Senior management and organisation
Please identify the authority’s senior management, a brief description of their role and responsibilities, and contact details. If you have an internal organogram of senior management, please provide it.
The governing body of the National Institute for Transparency, Access to Information and Personal Data Protection (INAI) is the Plenary, which is composed of seven commissioners. The President Commissioner is Francisco Javier Acuña Llamas.
When was the head of the authority appointed?
On 12 May 2017, INAI’s commissioners appointed Commissioner Francisco Javier Acuña Llamas as President Commissioner.
How long is their term of office?
The President Commissioner was elected for a period of three years.
What is the process for nominating the head of the authority?
According to INAI’s organic statute, the election of the President Commissioner will be held in an extraordinary and public session, with prior notice, in accordance with the guidelines for the functioning of the Plenary, and should be the only item on the agenda.
All Commissioners will be required to attend and must cast their votes by secret ballot. The Commissioner who obtains at least five votes in favour will be elected as President Commissioner.
The Commissioners who are interested in presiding over INAI must present and explain their work programme in the public session, detailing the objectives and actions to be taken to comply with them.
The Technical Secretary of the Plenary will count the ballot papers and read aloud the name that appears on each one of them, as well as the result of the vote.
If, in the election of the President Commissioner, three rounds of voting are held without achieving the number of votes referred to in the second paragraph of this article, a new round of voting will be held. In this round, only the two Commissioners who obtained the highest number of votes in the third round will participate as candidates. In this case only, the candidate with the most votes will be elected as President Commissioner.
The new President will take office immediately after the election and will take the oath of office before the Plenary.
What was the authority’s budget for the most recently available financial year?
According to the Budget of Expenditures of the Federation for Fiscal Year 2018, the authorised budget of INAI was $1,098,478,640 Mexican pesos. It is important to highlight that INAI not only focuses on personal data protection, but also on transparency and access to public information.
How many data protection/privacy-focused staff does the authority employ?
The Secretariat of Personal Data Protection is composed of 126 employees. Additionally, 4 employees of the Directorate General for International Affairs work on data protection and privacy issues.
Contacting the authority
How and where should companies or their advisers contact the authority to notify a data breach? Please specify individuals, email addresses, URLs for online forms, etc.
According to the regulations on personal data protection, regulated parties in the private sector are not obliged to notify a data breach to the supervisory authority (INAI or the local supervisory authorities); however, they are obliged to notify the data subject.
However, if a company wishes to notify a data breach, it must contact INAI’s Secretariat of Personal Data Protection and comply with the requirements established in article 131 of the Regulations to the Federal Law on the Protection of Personal Data Held by Private Parties. For this purpose, the company must access the Personal Data Protection System (https://www.datospersonales.org.mx/) to file a complaint for non-compliance with the Federal Law on the Protection of Personal Data Held by Private Parties.
Legal and enforcement framework
What are your investigative powers?
According to the Federal Law on Protection of Personal Data Held by Private Parties, INAI will verify compliance with this Law and its subordinate regulations. Verification may be initiated of its own motion (ex officio) or by petition of an interested party.
Verification ex officio will be carried out in the event of non-fulfilment of decisions issued in the rights protection procedures referred to in the preceding Chapter, or where there are grounds in law and fact to presume that violations of this Law have occurred.
In the verification procedure, INAI should have access to all information and documentation it deems necessary, in accordance with the respective decision.
Federal public servants will be obliged to observe confidentiality of the information they have access to as a result of the relevant verification.
Articles 128 to 139 of the Regulations to the Federal Law on the Protection of Personal Data Held by Private Parties describe the form, terms and periods for the verification procedure.
Also, INAI’s organic statute establishes that the Secretariat of Personal Data Protection has the following functions in terms of verification procedures:
- Jointly with the Directorate General for Research and Verification, to issue the order initiating the verification procedure, ex officio or at the request of a party, as well as the order extending the period for the final resolution of the verification procedure up to the term of one hundred and eighty days referred to in Article 132 of the Regulations of the Law on Protection of Personal Data, without prejudice to its direct exercise by the Plenary of INAI;
- To execute the instructions issued by the Plenary of INAI regarding the verification procedure provided for in the Law on Protection of Personal Data; to issue verification orders and sign the commission letters for the conduct of the verification procedure in accordance with the aforementioned legal framework and the other applicable provisions; and to issue verification credentials to the public servants who perform such functions.
On the other hand, the Directorate General for Research and Verification has the following attributions:
- To carry out investigation procedures, including those relating to security breaches, and to issue opinions regarding surveillance and verification related to compliance with the provisions of the Personal Data Protection Law, the Federal Law, its Regulations and other applicable provisions;
- Jointly with the Secretary of Personal Data Protection, to issue the order initiating the verification procedure, ex officio or at the request of a party, as well as the order extending the period for the final resolution of the verification procedure up to the term of one hundred and eighty days referred to in Article 132 of the Regulations of the Law on Protection of Personal Data, without prejudice to its direct exercise by the Plenary of INAI;
- To substantiate the verification procedure in accordance with the provisions of the Personal Data Protection Law, its Regulation and the other applicable legal provisions;
- To prepare reports on alleged infractions and breaches concerning personal data, in both the public and private sectors, in accordance with the applicable legal provisions;
- To coordinate with federal, state and municipal authorities, under the supervision of the Secretary of Personal Data Protection, and through the Executive Secretary of the National Transparency System if necessary, in order to obtain the support needed for the exercise of its powers;
- To require from individuals and authorities the information or documentation necessary to investigate a probable breach of the Law on Protection of Personal Data, the Federal Law, its Regulations and other applicable provisions on the protection of personal data;
- To adopt all types of actions and resolutions for the development of investigations for probable breaches of the Law on Protection of Personal Data, its regulations and other applicable provisions, both for the public and private sector, in terms of personal data;
- To adopt all types of actions and resolutions for the substantiation of the verification procedure, in accordance with the provisions of the Law on Protection of Personal Data, the Federal Law, the Federal Law of Administrative Procedure and other applicable provisions;
- To make notifications within the scope of its competence;
- To prepare and submit the draft resolutions corresponding to the conduct of the verification procedure provided for in the Law on Protection of Personal Data; and
- Other actions deriving from the applicable regulations in the matter, and those provided by the Plenary, the President Commissioner and the Secretary of Personal Data Protection.
Can you search premises or force the disclosure of information without having to approach the courts?
What fines can you impose on companies that breach data protection rules?
According to the Federal Law on Protection of Personal Data Held by Private Parties, violations of this Law will be punished by INAI as follows:
- A warning instructing the data controller to carry out the actions requested by the data owner, under the terms established by this Law, in the cases described in section I of the preceding article;
- A fine from 100 to 160,000 days of the Mexico City minimum wage (currently the Unit of Measurement and Update, or UMA), in the cases described in sections II to VII of the preceding article;
- A fine from 200 to 320,000 days of the Mexico City minimum wage (currently the UMA), in the cases described in sections VIII to XVIII of the preceding article; and
- In the event of repeated occurrences of the violations described in the preceding paragraphs, an additional fine from 100 to 320,000 days of the current Mexico City minimum wage (currently the UMA) will be imposed. For violations committed in the processing of sensitive data, the sanctions may be increased up to double the established amounts.
The sanctions indicated above will be imposed without prejudice to the resulting civil or criminal liability.
What other measures can you take against companies that breach data protection rules?
For the private sector, none.
What measures other than fines can you impose on a company that is breaching data protection rules?
For the private sector, none.
What emergency or interim measures can you take pending the full conclusion of your investigations?
For the private sector, none.
Priorities and the future
What are your enforcement priorities over the next year? For example, are you targeting any particular topics, or industry sectors?
The priorities in the near future are focused on speeding up verification procedures. To that effect, it would be a priority to design performance indicators.
Would you like to see further reforms to your laws (beyond GDPR implementation legislation, if applicable) or to your enforcement framework? If so, what?
We are currently working on schemes to improve the implementation of personal data protection legislation.