CMS Expert Guide: Data Law Navigator

Data protection

1. Local data protection laws and scope

In Mexico, the main data protection legislation is the Federal Law on the Protection of Personal Data held by Private Parties (the “Data Protection Law”) and its supplementary regulations (the “Data Protection Regulations”), together the “Data Protection Legislation”. The Data Protection Law came into force in July 2010 and the Data Protection Regulations came into force in December 2011. Other relevant legislation containing data protection provisions includes:

  • Articles 6 and 16 of the Mexican Constitution;
  • The Privacy Notice Guidelines, which govern the content of data privacy notices and obtaining consent for processing personal data;
  • The General Law for the Protection of Personal Data in Possession of Obligated Subjects, which governs personal data held by public bodies; and
  • The Federal Consumer Protection Law governs certain aspects concerning marketing activities.    

Additionally, Mexico is a signatory to international agreements on data protection, such as the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108). Mexico is also a member of the Ibero-American Data Protection Network.

In Angola, the relevant legislation is:

  • Law no. 22/11, of 17 June (Data Protection Law);
  • Law no. 23/11, of 20 June (Law of Electronic Communications and Information Services);
  • Law no. 7/17, of 16 February (Law of Network and IT Systems Protection);
  • Presidential Decree no. 108/16, of 25 May (General Electronic Communications Regulation);
  • Presidential Decree no. 202/11, of 22 July (Regulation on Information Technologies and Services);
  • Resolution 33/19, of 9 July (African Union Convention on Cybersecurity and Data Protection);
  • Law no. 2/20, of 22 January (Video surveillance);
  • Law no. 11/20, of 23 April (Mobile Identification or Location and Electronic Surveillance);
  • Law no. 38/20, of 11 November (Angolan Criminal Code);
  • Presidential Decree no. 275/20, of 21 October (Regulation of the Activity of the Private Credit Information Centres).

In Singapore, the Personal Data Protection Act 2012 (PDPA) is the data protection law that governs the collection, use, disclosure and handling of personal data. It recognises both the rights of individuals to protect their personal data, including rights of access and correction, and the needs of organisations to collect, use or disclose personal data for legitimate and reasonable purposes.

The PDPA also provides for the establishment of a national Do Not Call (DNC) Registry. The DNC Registry allows individuals to register their Singapore telephone numbers to opt out of receiving marketing phone calls, mobile text messages such as SMS or MMS, and faxes from organisations.

Key subsidiary legislation that operates alongside the PDPA includes the Personal Data Protection Regulations 2021, the Personal Data Protection (Notification of Data Breaches) Regulations 2021 and the Personal Data Protection (Do Not Call Registry) Regulations 2013.

Personal Data Protection Act 2012: https://sso.agc.gov.sg/Act/PDPA2012 

2. Data protection authority

In Mexico, the National Institute for Transparency, Access to Information and Personal Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales, or "INAI") is responsible for overseeing the Data Protection Legislation. Its aim is to promote access to public information about governmental activities and budgets, and to protect personal data and the right to privacy.
At the request of a data subject, the INAI may investigate a specific undertaking's compliance with the Data Protection Legislation and sanction those found to be in breach of it.

In Angola, the Data Protection Agency (Agência de Protecção de Dados, "APD"): https://www.apd.ao/ao/

In Singapore, the Personal Data Protection Commission (PDPC).

3. Anticipated changes to local laws

In Mexico, no changes are formally anticipated. However, the President of Mexico suggested in January that the INAI would be replaced by a State-controlled body; no further details or timelines have been provided.

In Angola, there are no relevant anticipated changes to local laws.

The following changes to the PDPA have been passed by Singapore’s Parliament, however they have not yet come into effect:

  • Data portability – mandatory obligation for organisations to provide an individual’s data, at the individual’s request, to another organisation in a commonly used machine-readable format; 
  • Derived personal data – provisions which exempt organisations from the data portability obligation, and from the obligations to provide an individual with access to or to correct personal data at the individual’s request, in respect of “derived personal data” (i.e. new data created by processing other data through business-specific logic or rules); and
  • Higher penalties – an increase in the financial penalties that may be imposed on organisations: for a breach of the data protection provisions, 10% of the organisation's annual turnover in Singapore (where that turnover exceeds SGD 10m) or SGD 1m, whichever is higher; and for a breach of the prohibitions on the use of dictionary attacks and address-harvesting software, 5% of its annual turnover in Singapore (where that turnover exceeds SGD 10m) or SGD 1m, whichever is higher.

4. Sanctions & non-compliance

In Mexico, the INAI has the authority to impose the following administrative fines (1 unit of measure = MXN 86.88):

  • 100 to 160,000 units of measure for:
    • Acting negligently or fraudulently in processing and responding to requests for personal data access, rectification, cancellation or objection;
    • Fraudulently declaring the non-existence of personal data where such data exists, in whole or in part, in the Data Controller's databases;
    • Processing personal data in violation of the principles established in the Data Protection Law;
    • Omitting from the Privacy Notice any or all of the information it must contain;
    • Maintaining inaccurate personal data where this is attributable to the Data Controller, or failing to make legally required rectifications or cancellations where the data subject’s rights are affected; and
    • Failing to comply with warnings issued by the INAI.
  • 200 to 320,000 units of measure for:
    • Breaching the duty of confidentiality set out in the Data Protection Law;
    • Materially changing the original purpose of the processing in contravention of the Data Protection Law;
    • Transferring data to third parties without providing them with the Privacy Notice containing the limitations to which the data subject has conditioned the disclosure;
    • Compromising the security of databases, premises, programmes or equipment;
    • Transferring or assigning personal data outside the cases permitted under the Data Protection Law;
    • Collecting or transferring personal data without the express consent of the data subject where such consent is required;
    • Obstructing verification actions of the INAI;
    • Collecting data in a deceptive or fraudulent manner;
    • Continuing the illegitimate use of personal data after the INAI or the data subject has requested that such use cease;
    • Processing personal data in a way that affects or impedes the exercise of the rights of access, rectification, cancellation and objection;
    • Creating databases containing sensitive personal data in violation of the Data Protection Law.

Where any of the above infractions persists, an additional fine of 100 to 320,000 units of measure may be imposed.

Sanctions may be doubled for any of the above infractions committed in the processing of sensitive personal data.

In Angola, the APD has administrative supervision and enforcement powers under the current law.

Under Angolan law, the APD may impose the following administrative fines:

1. Law no. 22/11, of 17 June

Violation of specific requirements for the processing of personal data, non-compliance with the obligation to notify the APD, and non-compliance with APD orders to cease access to open data transmission networks by data controllers who do not comply with the law: from USD 75,000 up to USD 150,000.

Violation of specific requirements for the processing of personal data, violation of the data processing principles, and processing of data without the consent of the data subjects: from USD 65,000 up to USD 130,000.

Note: The attempt of any of the above-mentioned misdemeanour actions or omissions is punishable.

2. Law no. 23/11, of 20 June

Violation of security provisions, violation of confidentiality and violation of the rules on traffic data: from USD 30,000 up to USD 150,000.

3. Law no. 7/17, of 16 February

Non-compliance with the provisions of this law, or violation of any of its requirements regarding data protection and security in networks and information systems, leads to fines ranging from AOA 7m to AOA 200m.

Criminal sanctions

1. Law no. 22/11, of 17 June

Non-compliance with data protection obligations

Prison sentence of three to 18 months, or a corresponding fine.

Unauthorised access to, tampering with or destruction of personal data

Prison sentence of six months to two years.

Qualified disobedience

Prison sentence up to three years.

Breach of confidentiality duty

Prison sentence up to 18 months or a corresponding fine.

Note: The attempt of any of the above-mentioned crimes is punishable with prison sentence up to six months, or a corresponding fine.

2. Law no. 38/20, of 11 November (Angolan Criminal Code)

Electronic Falsehood

Whoever, with intent to mislead or harm, inputs, alters, deletes or suppresses data in an information system or, in general, interferes with the processing of such data so as to produce false data that may be taken as true and used as evidence, shall be punished with a prison sentence of up to two years or a fine of up to 240 days.

Information Technology Data Damage

Whoever, with intent to cause damage to a third party or to obtain a benefit for himself or a third party, alters, deteriorates, renders useless, deletes, suppresses or destroys, in whole or in part, or in any way renders inaccessible, another person's data, shall be punished with a prison sentence of one to 12 years or a fine of up to 360 days.

Illegitimate reproduction of computer program, databases and topography of semiconductor products

Prison sentence of two to three years or a fine of 240 to 360 days.

Note: The attempt of any of the above-mentioned crimes is punishable.

Administrative sanctions:
  • In Singapore, in relation to the enforcement of the data protection provisions, the PDPC may issue fines of up to SGD 1m for each breach.
  • In relation to the enforcement of the DNC Registry provisions and the prohibition on use of dictionary attacks and address-harvesting software, the PDPC may issue a fine up to an amount not exceeding SGD 200,000 in the case of an individual, and up to SGD 1m in any other case.
  • The PDPC may also issue directions for non-compliance, which includes directions to stop collection, use or disclosure of personal data, and to destroy personal data collected. 
Criminal sanctions:
  • Imprisonment for a term not exceeding: 
    • Two years – for knowing or reckless unauthorised disclosure of personal data; knowing or reckless unauthorised use of personal data for a gain or to cause harm or loss to another person; or knowing or reckless unauthorised re-identification of anonymised information;
    • 12 months – for unauthorised request to access or correct personal data about another individual; obstructing or hindering the PDPC in the exercise of its powers or duties; knowing or reckless false statement made to the PDPC; or knowing attempts to mislead the PDPC; or
    • Six months – for neglect or refusal to provide any information or produce any document to the PDPC or attend before the PDPC without reasonable excuse; or unauthorised use of a symbol or representation identical to or which resembles that of the PDPC. 
  • Criminal fines may also be imposed and vary depending on the specific offence, although in general they do not exceed SGD 10,000 in the case of individuals and SGD 100,000 in the case of organisations.
Others: 
  • Individuals have a private right of action and may seek relief by way of injunction, declaration or damages for loss or damage suffered directly as a result of a contravention of the PDPA.

5. Registration / notification / authorisation

In Mexico, the Data Protection Legislation does not require prior notification or registration for any data processing activities.

In Angola, under Law no. 22/11, of 17 June, the processing of personal data is subject to prior notification to, or authorisation by, the APD.

Where only notification is required, the APD must decide on the data controller's submission within 30 days of receipt.

The notifications and requests for authorisation sent to the APD must contain the following information:

  • Identification of the data controller;
  • Purpose of processing;
  • Description of the category of data and respective data subjects;
  • Identification of the recipients;
  • Any interconnection of processing of personal data;
  • Period of data retention;
  • How the exercise of the rights of the data subjects is guaranteed;
  • Planned data transfers to third countries;
  • Preliminary description of the security measures adopted.

In Singapore, there is no requirement for organisations to register with the PDPC. However, voluntary registration of the Data Protection Officer is encouraged.

6. Main obligations and processing requirements

In Mexico, the Data Protection Law recognises two parties who deal with personal data:

  1. Data Processors: the natural or legal person that processes personal data on behalf of the Data Controller.
  2. Data Controller: the natural or legal person that decides on the processing of personal data.

Their relationship must be established through contractual clauses or other legal instruments in a way that proves the existence, scope and nature of such relationship.

According to the Data Protection Legislation, the principles that must be observed by controllers and/or processors in the processing of personal data are the following:

  1. Legitimacy: Personal data must be collected and processed in a lawful manner;
  2. Consent: The data subject must give their consent to the processing of their personal data;
  3. Information: Through a Privacy Notice, the Data Controller must inform the data subject of the existence and characteristics of the processing of their personal data;
  4. Quality: This principle is presumed to be met when the personal data is provided directly by the data subject; otherwise, the Data Controller must take the measures and adopt the mechanisms necessary to ensure that the data is accurate, complete, up to date and correct;
  5. Purpose: Personal data may only be processed for the purposes set out in the Privacy Notice;
  6. Loyalty: Personal data must be processed in a way that safeguards the data subjects’ interests and their reasonable expectation of privacy;
  7. Responsibility: Data Controllers are responsible for the processing of personal data in their custody, including data transferred to a Data Processor.

Additionally, the following legal requirements should be taken into account when processing personal data:

  1. Personal data must be collected and processed in a lawful manner in accordance with the provisions established by the Data Protection Legislation and other applicable regulations;
  2. Personal data must not be obtained through deceptive or fraudulent means;
  3. In all processing of personal data, a reasonable expectation of privacy is presumed, understood as the trust a person places in another that personal data provided will be processed in accordance with the parties' agreement and the terms established by the Law;
  4. Personal data should not be kept for any longer than is necessary in order to comply with the purposes for which the personal data was originally held. Data Controllers must establish and document retention procedures, including deletion and/or blocking of personal data, taking the nature of the data into account.   

In Angola, under the APD's guidelines and Law no. 22/11 itself, the data controller's obligations are:

  • To notify the APD in advance of any processing, or set of processing operations, of personal data that is wholly or partly automated and intended to serve one or more interrelated purposes;
  • To notify the APD of any subsequent changes;
  • To process data lawfully and in good faith;
  • To collect data for specified, explicit and legitimate purposes;
  • To collect data that is adequate, relevant and not excessive in relation to the purposes for which it is collected and subsequently processed;
  • To ensure that data are accurate and up to date and take reasonable steps to ensure that inaccurate or incomplete data are erased or rectified;
  • To provide the data subject with all information required by law, including the specific information required when data is collected over open networks;
  • Not to process personal data in a way incompatible with the purposes for which it was collected. If the data controller intends to process data for a different purpose, it must first obtain the authorisation of the APD or the consent of the data subjects;
  • To guarantee the data subject a right of access, freely and without restrictions, at reasonable intervals and without excessive delays or costs;
  • Guarantee the data subject the right to freely exercise the right to object to processing for the purposes of direct marketing or any other form of prospecting;
  • Obtain prior consent from data subjects for the purposes of direct marketing using automated calls or fax machines;
  • Obtain and maintain consent from the data subject for the processing of personal data;
  • Implement technical and organisational measures to ensure data protection against accidental loss, destruction, alteration, unauthorised disclosure or access. It shall also enforce the legal obligation of professional secrecy with respect to the processed personal data;
  • Not to interconnect personal data unless authorised by the APD or required by law;
  • Whoever has access to personal data obtained through video-surveillance systems is bound by professional secrecy;
  • Personal data accidentally captured by video-surveillance systems that relates to a person's intimate or private life, is of a purely social nature and has no criminal relevance must be destroyed immediately by the person responsible for the system;
  • Not to communicate data to third parties that have not notified their processing to the APD;
  • To destroy the personal data once the authorised storage period has expired;
  • To stop the processing of personal data when a situation arises that is not in accordance with the law and has been instructed to do so by the competent authority.

Other obligations are established in Law no. 7/17, of 16 February, which sets out the legal regime for the protection of networks and IT systems, as follows:

  • Operators of information systems shall encrypt electronic communication networks so as to guarantee the technical and security conditions under which traffic and location data relating to natural and legal persons are transmitted;
  • Cyberspace operators and service providers must submit to the APD and INACOM an accident and incident management plan, for use in the event of a computer emergency, before commencing activities;
  • The use of databases must comply with the technical standards and specialised procedures for adequate protection of access, storage, file duplication, processing and recovery of automated information;
  • Electronic communications operators shall ensure that retained data are of the same quality and subject to the same security and protection as those data on the network;
  • Electronic communications operators shall take appropriate technical and organisational measures to protect data against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure;
  • Electronic communications operators shall take appropriate technical and organisational measures to ensure that only authorised employees and partners (including processors) have access to personal data;
  • Electronic communications operators must destroy personal data as soon as the information is no longer necessary for the purpose for which it was collected or if required by instruction of the competent authorities.

Organisations, wherever located, that process personal data of individuals in Singapore are required to comply with the PDPA.

The PDPA sets out ten main data protection obligations which are to be complied with when processing personal data.

Under the PDPA, to collect and process personal data lawfully, organisations must comply with the following obligations:

  1. Consent Obligation – to obtain the consent of the individual; 
  2. Purpose Limitation Obligation – to collect, use or disclose personal data about an individual for the purposes that a reasonable person would consider appropriate in the circumstances and for which the individual has given consent;
  3. Notification Obligation – to notify individuals of the purposes for which the organisation is intending to collect, use or disclose their personal data on or before such collection, use or disclosure of personal data;
  4. Access and Correction Obligation – upon request, provide an individual with their personal data and information about the ways in which it has been or may have been used or disclosed, and correct any error or omission in the individual’s personal data;
  5. Accuracy Obligation – make reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete;
  6. Protection Obligation – make reasonable security arrangements to protect the personal data that the organisation possesses or controls;
  7. Retention Limitation Obligation – cease retention of personal data or remove the means by which the personal data can be associated with particular individuals when it is no longer necessary for any business or legal purpose;
  8. Transfer Limitation Obligation – ensure that the standard of protection provided to the personal data transferred to another country will be comparable to the protection under the PDPA; 
  9. Data Breach Notification Obligation – assess whether a data breach is notifiable and notify the affected individuals and/or PDPC where it is assessed to be notifiable; and
  10. Accountability Obligation – implement policies and procedures to meet its obligations under the PDPA, and make information about its policies and practices publicly available and to appoint a data protection officer.

Organisations that have contracted to process personal data on behalf of another organisation may be considered a “data intermediary”. 

A data intermediary that processes personal data pursuant to a written contract is only responsible for the Protection Obligation, the Retention Limitation Obligation and the Data Breach Notification Obligation: protecting the personal data in its care, ensuring that the personal data is not retained when there is no longer a business or legal need to do so, and notifying the organisation or public agency on whose behalf it processes the personal data when it discovers that a data breach has occurred.

7. Data subject rights

In Mexico, all data subjects are entitled to exercise rights of access, rectification, cancellation and objection regarding their personal data (collectively known as ARCO rights). These rights are not mutually exclusive.

Right of Access

The data subject is entitled to access their personal data held by the Data Controller, as well as information on the conditions and general characteristics of the processing.

Right of Rectification

Data subjects may request, at any time, that Data Controllers rectify personal data if it is inaccurate or incomplete.

Right of Cancellation

Data subjects have the right to cancel (i.e. seek erasure of) their personal data. In certain situations Data Controllers may refuse such erasure (e.g. where retention is required by applicable law or in the public interest).

Right of Objection

Data subjects may, at any time and on legitimate grounds, object to the processing of their personal data.

In Angola, Law no. 22/11, of 17 June, provides data subjects with the following rights:

  • Right to information;
  • Right of access;
  • Right to object;
  • Right of rectification and erasure;
  • Right not to be subject to automated individual decisions.

In Singapore, under the PDPA, individuals have the following rights:

  • private right of action for direct loss or damage suffered directly as a result of the contravention of the PDPA; 
  • right to ask the organisation to provide the contact of a person who can answer, on behalf of the organisation, their questions about the collection, use or disclosure of the personal data;
  • right to withdraw their consent for the collection, use or disclosure of their personal data by an organisation at any time, with reasonable notice;
  • right to request access to their personal data that an organisation possesses or controls, including to be provided with information about the ways in which such personal data has or may have been used or disclosed within the year before the request;
  • right to request an organisation to correct an error or omission in their personal data; and
  • right to file a complaint.

8. Processing by third parties

In Mexico, under the Data Protection Law, a Data Controller that intends to transfer personal data to third parties must provide them with the Privacy Notice and the purposes to which the data subject has limited the processing. The data subject must consent to such transfer through the Privacy Notice.

Subcontracting

Data Processors must obtain the Data Controller's permission before subcontracting any activity that may involve the subcontractor processing personal data. Once permission is obtained, the Data Processor must enter into a contract with the subcontractor.

The subcontractor will assume the same obligations required for Data Processors under the Data Protection Legislation and other applicable law.

The Data Processor’s right to subcontract processing activities should be outlined in the contract between the Data Controller and Data Processor. If this right is not covered in that contract, the Data Processor must seek specific consent from the Data Controller in order to subcontract processing activities.

In Angola, personal data may only be communicated to a data processor under a written contract or other legal document that obliges the processor to comply with the Angolan Data Protection Law and to act in accordance with the data controller's instructions. The APD must then be notified of such transfer.

An organisation must observe the same obligations under the PDPA in respect of personal data processed on its behalf by a data intermediary as if the personal data were processed by the organisation itself.

Data intermediaries that process personal data on behalf of and for the purposes of another organisation pursuant to a written contract will only be subject to the Protection Obligation, the Retention Obligation and the Data Breach Notification Obligation.

9. Transfers out of country

In Mexico, international transfers of personal data must be consented to by the data subject and the purposes of such transfers must be included in the Privacy Notice. Such consent is not required where the transfer is:

  1. pursuant to a Law or Treaty to which Mexico is party;
  2. necessary for medical diagnosis or prevention, healthcare delivery, medical treatment or health services management;
  3. made to holding companies, subsidiaries or affiliates under common control of the Data Controller, or to a parent company or any company of the same group as the Data Controller, operating under the same internal processes and policies;
  4. necessary by virtue of a contract executed or to be executed in the interest of the data subject between the Data Controller and a third party;
  5. necessary or legally required to safeguard public interest or for the administration of justice;
  6. necessary for the recognition, exercise or defence of a right in a judicial proceeding; or
  7. necessary to maintain or fulfil a legal relationship between the Data Controller and the data subject.

In Angola, the international transfer of data to countries that ensure an adequate level of protection (as assessed under Angolan law) is subject to notification to the APD, which will issue an assessment report.

The transfer of data to a country that does not guarantee an adequate level of protection is subject to authorisation by the APD, which may only be granted where one of the following circumstances, or another circumstance established in specific legislation, is met:

  • Consent of the data subject;
  • Transfer arises from the application of international law;
  • Humanitarian purpose;
  • Transfer necessary for the execution of a contract, at the request of the parties;
  • Necessary transfer to protect public interests or to defend a right in legal proceedings;
  • Transfer necessary to protect the vital interests of the data subject;
  • Transfer through a source accessible to the public;
  • If the recipient guarantees contractually adequate data protection.

Data transfers by electronic means should use a high level of encryption and protection consistent with the state of the art, including encoding, ciphering or other methods.

In Singapore, transfers of personal data outside the country are restricted unless certain conditions are met: the recipient of the personal data must provide safeguards comparable to or greater than those required under the PDPA. The PDPA does not provide a white-list of countries deemed to offer equivalent protection.

As such, organisations may transfer personal data overseas if they have taken appropriate steps to comply with the data protection provisions in respect of the transferred personal data while such personal data remains in their possession or control. When the personal data is transferred to a recipient outside of Singapore, organisations need to ensure that the recipient is bound by legally enforceable obligations to provide a standard of protection comparable to that under the PDPA. Such legally enforceable obligations include obligations imposed under law, any contract or binding corporate rules. In addition, organisations and data intermediaries that are certified under the Asia-Pacific Economic Cooperation Cross Border Privacy Rules System are deemed to be bound by legally enforceable obligations for the purpose of transfers of personal data outside Singapore. 

10. Data Protection Officer

Data Controllers must appoint a Data Protection Officer (or equivalent role) to deal with data subjects’ requests and promote data protection compliance within the Data Controller’s organisation.

The appointment of a data protection officer is not legally required.

Organisations are required to designate at least one individual, known as the Data Protection Officer (DPO), to oversee the data protection responsibilities within the organisation and ensure compliance with the PDPA. 

The business contact information of the DPO must be made available to the public. Although not a legal requirement, in practice the PDPC does ask that the DPO's details be registered with it.

11. Security

Data Controllers and Data Processors are required to establish and maintain administrative, physical and, if applicable, technical security measures for the protection of personal data.

In developing security measures, the data controller should take at least the following into account:

  1. the inherent risk given the type of personal data;
  2. the sensitivity of the personal data;
  3. technological developments;
  4. the potential consequences of a breach for data subjects;
  5. the number of data subjects;
  6. prior vulnerabilities in the processing systems;
  7. value of the data for an unauthorised third party; and
  8. other factors that may impact the level of risk or that result from other applicable laws and regulations.

The Data Protection Regulation also sets out actions that Data Controllers can take in order to comply with the security requirements:

  1. prepare an inventory of personal data;
  2. determine the functions and obligations of the person(s) who will process personal data;
  3. conduct a risk analysis of personal data consisting of identifying dangers and estimating the risks;
  4. establish the necessary security measures;
  5. identify gaps between existing security measures and those required for each type of data and each processing system;
  6. prepare a work plan based on the gap analysis in item 5 above;
  7. carry out revisions and/or audits;
  8. train personnel who process personal data; and
  9. keep a record of the methods of processing personal data.

Law no. 22/11, of 17 June, clearly provides that the data controller must implement appropriate technical and organisational measures to safeguard against data processing risks, for example:

  • Prevent unauthorised persons from having access to the files and processing facilities;
  • Prevent unauthorised persons from reading, copying, using, modifying or removing data media;
  • Ensure the verification of the entities to whom the personal data may be transmitted through the data transmission facilities.

Organisations must protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks, and the loss of any storage medium or device on which personal data is stored.

12. Breach notification

There are no requirements for Data Controllers to notify the INAI in the event of a data breach (other than Data Controllers which are government entities). However, Data Controllers must notify data subjects if their personal data is subject to a breach with at least the following information:

  1. nature of the breach;
  2. the personal data compromised;
  3. recommendations of actions that may be taken by the data subject to protect its interests;
  4. immediate measures being taken by the data controller; and
  5. any means by which the individual can find further information regarding the matter.

There is no legal or institutional provision for reporting mechanisms on personal data breaches. The APD recommends direct contact with the data controller by the data subject and, in the event of non-compliance practices, the data subject should file a complaint before the APD, mentioning the identification of the alleged perpetrator and documents or other evidence to support the allegations.

Notwithstanding, in the case of a security breach that compromises the integrity of personal data and other information, Law no. 23/11, of 20 June, establishes that the operator must immediately notify the APD and INACOM.

For any breach regarding information systems, within the scope of Law no. 7/17, of 16 February, it is the responsibility of the operators of electronic communication network services to implement the preventive services of warnings, alerts, recommendations and information on security, in order to ensure the continuous promotion of network integrity and reliability.

Organisations are required to assess whether a data breach is notifiable, and to notify the affected individual(s) (where required) and/or the PDPC where the data breach is assessed to be notifiable. A data breach is assessed to be notifiable where: 

  • the data breach is of a significant scale, i.e. it involves the personal data of 500 or more individuals; or 
  • the data breach causes significant harm to the affected individual(s), where the compromised personal data relates to: 
    • the individual’s full name, alias or identification, in combination with: (a) financial information that is not publicly disclosed; (b) identification of vulnerable individuals; (c) life, accident and health insurance information that is not publicly disclosed; (d) specified medical information; (e) information related to adoption matters; or (f) a private key used to authenticate or sign an electronic record or transaction; or 
    • the individual’s account identifier and the data for access into the account.

Organisations must notify the PDPC as soon as practicable, but no later than 72 hours after the organisation assesses that a data breach is notifiable. Where required to notify the affected individual(s), organisations must do so as soon as practicable (at the same time as, or after, notifying the PDPC). 

In addition, data intermediaries that process personal data on behalf of and for the purposes of another organisation or a public agency are not required to assess whether the breach is notifiable or to notify the PDPC, but are required to notify that other organisation or public agency when a potential or actual data breach is detected without undue delay. 

Sector specific regulation, such as the Notices and Guidelines on Technology Risk Management issued by the Monetary Authority of Singapore, may also require breach notification under different timelines. 

13. Direct marketing

Personal data can be processed for advertising and marketing purposes in accordance with the Data Protection Legislation, provided that these purposes are made clear in the Privacy Notice and in any other medium required for communicating the processing purposes.

Regarding advertising and marketing matters, Angola enacted Law no. 23/11, of 20 June, relating to Electronic Communications and Information Services, which provides for the consumer's right not to receive unsolicited emails and the right to the protection of their rights when acquiring products and services on the internet and in relation to advertising.

For this matter, Resolution no. 33/19 of 9 July (African Union Convention on Cybersecurity and Data Protection) establishes that direct marketing is authorised in the following situations:

  • The address details of the recipient are obtained directly from the recipient;
  • The recipient has consented to be contacted by the marketing partners of the issuer;
  • Direct marketing refers to similar products or services provided by the same individual or company.

The DNC provisions of the PDPA generally prohibit organisations from sending marketing messages (in the form of voice calls, text or fax messages) of a commercial nature to Singapore telephone numbers, including mobile, fixed-line, residential and business numbers, registered with the DNC Registry, unless the consumer has provided their clear and unambiguous consent in written or other accessible form for sending the marketing message to the Singapore telephone number.

The organisation may still send a direct marketing message where the sole purpose of the message is: 

  • to facilitate, complete or confirm an earlier transaction between the sender and recipient; 
  • to provide warranty information, product recall information, or safety or security information with respect to a product/service purchased by the recipient;
  • to deliver goods or services that the recipient is entitled to receive under an existing transaction; or 
  • related to the subject matter of an ongoing relationship between the sender and the recipient. 

Individuals may subsequently opt out of receiving direct marketing messages. Upon receiving an individual’s opt-out request, the organisation must stop sending such messages to that individual's telephone number 21 days after the opt-out.

Under the PDPA, organisations are not permitted to send, cause to be sent or authorise the sending of any message with a Singapore link to telephone numbers generated or obtained through the use of a dictionary attack or address-harvesting software. The same prohibition applies to electronic messages generated or obtained through the use of a dictionary attack or address-harvesting software under the Spam Control Act. 

In addition, under the Spam Control Act, organisations are prohibited from sending, causing to be sent or authorising the sending of unsolicited commercial electronic messages in bulk if they do not comply with the statutory conditions (e.g. the message must include an email address to which the recipient may submit an unsubscribe request).

14. Cookies and adtech

When the Data Controller uses remote or local mechanisms of electronic, optical or other technological communication that collect personal data automatically, at the same time as the data subject comes into contact with those mechanisms, the data subject must be informed, at the moment of contact with the technology, of the use of these technologies, of the collection of personal data, and of the way in which the cookies can be disabled.

Angola has no particular rule regarding the use of Cookies. Hence, the general legal framework on data protection shall apply.

The PDPA applies to the collection, use or disclosure of personal data using cookies.

However, consent is not required for cookies that:

  • do not collect personal data; and
  • for internet activities clearly requested by the user where the individual is aware of the purposes of such collection, use and disclosure and has voluntarily provided his personal data for such purposes.

If an individual configures his browser to accept certain cookies but reject others, he may be found to have consented to the collection, use and disclosure of his personal data by the cookies he has chosen to accept. In such a circumstance, the PDPC has confirmed that consent can be implied. However, an individual's failure to actively manage his browser settings does not imply that he has consented to the collection, use and disclosure of his personal data.

15. Risk scale

Moderate

Low

Moderate

Cybersecurity

1. Local cybersecurity laws and scope

There is currently no specific federal cybersecurity law in force in Mexico.

Cybersecurity is regulated in the Federal Criminal Code, the Data Protection Legislation and other sector-specific legislation applicable to entities operating within those sectors (e.g. the Fintech Law). Specific cybersecurity measures are normally regulated through tertiary regulatory instruments such as manuals, official operating parameters and guides.

  • Resolution 33/19 of 9 July (African Union Convention on Cybersecurity and Data protection);
  • Law no. 38/20, of 11 November (Angolan Criminal Code);
  • Law no. 23/11, of 20 June (Law of Electronic Communications and Information Services);
  • Law no. 7/17, of 16 February (Law of Network and IT Systems Protection);
  • Presidential Decree no. 108/16, of 25 May (General Electronic Communications Regulation);
  • Presidential Decree no. 202/11, of 22 July (Regulation on Information Technologies and Services);
  • Presidential Decree no. 275/20, of 21 October (Regulation of the Activity of the Private Credit Information Centres).

The Cybersecurity Act 2018 governs the prevention, management and response to cybersecurity threats and incidents, and regulates owners of critical information infrastructure and cybersecurity service providers. The provisions generally apply to any critical information infrastructure, computer and computer system located wholly or partly in Singapore. The provisions also apply to the Singapore Government, except that the Singapore Government will not be liable to prosecution for an offence. 

The related regulations and code of practice that operate alongside the Cybersecurity Act 2018 are the Cybersecurity (Critical Information Infrastructure) Regulations 2018, Cybersecurity (Confidential Treatment of Information) Regulations 2018 and the Cybersecurity Code of Practice for Critical Information Infrastructure. 

The Computer Misuse Act (CMA) is the principal legislation on cybercrimes. The CMA applies to any person regardless of nationality and citizenship, outside as well as within Singapore, where the accused, computer program or data was in Singapore at the material time of the offence or the offence causes or creates a significant risk of serious harm in Singapore.  

Local cybersecurity laws also include sector-specific rules, such as guidelines and notices issued by the Monetary Authority of Singapore for the financial sector (MAS rules). 

2. Anticipated changes to local laws

A National Cybersecurity Strategy document was published in 2017, but since the change in government in December 2018, there has not been much progress in terms of actual regulation.

In February 2020, a Mexican Senator submitted a bill proposing amendments to the Data Protection Law (the “DP Bill”).

The DP Bill proposed implementing best practices with respect to cybersecurity but made no specific recommendations.

There have been no developments regarding the DP Bill since it was announced in February 2020.

There are no relevant anticipated changes.

Cybersecurity Act 2018: Provisions relating to the licensing of cybersecurity service providers are not yet in effect. The Cyber Security Agency of Singapore has stated that the implementation of the licensing framework will be communicated at a later date.

3. Application 

There is no indication of when (or if) the DP Bill will be passed into law or if the National Cybersecurity Strategy will be progressed.

  • Resolution 33/19 of 9 July (African Union Convention on Cybersecurity and Data Protection);
  • Law no. 38/20, of 11 November (Angolan Criminal Code);
  • Law no. 7/17, of 16 February (Law of Network and IT Systems Protection);
  • Cybersecurity Act 2018: The Cybersecurity Act 2018 requires and authorises the taking of measures to prevent, manage and respond to cybersecurity threats and incidents; regulates owners of critical information infrastructures (CIIs); establishes the framework for the sharing of cybersecurity information; and regulates cybersecurity service providers. It also provides the regulator with the power to investigate cybersecurity threats or incidents in order to determine their impact, prevent further harm and future incidents. These investigative powers can be delegated to authorised persons, and can be exercised in respect of any computer or computer system in Singapore; not only CIIs. The level of intrusiveness of such powers that can be exercised will depend on the severity of the situation.
  • CMA: The CMA makes provision for securing computer material against unauthorised access or modification, and to require or authorise the taking of measures to ensure cybersecurity. In particular, the CMA criminalises cybercrime such as ecommerce scams and hacking, and also makes it illegal for: (a) any person to provide or receive personal information which he suspects was obtained through unauthorised means; and (b) any person to deal with items designed for, adapted to and used to commit computer crimes, including hardware and software (e.g. computer programmes, passwords or access codes).
  • MAS Rules: The MAS Rules, amongst other things, require regulated entities to: (a) conduct system and penetration testing; (b) continuously monitor and detect network and other types of cyber intrusions; and (c) require the board and senior management of the regulated entities to effectively implement that entity’s cyber resilience programme.

4. Authority

The primary authority in charge of responding to any issue regarding cybersecurity is the National Guard (previously Federal Police, now formally though not materially fully integrated into the National Guard) and the Ministry of Public Security. Additional to this, there are other local authorities in some regions, such as the Police for the Prevention of Cybercrimes in Mexico City.

The INAI is responsible for overseeing data security breaches in general.

There are other authorities that could have jurisdiction regarding sector-specific cybersecurity breaches e.g. the Mexican Securities and Exchange Commission or Mexico’s Central Bank in case of cybersecurity breaches in the banking and financial sector. 

In Angola there is still no culture of cybersecurity in organisations and government bodies (executive). What does exist is an embryonic structure that has been in the process of carrying out some cybersecurity tests.

However, the creation of a cybersecurity regulatory authority and specific legislation to regulate this matter is still absent.

5. Key obligations 

Given that there is no legislation specifically regulating cybersecurity, companies operating in sectors that do not have their own cybersecurity requirements are not subject to any particular obligations. Similarly, there is no obligation to report cyber incidents to the authorities. However, gaining or attempting to gain access to a protected system is a crime in Mexico, and the offended party may therefore report the crime to Federal Prosecutors. 

With respect to personal data, under the Data Protection Legislation every organisation must implement corrective and preventive measures to improve security and avoid the violation of personal data rights.

  • According to Law no. 7/17, of 16 February (Law of Network and IT Systems Protection), cyberspace networks should ensure the integrity, confidentiality and privacy of communications by implementing logical and physical security services.
  • The body responsible for promoting the information society service providers and operators must ensure the security of any device or set of devices for storing, processing, retrieving or transmitting digital data when running a computer program.
  • Internet operators and service providers shall promote the registration of users and the implementation of measures and necessary tools for the anticipation, detection, reaction and recovery in situations of network security threats.
  • Cyberspace operators and service providers must submit to APD and INACOM an accident and incident management plan, in the event of a computer emergency, before commencing activities.
  • Additionally, operators shall proceed with the encryption of electronic communication networks in order to guarantee the technical and security conditions under which communication is carried out for the transmission of traffic and location data relating to natural and legal persons.

Cybersecurity Act 2018:
  • Owners of critical information infrastructure must: (a) comply with codes and directions; (b) conduct audits and risk assessments; (c) report cybersecurity incidents; and (d) participate in cybersecurity exercises; and
  • Certain cybersecurity service providers will need to be licensed.

CMA:
  • The following activities are prohibited: (a) unauthorised access or modification of computer material; (b) unauthorised use or intercept of computer services; (c) obstructing the use of computers; (d) unauthorised disclosure of computer access codes; (e) providing, receiving or supplying personal information which the person knows or suspects was obtained through unauthorised means; and (f) dealing with items designed for, adapted to and used to commit computer crimes. 

MAS Rules:
  • Establish methodologies for system testing, conduct penetration testing and source code review, and enable recovery measures and user access controls;
  • Board and senior management of regulated entities are to: (a) ensure appropriate accountability structure and organisational risk culture is in place, and (b) be trained in technology risk and cybersecurity;
  • Notify the MAS of breaches of security and confidentiality of financial institutions’ customer information (MAS Notices and Guidelines on Technology Risk Management and the MAS Guidelines on Outsourcing); and
  • Implement cybersecurity measures to protect IT systems, and prevent and mitigate against cyberattacks (MAS Notices on Cyber Hygiene).   

6. Sanctions & non-compliance 

Even though there is no definition of “cybercrime”, the Federal Criminal Code sanctions some behaviours that can be identified as cybercrimes, such as hacking, phishing, infections of IT systems with malware, identity theft or fraud. These illegal behaviours can be punished with prison sentences and a range of fines, depending on the severity of the crime. 

Criminal sanctions:

1. Law no. 38/20, of 11 November (Angolan Criminal Code)

Illegal access to an information system and raid through an information system

Prison sentence from two years up to eight years, or the application of a fine up to 240 days.

Illegitimate interception in information system

Prison sentence from two years up to eight years, or the application of a fine up to 240 days.

IT sabotage

Crimes against communications and information systems are punishable with prison sentence from two years up to eight years, or the application of a fine up to 240 days.

IT falsehood

Prison sentence from two years up to ten years, or the application of a fine from 240 days up to 360 days.

Illegitimate reproduction of computer program, databases and topography of semiconductor products

Prison sentence from two years up to three years, or the application of a fine from 240 days up to 360 days.

Illegitimate interception in information system

Whoever, by technical means, intercepts or records non-public transmissions of data processed within an information system shall be punished by a prison sentence from two to eight years, or a fine up to 240 days.

Note: An attempt of any of the above-mentioned crimes is also punishable.

Administrative sanctions:

Cybersecurity Act 2018: 

  • Fines not exceeding SGD 10,000 for each contravention or non-compliance which is not an offence, but not exceeding SGD 50,000 in aggregate.

Criminal sanctions:

Cybersecurity Act 2018:

  • Varies depending on the specific offence, although in general a criminal fine not exceeding SGD 100,000 or imprisonment for a term not exceeding two to ten years or both.

CMA:

  • A criminal fine not exceeding SGD 50,000 or imprisonment for a term not exceeding ten years or both; and
  • In respect of protected computers, a criminal fine not exceeding SGD 100,000 or imprisonment for a term not exceeding 20 years or both.

Others: 

CMA: 

  • Compensation for damage caused to computer, programme or data. 

MAS Rules:

  • Varies depending on the type of regulatory instrument that sets out the specific rules (e.g. directives, guidelines, notices or circulars). For example, contravention of guidelines is not a criminal offence and does not attract civil penalties, but may affect the regulator's overall risk assessment of the entity and the renewal of licences issued by the regulator. Circulars, on the other hand, are documents sent for the relevant entities’ information and have no legal effect. Notices primarily impose legally binding requirements on a specified class of financial institutions or persons. 

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

The authority responsible for the prevention of and response to any cybersecurity issue is the National Response Centre for Cyber Incidents of the Federal Police (now formally incorporated into the National Guard), or CERT-MX. This body is in charge of preventing and mitigating any threat to technological infrastructure and operability in Mexico. Additionally, the INAI is responsible for supervising compliance with legislation regarding personal data protection.

In Angola there is still no culture of cybersecurity in organisations and government bodies (executive). What does exist is an embryonic structure that has been in the process of carrying out some cybersecurity tests.

Thus, the creation of a cybersecurity regulatory authority and specific legislation to regulate this matter is still absent.

For any breach regarding information systems, within the scope of Law no. 7/17, of 16 February, it is the responsibility of the operators of electronic communication network services to implement the preventive services of warnings, alerts, recommendations and information on security, in order to ensure the continuous promotion of network integrity and reliability.

Yes, the Singapore Computer Emergency Response Team (SingCERT) responds to cybersecurity incidents for its Singapore constituents. It was set up to facilitate the detection, resolution and prevention of cybersecurity related incidents on the Internet.

8. National cybersecurity incident management structure

The CERT-MX is responsible for dealing with any cybersecurity incidents, but only after a specific request, complaint or demand is submitted. The INAI can also initiate investigations regarding the protection of personal data.

In Angola there is still no culture of cybersecurity in organisations and government bodies (executive). What does exist is an embryonic structure that has been in the process of carrying out some cybersecurity tests.

Thus, the creation of a cybersecurity regulatory authority and specific legislation to regulate this matter is still absent.

For any breach regarding information systems, within the scope of Law no. 7/17, of 16 February, it is the responsibility of the operators of electronic communication network services to implement the preventive services of warnings, alerts, recommendations and information on security, in order to ensure the continuous promotion of network integrity and reliability.

According to Singapore’s Cybersecurity Strategy, the National Cyber Security Centre (part of the CSA) will coordinate with sector regulators to provide a national level response and facilitate quick alerts to cross-sector threats.

9. Other cybersecurity initiatives 

In the private sector, the Mexican Association for Cybersecurity offers services and products regarding cybersecurity and data protection. It also encourages the protection of information and proper information handling. 

A national framework to strengthen cybersecurity is being planned; however, prior to its execution, a convention has been concluded among African countries to create guidelines on cybersecurity, which is the only specific legislative instrument in force.

Singapore’s Cybersecurity Strategy sets out Singapore’s vision, goals and priorities for cybersecurity. It engenders coordinated action and facilitates international partnerships for a resilient and trusted cyber environment.

Héctor González Martínez, Senior Associate, Mexico City
João Leitão Figueiredo, Partner, Lisbon
João Mendes Rodrigues, Senior Associate, Lisbon
Sheena Jacob