corresponding to the obligations laid down under CCPA, there is a provision for the imposition of penalties for accountability and compliance under the regulation. The strictness of the penalties varies with the intent, frequency and severity of the non-compliance by the entity. CCPA mandates maximum civil penalties of $7,500 for intentional violations of the CCPA whereas maximum civil penalties of $2,500 can be ordered for unintentional violations of CCPA.

Enforcement Mechanism

Under CCPA, the Office of the Attorney General of California has been granted exclusive authority to bring civil actions against entities not complying with the obligations laid down under CCPA, such as failure to maintain a CCPA-compliant privacy policy or to address consumer requests. Alternatively, consumers have a private right of action to pursue a civil claim in court, but only when their unencrypted or unredacted personal information is breached.

California Privacy Rights Act (CPRA)

The California Privacy Rights Act, which shall be enforced from January 1, 2023, gives control of data to data subjects. The rights conferred by the Act play a major role in letting the data subject know how much data is being processed, why it is being processed, how long it will be retained, and the extent to which it will be used. Notably, CPRA does not apply to non-profit entities and other small businesses. CPRA also regulates third parties who collect data from entities that operate in California. The Act also applies to entities that do not operate inside California but collect data of California residents.

The CPRA applies to businesses that:

  • Have a gross annual revenue of over $25 million;
  • Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or
  • Derive 50% or more of their annual revenue from selling California residents’ personal information.

Rights of Consumers

  • Right to delete – The consumer can ask the business to delete the personal data it has collected about them.
  • Right to limit use of data / Right to opt out – The consumer can opt out of the sharing of their data or can limit the use of their data.
  • Right to access the data – The company needs to provide this data to the consumer on demand as soon as possible.
  • Right to alter the data collected by the company.
  • Right to know – The consumer has a right to know what data is shared and with whom. The consumer shall have the right to request that a business that sells or shares the consumer’s personal information, or that discloses it for a business purpose, disclose this to that consumer.

Compliance Obligations

  • The company needs to map data collection, flow and processing activities, and keep careful track of the data being collected and used.
  • The company needs to provide detailed privacy notices to consumers about the data it collects and the purposes for which it will be used. It also needs to state whether such data is shared, with whom and for what purpose.
  • The company needs to maintain security practices to prevent breaches.
  • The company needs to maintain a procedure to process any request by a data subject promptly.

Basis of processing data

Consent is the key factor for processing data under CPRA. CPRA establishes that consent should be unambiguous and clear. The company should clearly state the purpose of processing the data. The company also needs to obtain specific consent when it comes to processing special data. If a service provider engages another person to process personal data on its behalf, the existence of such engagement shall be notified. Such data can also be processed to fulfil a legal compliance obligation or in matters of special concern.

Penalties

Any business, service provider, contractor, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation and each violation involving the personal information of minor consumers.


Connecticut

Connecticut Data Breach Law (CDBL)

The Connecticut Data Breach Law is set to be enforced from October 1, 2021. This law provides the same kind of protection of data and rights as the California Privacy Rights Act. It applies to non-profit organizations as well, giving the law a wider reach.

The categories of personal information covered by this Act are:

  • Individual taxpayer identification number
  • Identity protection personal identification number issued by the IRS
  • Passport number, military identification number or other identification number issued by the government that is used to verify identity
  • Medical information regarding an individual’s medical history, mental or physical condition or medical treatment or diagnosis by a healthcare professional
  • Health insurance policy number or subscriber identification number, or any unique identifier used by a health insurer to identify the individual
  • Biometric information consisting of data generated by electronic measurements of an individual’s unique physical characteristics and used to authenticate or ascertain the individual’s identity, such as a fingerprint, voice print, retina or iris image; and
  • User name or electronic mail address, in combination with a password or security question and answer that would permit access to an online account.

Rights of Consumers

  • The consumer can choose to opt out of the sharing of any data. They can request the company to stop sharing their data with any third party.
  • The consumer can on request get all the data that the company stores related to them.
  • The consumer can request the company to delete all the data related to them.
  • The consumer can make corrections to the data they earlier provided to the company.

Compliance Obligations

  • The company should conduct a thorough data assessment and map what data it collects and what data it shares.
  • The company has a duty to send data breach notifications to affected state residents, licensees of the personal information, third parties and the Attorney General when personal data is breached or believed to be breached.

Basis of Processing of Data

The basis of processing data is consent. The controller has to collect data from users only after affirmative consent in written form. The controller shall not process any sensitive data without the consent of the user. The processing of data between the processor and controller shall be governed by a contract. Data can be processed without consent to fulfil a legal obligation or where it is necessary to protect someone’s interests. However, while processing such data, care must be taken that the processing causes no damage to the consumer’s interests.

Enforcement Obligations

The law shall be enforced by the Attorney General of Connecticut. Civil penalties shall be imposed for unfair trade practices, and a private right of action is granted to data subjects.

Penalties

Any controller or processor shall be liable for a civil penalty of not more than $7,500 for each violation.


Virginia

Virginia Consumer Data Protection Act (VCDPA)

The State of Virginia enacted its data protection law, the Consumer Data Protection Act, on March 2, 2021. The Act shall be enforced from January 1, 2023. The legislation follows the framework of the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CCPA). The law provides individuals of the state with certain rights when their data is being collected, ensuring control over the processing of their data.

The legislation applies to entities that conduct business in Virginia or produce products or services targeted to Virginia residents, and that:

  • Annually control or process the personal data of at least 100,000 Virginia residents, or
  • Control or process the personal data of at least 25,000 Virginia residents and derive over 50% of their gross revenue from the sale of personal data.

Rights of the Consumers

  • To confirm the processing of personal data by the controller;
  • To access the personal data processed;
  • To correct inaccuracies in the personal data;
  • To delete personal data provided to company;
  • To obtain a copy of the personal data provided to the controller;
  • To opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

Compliance Obligations

  • The company needs to conduct an annual data assessment and map the flow of data.
  • It needs to maintain a list of all the data it collects and provide a reason for collecting it.
  • Privacy notices and policies should be provided to consumers, stating the purpose of collection, the retention period and the termination of processing.
  • When selling or sharing collected data, appropriate safeguards need to be in place, and the company must ensure that the recipient company maintains appropriate safeguards as well.
  • If data is transferred out of the country, the company should ensure that such data is safe and that it maintains strong privacy policies to avoid any breach of data.

Basis of processing of Data

The basis of processing data is consent. The controller has to collect data from users only after affirmative consent in written form. The controller shall not process any sensitive data without the consent of the user.

Penalties

This law places special focus on mapping the procedures followed to sell or share data and, unlike the CPRA and CDBL, specifically grants the data subject a right to opt out. For any violation of this Act, fines of up to $7,500 per violation can be imposed.


Colorado

Colorado Privacy Act (CPA)

The Colorado Privacy Act was passed on June 8, 2021 and will be enforced on July 1, 2023. The scope of the Colorado Privacy Act (CPA) is reminiscent of the CDPA and CCPA but includes a few notable differences.

The CPA applies to any controller that:

  • Conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado; and
  • Controls or processes the personal data of at least 100,000 consumers during a calendar year; or
  • Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.

Rights of Consumers

  • Right to opt out – The data subject can choose to opt out of the sharing of any data.
  • Right to access – The company needs to provide the user, on request, with all the data it holds related to the user.
  • Right to correction – The user has the right to rectify any error in the data provided earlier.
  • Right to deletion – The user can opt to delete any data they have earlier provided to the company.
  • Right to data portability – If the user wants to transfer their data from one company to another, they can request the company to transfer their data to the company concerned.

Compliance Obligations

  • The company needs to map where data is collected from and how it is used.
  • The company needs to conduct privacy impact assessments from time to time to ensure that there is no possibility of a data breach of any sort.
  • Data security measures need to be checked at regular intervals.
  • The company needs to maintain privacy notices and policies.
  • The company needs to maintain a procedure to process any request by a data subject promptly.

Basis for processing of data

The basis of processing data is consent. The controller has to collect data from users only after affirmative consent in written form. The controller shall not process any sensitive data without the consent of the user. Data processed by the processor for the controller shall be governed by a contract. Data processing may be allowed without consent for reasons of public interest in the area of public health, but solely to that extent. Data cannot be transferred to a third party without the consent of the consumer. Where a contractual obligation exists, the consumer must be notified of it.

Enforcement Obligations

The Attorney General and District Attorneys have the exclusive authority to enforce this Act. The party is liable for any breach that occurs.


Utah

Utah Consumer Privacy Act

The Utah Consumer Privacy Act (“UCPA”) was introduced on February 17, 2022 and was signed into law on March 24, 2022. The UCPA will take effect on December 31, 2023.

It applies to businesses with annual revenue of $25,000,000 or more that conduct business in Utah or produce products or services that target Utah residents and that:

  • Control or process the personal data of 100,000 or more consumers; or
  • Derive over 50% of gross revenue from the sale of personal data of more than 25,000 consumers.

The UCPA does not apply to:

  • Government entities;
  • Higher education institutions;
  • Non-profits;
  • Businesses that are covered entities under HIPAA; and
  • Information subject to HIPAA, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, or the Drivers Privacy Protection Act.

Under the law, personal information is defined as “information that is linked or reasonably linked to an identified individual or an identifiable individual” and a consumer as “an individual who is a resident of Utah acting in an individual or household context”; the Act applies only to the personal data of consumers.

The Act, however, provides an exception for de-identified data, aggregated data and publicly available information. Entities subject to the UCPA are not required to re-identify de-identified or pseudonymous data to comply with the statute’s obligations.

Rights of Consumers

The Act extends rights to consumers relating to their personal data that is processed by controllers and processors. These rights can be exercised by consumers upon request, using the methods specified by the controller in the required privacy notice. These consumer rights include:

  • Right to seek confirmation from the controller with respect to the processing of the consumer’s personal data.
  • Right to seek access to the data collected from or provided by the consumer to the controller.
  • Right to seek deletion of the personal data that the consumer provided to the controller.
  • Right to obtain a copy of the personal data, in a “portable” format, that the consumer provided to the controller.
  • Right to opt out of the sale of one’s personal data and of its use for targeted advertising; disclosure to third parties is not equivalent to sale if the purpose is consistent with a consumer’s reasonable expectations.
  • Right against discrimination.

Compliance Obligations

UCPA requires the parties to enter into a contract establishing the details of the processing, along with the parties’ rights and obligations. Such a contract must set forth the instructions for processing, the nature and purpose of the processing, the type of data being processed and the duration of processing.

For Controllers:

  • Providing consumers with privacy notices containing information such as the categories of personal data processed by the controller, the purposes for such processing, how consumers can exercise their rights under the law, and the categories of personal data shared with third parties.
  • Establishing, implementing, and maintaining reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
  • Setting out contractual requirements when engaging data processors.
  • Giving explicit notice to consumers before processing “sensitive data” and providing them with an opportunity to opt out of such processing.

For Processors:

  • Adhere to the instructions of the controller and take appropriate technical and organizational measures to assist the controller in meeting its obligations, including those related to the security of personal data and breach notification.
  • Ensure that all persons handling personal data are subject to a duty of confidentiality with respect to the personal data.
  • Engage any subcontractors via a written agreement that requires the subcontractor to meet the same obligations as the processor with respect to the personal data.

Enforcement

There is no private right of action under the Act; however, it provides for a bifurcated enforcement scheme. The Utah Department of Commerce Division is required to investigate companies based on consumer complaints, and it then refers cases it deems legitimate to the Attorney General’s office. The Attorney General must then provide the business with written notice 30 days in advance, and an opportunity to cure within 30 days of receipt of the notice, before taking any action.

Penalties

The UCPA allows penalties to include the cost of actual damages and statutory penalties of up to $7,500 per violation of the statute.


Oklahoma

Oklahoma Computer Data Privacy Act of 2022

The Oklahoma Computer Data Privacy Act of 2022 (“Bill”) would apply to for-profit businesses that do business in the state, collect the personal information of Oklahoma residents, determine the purposes for and means of the processing, and satisfy one or more of the following thresholds:

  • has annual gross revenues in excess of ten million dollars ($10,000,000.00) in the preceding calendar year;
  • alone or in combination, annually buys, receives, shares, or discloses for commercial purposes the personal information of twenty-five thousand (25,000) or more consumers, households or devices; or
  • derives fifty percent (50%) or more of its annual revenues from sharing consumers’ personal information;
  • any entity that controls or is controlled by a business and that shares common branding with the business and with whom the business shares consumers’ personal information;
  • a joint venture or partnership composed of businesses in which each business has at least a forty-percent (40%) interest.

Rights of Data Subjects

  • Right to access: request disclosure of the categories and specific items of personal information the business has collected, via a verifiable consumer request.
  • Right to seek deletion of personal information.
  • Right to be informed regarding the sale/disclosure of one’s data.
  • Right to prohibit retention, use or disclosure of one’s own personal data.
  • Right to opt in to the sale of one’s personal information.
  • Right against discrimination.
  • Right to data portability.
  • Right to correct inaccurate information.

Compliance Obligations

  • Reasonable steps must be taken to erase the personal information that the business, service provider or third party made public, taking into account available technology and the cost of implementation.
  • A business shall only collect and/or share information with third parties that is reasonably necessary to provide a good or service to a consumer who has requested the same or is reasonably necessary for security purposes or fraud detection.
  • A business shall limit its use and retention of a consumer’s personal information to that which is reasonably necessary to provide a service or conduct an activity that a consumer has requested or for a related operational purpose.
  • A business shall apprise any consumer whose data is collected that the consumer has the right to opt-out of personalized advertising and the business shall have the duty to comply with the request promptly and free of charge.
  • A third party must notify the consumer of the third party’s new or changed practices in a conspicuous manner that allows the consumer to easily exercise a right provided under this act before the third-party collector uses or shares the personal information.
  • Provide a privacy policy with information regarding a consumer’s rights, a description of the consumer’s right to request the deletion of the consumer’s personal information, business or commercial purposes for collecting personal information, etc.
  • A business shall designate and make available to consumers, in a form that is reasonably accessible, at least two methods for submitting a verifiable consumer request for information required to be disclosed or deleted under this act.
  • Upon receiving a verifiable request from a consumer, a business must take all prompt steps to verify the details regarding the consumer making the request, as detailed in the Bill.
  • A business shall ensure that each person responsible for handling consumer inquiries about the business’s privacy practices or compliance with this act is informed of the requirements of the Bill.

Legal Basis for Processing

Any eligible business will be required to “only collect and/or share information with third parties that is reasonably necessary to provide a good or service to a consumer who has requested the same or is reasonably necessary for security purposes or fraud detection.”

It is also explicitly provided that the monetization of personal information shall never be considered reasonably necessary for any purpose.

Enforcement

The enforcement authority under the Bill is the Oklahoma Attorney General who is entitled to recover reasonable expenses, including reasonable attorney fees, court costs and investigatory costs, incurred in obtaining injunctive relief or civil penalties, or both, under this section. Amounts collected under this section shall be deposited in a dedicated account in the General Revenue Fund and shall be appropriated only for the purposes of the administration and enforcement of this act.

Penalties

Any person, business, or service provider that violates this act may be liable for a civil penalty of up to seven thousand five hundred dollars ($7,500) for each intentional violation and up to two thousand five hundred dollars ($2,500) for each unintentional violation.


Canada

Personal Information Protection and Electronic Documents Act (‘PIPEDA’)

The Act applies to private-sector organizations across Canada that collect, use or disclose personal information during commercial activity. The act doesn’t apply to:

  • any government institution to which the Privacy Act applies;
  • any individual in respect of personal information that the individual collects, uses, or discloses for personal or domestic purposes and does not collect, use or disclose for any other purpose; or
  • any organization in respect of personal information that the organization collects, uses or discloses for journalistic, artistic, or literary purposes and does not collect, use or disclose for any other purpose.

Rights of Data Subjects

  • Right to Access
  • Right to Correct
  • Right to address a challenge concerning non-compliance with PIPEDA to the organization
  • Right to file a complaint with the OPC

Compliance Obligations

  • Obtain consent for processing
  • Transparency
  • Implement security measures, including physical, organizational, and technological measures
  • Designating a Privacy Officer
  • Breach notification to the Office of the Privacy Commissioner and Individual
  • Transfer of data to a third country only after informing the individual about it
  • Obligation to investigate all complaints
  • Maintain personal information as accurate, complete, and up-to-date

Legal Basis for Processing

  • Legal requirements
  • Consent
  • Performance of a Contract

Enforcement

The Office of the Privacy Commissioner of Canada provides advice and information for individuals about protecting personal information. It also enforces two federal privacy laws that set the rules for how federal government institutions and certain businesses must handle personal information. The Privacy Commissioner has the authority to audit and publish information about personal information-handling practices in the public and private sectors, conduct research into privacy issues, and promote awareness and understanding of privacy issues among the public.

Penalties

Up to $10,000 (summary conviction) or $100,000 (indictable offence) when an individual obstructs the investigation of a complaint or an audit, or fails to comply with the breach notification provisions.


Alberta

Personal Information Protection Act (PIPA Alberta)

The Act protects personal information that is collected, used or disclosed by private-sector organizations in the province. It balances the rights of individuals and the needs of organizations to collect, use and disclose personal information for reasonable purposes. It applies to any organization that collects, uses or discloses personal information. It does not apply to health information, which comes under the purview of the Health Information Act, or to personal information to which the Freedom of Information and Protection of Privacy Act (Alberta) applies. It also does not apply to a public body or to any personal information that is in the custody of or under the control of a public body.

Rights of Data Subjects

  • Right to Access
  • Right to Correct
  • Right to withdraw consent
  • Right to file a complaint

Compliance Obligations

  • Designating a privacy officer
  • Transparency with regards to their policies regarding usage, collection, etc. and compliance with the Law
  • Reasonable security measures against breaches, etc.
  • Breach notification to the authority and individual when there is a “real risk of significant harm.”
  • Transfer of Data to a country outside Canada must mention in the privacy policy which countries outside Canada can collect, use and process this information and for what purpose.
  • Either destroy the information that is no longer of use or render such information so it can’t be used to identify the individual.

Legal Basis for Processing

  • Contractual Performance
  • Legal compliance

Enforcement

Alberta’s Information and Privacy Commissioner is an independent officer of the Legislature who works independently of the government to protect the information access and privacy rights of all Albertans. The OIPC is the regulator responsible for ensuring compliance with the Freedom of Information and Protection of Privacy (FOIP) Act, Health Information Act and Personal Information and Protection of Privacy Act.

Penalties

Up to $10,000 for individuals and up to $100,000 for persons other than individuals if the authority determines that an offence has been committed.


British Columbia

Personal Information Protection Act (PIPA BC)

The purpose of this Act is to govern the collection, use and disclosure of personal information by organizations in a manner that recognizes both the right of individuals to protect their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. It applies to any organization that collects, uses, or discloses personal information, except information to which PIPEDA applies and personal information to which the Freedom of Information and Protection of Privacy Act (BC) applies.

Rights of Data Subjects

  • Right to Access
  • Right to Correct
  • Right to withdraw consent
  • Right to file a complaint

Compliance Obligations

  • Transparency: provide information regarding policies and practices when requested.
  • Implement reasonable security measures.
  • Notifying the authority of a breach is not mandatory.
  • For transfers to a country outside British Columbia, disclose the kind of data transferred and the purpose of the transfer.
  • Destroy information as soon as it has served its purpose.

Legal Basis for Processing

  • Contractual Performance
  • Legal compliances

Enforcement

The Information and Privacy Commissioner is independent of government and promotes and protects the information and privacy rights of British Columbians. The Commissioner shall investigate, mediate and resolve appeals concerning access to information disputes, including issuing binding orders; investigate and resolve privacy complaints and educate and inform the public about their access and privacy rights and the relevant laws.

Penalties

Liability of up to $10,000 for individuals and up to $100,000 for persons other than individuals if the authority determines that an offence has been committed.


Quebec

Protection of Personal Information in the Private Sector (Quebec Privacy Act)

The purpose of this Act is to establish, for the exercise of the rights concerning the protection of personal information, particular rules with respect to personal information relating to other persons which a person collects, holds, uses or communicates to third persons in the course of carrying on an enterprise. The Act applies to such information whatever the nature of its medium and whatever the form in which it is accessible, whether written, graphic, taped, filmed, computerized, or other. This Act does not apply to journalistic, historical or genealogical material collected, held, used or communicated for the legitimate information of the public.

Rights of Data Subjects

  • Right to Access
  • Right to Correct
  • Right to request the examination of an issue

Compliance Obligations

  • Transparency: must inform the individual of the use of the data collected, where it is stored and who shall have access to it.
  • Implement reasonable security measures.
  • Transfer of information outside Quebec must be disclosed to the individual and may take place only with their consent.
  • Ensure that the data stored is up-to-date and accurate.

Legal Basis for Processing

  • Contractual Performance
  • Legal compliances

Enforcement

Chapter IV of the Access Act establishes the Commission d’accès à l’information (CAI), which has two sections, namely the monitoring section and the jurisdictional section. It sets out the various functions of the CAI and the powers attributed to it in order to allow them to be exercised, in addition to establishing the rules relating to its constitution and organization. Several articles contained in this chapter have been modified, in particular those related to the constitution and organization of the CAI, as well as the functions and powers of its two sections.

Penalties

  • $1,000 to $10,000 for a contravention of the provisions of the Act.
  • $5,000 to $50,000 for violating the rules governing the communication of personal information outside Québec.
  • Penalties for subsequent offenses are doubled.

Mexico

Ley Federal de Protección de Datos Personales en Posesión de los Particulares

The Federal Law on the Protection of Personal Data held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) entered into force on July 6, 2010. The parties regulated under this law are private parties, whether individuals or private legal entities, that process personal data, with the exception of:

  • Credit reporting companies under the Law Regulating Credit Reporting Companies and other applicable laws, and
  • Persons carrying out the collection and storage of personal data that is exclusively for personal use, and without purposes of disclosure or commercial use.

Rights of Data Subjects

  • Right to Access
  • Right to rectify incorrect or incomplete data
  • Right to cancel their data
  • Right to object to the processing of data

Compliance Obligations

  • Notify Data Breach: Data controllers must immediately inform data subjects about security breaches occurring at any stage of the processing that can materially affect their moral or property rights.
  • Data Protection Officer: It is compulsory for a controller to appoint a specific person or department for data protection.
  • Data Transfer: Where a data controller intends to transfer personal data to domestic or foreign third parties, other than to the data processor, it must provide them with its privacy notice and the processing purposes the data subject consented to.
  • Data Retention Limitation: Personal data may be processed for as long as necessary to fulfil the purposes of the processing as specified in the privacy notice and for a period equal to the statute of limitations of the actions that could arise as a result of, or in connection with, the data processing.
  • Sensitive Data: Sensitive data must not be processed unless certain conditions stipulated in the Act are met.
  • Contracts between controller and processor: The Act provides that where the processing of personal data is carried out by a data processor on behalf of a data controller, the processing shall take place under a written contract stipulating certain specific conditions as laid out in the Act.

Legal Basis for Processing

Under the Mexican data protection law, there is a general principle that prohibits the processing of personal data without the consent of the data subject. However, the requirement for consent does not apply where:

  • The processing is provided for under any law
  • The data is contained in publicly available sources
  • The personal data is subject to a prior dissociation procedure
  • The processing is for the purpose of fulfilling obligations under a legal relationship between the data owner and the data controller
  • There is an emergency situation that could potentially harm an individual in his person or property

Enforcement

The National Institute for Transparency, Access to Information and Personal Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales, INAI) and the Ministry of Economy (Secretaría de Economía) serve as Mexico’s data protection authorities. The INAI is an autonomous constitutional body responsible for upholding the right of access to public information held by any authority, entity, body or agency belonging to the executive, legislative and judicial branches, as well as by any natural person, legal entity or labour union that receives and spends public money or performs acts of authority at the federal level. The INAI is also in charge of upholding the right to protection of personal data held by the public and the private sectors.

Penalties

Fines range from 100 to 320,000 days of the current Mexico City minimum wage.


Our Services

We offer the following services to our clients as a part of our Implementation Programs:

  • Implementing Privacy Ecosystems
  • Providing Data Protection Impact Assessments
  • Providing GAP ecosystems
  • Acting as a Data Protection Officer
  • Data Protection and Privacy Consulting and Advisory
  • Evaluating and monitoring compliance levels from a legal standpoint under various jurisdictions
  • Drafting relevant agreements/policies for securing consent, provision of notice, etc.
  • Suggesting security and privacy best practices, policies and standards
  • Developing mitigation plans for possible privacy breaches
  • Assisting with disputes in the realm of data protection/privacy, if any
  • Delivering training on the legal provisions to the relevant teams

Benefits of the Americas Compliance Program

As part of our USA compliance program, we help you to:

  • Achieve compliance with the privacy laws efficiently and effectively.
  • Recognize, assess and strategize personal data within your organization.
  • Adapt, improve and leverage your existing privacy compliance in order to comply with the legislation.
  • Respond to data subject rights requests and fulfil business obligations under the legislation.
  • Manage policies and notices and maintain data privacy structures within the organization.
  • Provide an effective solution to all organizational requirements in privacy.
  • Obtain cost-effective solutions for privacy compliance from subject matter experts.
  • Implement the privacy program with industry professionals who have prior experience with US multinationals.


© 2019 Reina Consulting LLP – All rights reserved