RRS :: Ramos, Ripoll & Schuster
Corporate and Business
 
Personal data protection stored in cloud computing

October 10, 2017

Over the last decade, use of the so-called “cloud” for data transmission and storage has been increasing. It is becoming rare to find people who do not make use of this infrastructure, which enables ubiquitous access to shared groups of configurable resources (such as computer networks, servers, storage, applications and services).

As a consequence of the cloud's emergence, the need for its regulation has arisen, known in English as "Cloud Compliance".

The use of the cloud has been regulated around the world through different instruments; some of the most prominent are the following documents:

- Federal Information Security Management Act of 2002 (United States of America),
- Health Insurance Portability and Accountability Act (United States of America),
- European Union Data Protection Directive (European Union); and
- Payment Card Industry Data Security Standard (United States of America).

In our country, the cloud is mainly regulated by the following instruments:
- NOM-151-SCFI 2016, Requirements that must be observed for the conservation of data messages and digitalization of documents,
- Federal Law on the Protection of Personal Data Held by Private Parties (hereinafter referred to as the Law),
- Regulations to the Federal Law on the Protection of Personal Data Held by Private Parties (hereinafter referred to as the Regulations), and
- Guidelines of the Privacy Notice (hereinafter referred to as the Guidelines).

Although the Law does not expressly regulate the cloud, its article 36 establishes the obligation to notify the data owner and request the owner's consent to transfer the data, and article 37 stipulates the cases in which it is not necessary to request said express consent.

When a cloud service provider is hired, the data is being transmitted, so it is necessary to notify the data owners.

Pursuant to article 52 of the Regulations, a number of requirements must be met in order to hire a cloud service provider when dealing with information that contains personal data. In general terms, any cloud computing service that does not guarantee the protection of personal data may not be used for said data.

In that sense, said providers must:
- Have and apply personal data protection policies compatible with the principles and obligations established in the Law and the Regulations.
- Provide information regarding any subcontracting of services involving the information for which the service is provided.
- Refrain from including in their terms, conditions or clauses of service any provision that entitles them to assume property or ownership of the information for which the service is provided.
- Maintain confidentiality regarding the information for which the service is provided.

Also, they must have mechanisms or measures in place to:
- Inform of any changes in their privacy policies or terms and conditions for the service.
- Allow the use of the information for which the service is provided to be limited.
- Establish and maintain security measures to protect the information.
- Guarantee the permanent deletion of the information once the service has ended.
- Prevent access to the information by unauthorized parties and, if said access is required by authorities, inform of that situation.

In accordance with articles 62 and 63 of the Law, if personal data is transferred to a cloud service provider that does not meet all the requirements established by the Law and the Regulations, or the transfer is not properly notified to the owner of the data, the sending party could be sanctioned with a fine of up to $25,612,800.00 pesos.

In light of the foregoing, when in possession of personal data, it is crucial to take into account the measures to take when hiring a cloud service provider.

The original text of the Law can be consulted here, and the Regulations can be consulted here.

For additional information in this regard, please contact any of the members of our Corporate & Business Practice Team.
 
Rodolfo Ramos Menchaca
M. Alejandro Ripoll González
Diego A. Álvarez Ampudia
María Fernanda Lazcano Arregui
Abelardo Bernáldez Márquez
Karla M. Peña Medina
Lupita Esparza Sánchez
 
IMPORTANT: The information contained here is of a general nature and for informative purposes only. Please consider that what is stated here does not apply to the circumstances of any individual or entity. We strongly recommend not performing any activity based on this information without the professional assistance of our lawyers considering your particular circumstances.
 