CMS Expert Guide: Data Law Navigator

Data protection

1. Local data protection laws and scope

The main data protection legislation is the Federal Law on the Protection of Personal Data held by Private Parties (the “Data Protection Law”) and its supplementary regulation (the “Data Protection Regulations”), together the “Data Protection Legislation”. The Data Protection Law came into force in July 2010 and the Data Protection Regulation came into force in December 2011. Other relevant legislation containing data protection provisions includes:

  • Articles 6 to 16 of the Mexican Constitution;
  • The Privacy Notice Guidelines, which govern the content of data privacy notices and obtaining consent for processing personal data;
  • The General Law for the Protection of Personal Data in Possession of Obligated Subjects governs personal data held by public bodies; and
  • The Federal Consumer Protection Law governs certain aspects concerning marketing activities.    

Additionally, Mexico is a signatory of international agreements on Data Protection, like the Convention for the Protection of the People Regarding the Automated Treatment of Personal Information. Mexico is also a member or the Inter American Network of Data Protection.

The principal data protection legislation is Law 19.628 “on protection of private life” (also known as the Chilean Data Protection Law or “CDPL”). 

There are also two other legal provisions that regulate some aspects of personal data processing:

  • The Chilean Constitution, in its article 19 No. 4 and No. 5, which enshrine the right to privacy, as well as the protection of personal data, and also;
  • Law 19.496 (Consumer Protection Law) that establishes the regulation regarding unsolicited commercial marketing communications for consumers.
  • Law no. 22/11, of 17 June (Data Protection Law);
  • Law no. 23/11, of 20 June (Law of Electronic Communications and Information Services);
  • Law no. 7/17, of 16 February (Law of Network and IT Systems Protection);
  • Presidential Decree no. 108/16, of 25 May (General Electronic Communications Regulation);
  • Presidential Decree no. 202/11, of 22 July (Regulation on Information Technologies and Services);
  • Resolution 33/19 of 9 July (African Union Convention on Cybersecurity and Data protection);
  • Law no. 2/20, of 22 January (Video surveillance);
  • Law no. 11/20, of 23 April (Mobile Identification or Location and Electronic Surveillance);
  • Law no. 38/20, of 11 November (Angolan Criminal Code);
  • Presidential Decree 275/20, of 21st October (Regulation of the Activity of the Private Credit Information Centres).

2. Data protection authority

The Federal Institute for Access to Information and Data Protection (Instituto Nacional de Acceso a la Información y Protección de Datos Personales or "INAI"), is responsible for overseeing the Data Protection Legislation. Its aim is to encourage access to all public information about governmental activities, and budgets, as well as seeking the protection of personal data and the right to privacy.
The INAI, if requested by a data subject, may carry out an investigation to ensure compliance with the Data Protection Legislation of a specific undertaking and sanction those found to be in breach the Data Protection Legislation.

Chile does not have a Data Protection Authority.

Agency of Data Protection (APD): https://www.apd.ao/ao/

3. Anticipated changes to local laws

There are no anticipated changes. Notwithstanding, the President of Mexico suggested in January that the INAI would be replaced by a State-controlled body. No additional details or timelines have been provided.

Congress is discussing a new law that will replace the current one and raise the protection standards.

Anticipated changes:

  • A new legal definition: The objective will be to update and expand it, in accordance with international standards;
  • Legitimate Basis for Processing: A more robust basis for processing has been incorporated;
  • The creation of a Data Protection Authority: A National Directorate for Personal Data Protection with the obligation to register databases;
  • Cross-Border Data Transfer: It will be regulated for the first time. According to the current law, there is no statement that controls cross-border data transfers.
  • A new set of infringements;
  • A complaint procedure: This procedure will consist of three steps. First, a direct claim to the data processor. Secondly, an administrative claim before the new National Directorate for Personal Data Protection, and finally, a judicial claim that disputes the decision of the National Directorate for Personal Data Protection.

There are no relevant anticipated changes to local laws.

4. Sanctions & non-compliance

The INAI has the has the authority to impose the following administrative fines:

  • 100 to 160,000 units of measure 1 1 unit of measure = MXN 86.88 (Mexican Pesos)  for:
    • Acting negligently or fraudulently in processing and responding to requests for personal data access, rectification, cancellation or objection;
    • Fraudulently declaring the inexistence of personal data where such exists in whole or in part in the databases of the Data Controller;
    • Processing personal data in violation of the principles established in the Data Protection Law;
    • Omitting from the Privacy Notice any or all of the information it requires;
    • Maintaining inaccurate personal data when such action is attributable to the Data Controller, or failing to perform legally due rectifications or cancellations where the data subject’s rights are affected; and
    • Failure to comply with the notice warnings issued by the INAI.
  • 200 to 320,000 units of measure 2 1 unit of measure = MXN 86.88 (Mexican Pesos) for:
    • Breaching the duty of confidentiality set out in the Data Protection Law;
    • Materially changing the original data processing purpose in contravention of the Data Protection Law;
    • Transferring data to third parties without providing them with the Privacy Notice containing the limitations to which the data subject has conditioned data disclosure;
    • Compromising the security of databases, sites, programmes or equipment;
    • Carrying out the transfer or assignment of personal data outside of the cases where it is permitted under the Data Protection Law;
    • Collecting or transferring personal data without the express consent of the data subject where required;
    • Obstructing verification actions of the INAI;
    • Collecting data in a deceptive and fraudulent manner;
    • Continuing with the illegitimate use of personal data when the INAI or the data subjects have requested such use be ended;
    • Processing personal data in a way that affects or impedes the exercise of the rights of access, rectification, cancellation and objection set;
    • Creating special data databases in violation of the Data Protection Law.   

In the event that the infractions mentioned in the preceding paragraphs persist, an additional fine of 100 to 320,000 units of measure 3 1 unit of measure = MXN 86.88 (Mexican Pesos)  can be imposed.

Sanctions may be doubled for any of the above infractions committed in the treatment of sensitive data.

Since there is no Data Protection Authority, sanctions can only be imposed by a judge (in a civil procedure). To this end, Law 19.628 establishes a special procedure called “habeas data”. However, it is common practice to also use the “Remedy for the Protection of Constitutional Rights”, a constitutional action, to protect the fundamental rights affected by an illegal or arbitrary treatment of personal data.

APD under the current law has administrative supervision and enforcement powers.

According to Angolan Law, APD has the power to impose fines regarding Administrative Sanctions, as follows:

1. Law no. 22/11, of 17 June

Violation of specific requirements for the processing of personal data, non-compliance with the obligation of notifying APD and non-compliance with the APD provisions to cease access to open data transmission networks to data controllers who do not comply with the law from USD 75,000 up to USD 150,000

Violation of specific requirements for the processing of personal data, the violation of data processing principles and data processing without consent from data subjects from USD 65,000 up to USD 130,000.

Note: The attempt of any of the above-mentioned misdemeanour actions or omissions is punishable.

2. Law no. 23/11, of 20 June

Violation of security provisions, violation of confidentiality and violation of traffic data from USD 30,000 up to 150,000.

3. Law no. 7/17, of 16 February

Non-compliance with the provisions of this law, or the violation of any of the requirements in the scope of data protection and security in the networks and information systems leads to the application of fines set at the amount from AOA 7m up to AOA 200m.

Criminal sanctions

1. Law no. 22/11, of 17 June

Non-compliance with data protection obligations

Prison sentence of three months up to 18 months, or a corresponding fine.

Unauthorised access Tampering or destruction of personal data

Prison sentence from six months to two years.

Qualified disobedience

Prison sentence up to three years.

Breach of confidentiality duty

Prison sentence up to 18 months or a corresponding fine.

Note: The attempt of any of the above-mentioned crimes is punishable with prison sentence up to six months, or a corresponding fine.

2. Law no. 38/20, of 11 November (Angolan Criminal Code)

Electronic Falsehood

Whoever, with intent to mislead or harm, inputs, alters, deletes or suppresses data in an information system or, in general, interferes with the processing of such data in such a way as to produce false data that may be considered true and used as evidence, shall be punished prison sentence up to two years or the application of a fine up to 240 days.

Information Technology Data Damage

Whoever, with intent to cause damage to a third party or to obtain benefit for himself or for a third party, alters, deteriorates, renders useless, deletes, suppresses or destroys, in whole or in part, or in any way renders other people's data inaccessible, shall be punished prison sentence from one year up to 12 years or the application of a fine up to 360 days.

Illegitimate reproduction of computer program, databases and topography of semiconductor products

Prison sentence from two years up to three years or the application of a fine from 240 days up to 360 days.

Note: The attempt of any of the above-mentioned crimes is punishable.

5. Registration / notification / authorisation

The Data Protection Legislation does not require prior notification or registration for any data processing activities.

There is no registration or notification obligation since there is no data protection authority in Chile and the law does not establish this requirement.

According to Law no. 22/11, of 17 June, the processing of personal data is subject to prior notification or authorisation by the Data Protection Agency.

If mere notification is required, the Data Protection Agency must take a decision on the request made by the data controller within 30 days of receipt of the request.

The notifications and requests for authorisation sent to the APD must contain the following information:

  • Identification of the data controller;
  • Purpose of processing;
  • Description of the category of data and respective data subjects;
  • Identification of the recipients;
  • Any interconnection of processing of personal data;
  • Period of data retention;
  • How the exercise of the rights of the data subjects is guaranteed;
  • Planned data transfers to third countries;
  • Preliminary description of the security measures adopted.

6. Main obligations and processing requirements

The Data Protection Law recognises two parties who deal with personal data:

  1. Data Processors: the subject or legal entity that processes personal data on behalf of the Data Controller.
  2. Data Controller: the subject or legal entity that decides on the processing of personal data.

Their relationship must be established through contractual clauses or other legal instruments in a way that proves the existence, scope and nature of such relationship.

According to the Data Protection Legislation, the principles that must be observed by controllers and/or processors in the processing of personal data are the following:

  1. Legitimacy: Personal data must be collected and processed in a lawful manner;
  2. Consent: The data subject must give its consent for the processing of its personal data;
  3. Information: Through a Privacy Notice, the Data Controller must inform the data subject about the existence and the characteristics of their personal data processing;
  4. Quality: This principle is given when the personal data is provided directly by the data subject; if not, the Data Controller must take the measurements to meet the quality principle and adopt mechanisms that are considered necessary to ensure that the data is accurate, complete, updated and correct;
  5. Purpose: Personal data can only be processed for the purposes established in the Privacy Note.
  6. Loyalty: Personal data must be processed safeguarding the protection of the data subjects’ interests and the reasonable expectation of privacy;
  7. Responsibility: Data Controllers must ensure the processing of personal data in their custody, as well as the data transferred to a Data Processor.

Additionally, the following legal requirements should be taken into account when processing personal data:

  1. Personal data must be collected and processed in a lawful manner in accordance with the provisions established by the Data Protection Legislation and other applicable regulations;
  2. Personal data must not be obtained through deceptive or fraudulent means;
  3. In all processing of personal data, it is presumed that there is a reasonable expectation of privacy, understood as the trust any one person places in another for personal data provided to be treated pursuant to any agreement of the parties in the terms established by the Law;
  4. Personal data should not be kept for any longer than is necessary in order to comply with the purposes for which the personal data was originally held. Data Controllers must establish and document retention procedures, including deletion and/or blocking of personal data, taking the nature of the data into account.   

Data processing: 

According to the CDLP the processing of all data shall be carried out:

  • In a manner consistent with the law;
  • For the purposes permitted by the legal system; and
  • With attention to the full exercise of the fundamental rights of the data subject.

Consent of the data subject: Article 4 of the law establishes that the processing of personal data is permitted only when the law authorises it, or the subject expressly consents or authorises it. However, the law does not provide a definition of what the “authorisation” or “consent” of the data subject means or entails.

Quality: Article 6 of the law establishes that personal data will be: destroyed or cancelled when the purpose of its storage has no legal basis or when it has expired; modified when it is inaccurate, inexact, misleading or incomplete; and blocked when it cannot be destroyed or cancelled, and its accuracy cannot be established or whose validity is doubtful.

Confidentiality: Article 7 of the law establishes that people who work in the processing of personal data, in the private and public sector, must maintain confidentiality when the data comes from sources not accessible to the public, as well as with respect to other data information related to the data bank; an obligation that does not cease upon completion of its functions or activities in that field.

Purpose: Personal data will be used only for the purposes for which it was collected, unless it is obtained from sources accessible to the public (Article 9 of the law)
Personal data: Article 10 of the law prescribes that sensitive personal data, defined as any information regarding characteristics of a physical or moral nature of an individual or facts or circumstances of his private life, such as personal habits, racial or ethnic origin, ideologies and political opinions, religious beliefs or convictions, physical or mental health and sexual life, cannot be processed unless:

  • The law authorises it;
  • The data subject expressly accepts said processing;
  • Such data is necessary to establish or grant health benefits that pertain to the respective data subject.

Data security: Article 11 of the law establishes that those responsible for the registries or personal data must “take care of them with due diligence” and be liable for damages.

In accordance with the APD's guidelines and the national data protection law itself, the data controller's obligations are:

  • To notify the APD in advance of any processing or combination of processing of personal data, totally or partially autonomous, intended to serve one or more interrelated purposes;
  • To notify the APD of any subsequent changes that may occur;
  • To process data lawfully, legally and in good faith;
  • To collect data for specified, explicit and legitimate purposes;
  • Collect data that is adequate, relevant and not excessive in relation to the purposes for which it is collected and subsequently processed;
  • Ensure that data are accurate and up-to-date and take reasonable steps to ensure that inaccurate or incomplete data are erased or rectified;
  • To provide the data subject with all information required by law, without forgetting the specific information required when data is collected over open networks;
  • Not to process personal data in a way incompatible with the purposes for which they have been collected. If the data controller intends to carry out processing, it must first request the authorisation of the APD or the consent of the data subjects;
  • To guarantee the data subject a right of access, freely and without restrictions, at reasonable intervals and without excessive delays or costs;
  • Guarantee the data subject the right to freely exercise the right to object to processing for the purposes of direct marketing or any other form of prospecting;
  • Obtain prior consent from data subjects for the purposes of direct marketing using automated calls or fax machines;
  • Obtain and maintain consent from the data subject for the processing of personal data;
  • Implement technical and organisational measures to ensure data protection against accidental loss, destruction, alteration, unauthorised disclosure or access. It shall also enforce the legal obligation of professional secrecy with respect to the processed personal data;
  • Not to interconnect personal data unless authorised by the APD or required by law;
  • Whoever has access to personal data obtain through video-surveillance systems is obliged to comply with professional secrecy;
  • Personal data accidentally obtained by the video-surveillance systems, relating to intimate or personal data of a purely social nature and which do not have criminal relevance, should be destroyed immediately by the responsible person for the system;
  • Not to communicate data to third parties that have not notified their processing to the APD;
  • To destroy the personal data once the authorised storage period has expired;
  • To stop the processing of personal data when a situation arises that is not in accordance with the law and has been instructed to do so by the competent authority.

Other obligations are established in separate legislation, which are foreseen in Law no. 7/17, of 16 February, that determines the Network and IT Systems Protection legal regime, as follows:

  • Operators of information systems shall proceed with the encryption of electronic communication networks in order to guarantee the technical and security conditions under which communication is carried out for the transmission of traffic and location data relating to natural and legal persons;
  • Cyberspace operators and service providers must submit to APD and INACOM an accident and incident management plan, in the event of a computer emergency, before commencing activities;
  • The use of databases must obey the technical standards and specialised procedures of adequate protection of access, storage, duplication of files, treatment and recovery of automated information.
  • Electronic communications operators shall ensure that retained data are of the same quality and subject to the same security and protection as those data on the network;
  • Electronic communications operators shall take appropriate technical and organisational measures to protect data against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure;
  • Electronic communications operators shall take appropriate technical and organisational measures to ensure that only authorised employees and partners (including processors) have access to personal data;
  • Electronic communications operators must destroy personal data as soon as the information is no longer necessary for the purpose for which it was collected or if required by instruction of the competent authorities.

7. Data subject rights

All data subjects are entitled to exercise rights of access, rectification, cancellation and objection regarding their personal data (collectively known as ARCO rights). These rights are not mutually exclusive.

Right of Access

The data subject is entitled to access its personal data held by the Data Controller, as well as information regarding the conditions and generalities of the processing.

Right of Rectification

Data subjects may request, at any time, that Data Controllers rectify personal data if it is inaccurate or incomplete.

Right of Cancellation

Data subjects have the right to cancel (i.e. seek erasure of) its personal data. There are certain situations where Data Controllers have the right to object to such erasure (e.g. if required by applicable law or public interest).

Right of Objection

Data Subjects may, at any time, oppose the processing of their personal data for legitimate purposes.

Access to data

The rights pertaining to all data subjects to demand from the person responsible for any public or private data bank, any information that pertains to them, its source, the purpose for collecting, the legality of the data processing and the name of the individuals or entities to which the data is regularly transmitted. 

Correction and deletion

Correction or modification: The right of all data subjects to request the modification of inaccurate, incomplete, misleading or outdated data that concerns them.

Cancellation

The right of all data subjects to demand the destruction or cancellation of personal data when the purpose of its storage has no legal basis or when it has expired.
Data subjects have the right to request the cancellation of data, if the data storage is not authorised by law or if the authorisation has expired. The data subject is also entitled to exercise this right even if this data has been voluntarily provided or is being used for commercial communications, and he no longer wishes to appear in such records, temporarily or permanently.

Marketing objection

The Consumer Protection Law regulates unsolicited commercial or marketing communications sent by email to consumers. That communication must obtain a valid email address to which the recipient may request the suspension of future communications.

Law no. 22/11, of 17 June, comprises the following rights that may be exercised by data subjects:

  • Right to information;
  • Right of access;
  • Right to object;
  • Right of rectification and erasure;
  • Right to non-automated individual decisions.

8. Processing by third parties

According to the Data Protection Law, if the Data Controllers intend to transfer personal data to third parties, it must provide them with a Privacy Notice and the purposes to which the data subject has limited data processing. The data subject must consent to such transfer via the Privacy Notice.

Subcontracting

Data Processors must obtain permission from Data Controllers if subcontracting may involve the subcontractor processing personal data. Once consent is obtained, the Data Processor must enter into a contract with the subcontractor.

The subcontractor will assume the same obligations required for Data Processors under the Data Protection Legislation and other applicable law.

The Data Processor’s right to subcontract processing activities should be outlined in the contract between the Data Controller and Data Processor. If this right is not covered in that contract, the Data Processor must seek specific consent from the Data Controller in order to subcontract processing activities.

The laws do not regulate processing by third parties. According to Article 8 of the CDLP:
If the processing of personal data is carried out by virtue of a mandate, the general rules will apply. Also, the mandate must be granted in writing, regulating the conditions of use of the data.

Personal data may only be communicated to a data processor under a contract or other legal document, in writing, which establishes the obligation of the processor to comply with the provisions of the Angolan Data Protection Law and act in accordance with the instructions of the data controller. Subsequently, it will be necessary to notify the APD of such transfer.

9. Transfers out of country

International transfers of personal data must be consented to by the data subject and the purposes of such transfers must be included in the Privacy Notice. Such consent is not required where the transfer is:

  1. pursuant to a Law or Treaty to which Mexico is party;
  2. necessary for medical diagnosis or prevention, healthcare delivery, medical treatment or health services management;
  3. made to holding companies, subsidiaries or affiliates under common control of the Data Controller, or to a parent company or any company of the same group as the Data Controller, operating under the same internal processes and policies;
  4. necessary by virtue of a contract executed or to be executed in the interest of the data subject between the Data Controller and a third party;
  5. necessary or legally required to safeguard public interest or for the administration of justice;
  6. necessary for the recognition, exercise or defence of a right in a judicial proceeding; or
  7. necessary to maintain or fulfil a legal relationship between the Data Controller and the data subject.

The law does not establish specific requirements or restrictions on transfers of personal data abroad.

However, the law contains rules for the automated transmission of data. Article 5 of the law prescribes that the person responsible for the database can establish an automated system for the transmission of personal data, provided that it adequately ensures the rights or interests of the parties involved and such transmission is strictly related to the duties and objectives of the participating entities.

In the case of a request for the transmission of personal data through an electronic network, the following shall be recorded:

  • Identification of the requesting party;
  • Reason and purpose of the request;
  • Type of data transmitted.

The law does not restrict transfers of personal data to third countries.

Since there are no data transfer restrictions, foreign companies mostly rely on standard clauses to binding corporate rules established by EU legislation. 

The transfer of personal data does not require registration/notification or prior approval from the relevant data protection authority or entity (given the fact that this body does not exist)

International transfer of data to countries that ensure an adequate level of protection (guarantee of protection as established in Angolan law) is subject to notification to the Data Protection Agency (APD), which will issue an assessment report.

The transfer of data to a country that does not guarantee an adequate level of protection is subject to authorisation by the APD, which can only be granted if one of the following circumstances or others established in specific legislation are verified:

  • Consent of the data subject;
  • Transfer arises from the application of international law;
  • Humanitarian purpose;
  • Transfer necessary for the execution of a contract, at the request of the parties;
  • Necessary transfer to protect public interests or to defend a right in legal proceedings;
  • Transfer necessary to protect the vital interests of the data subject;
  • Transfer through a source accessible to the public;
  • If the recipient guarantees contractually adequate data protection.

Data transfer by electronic means should be carried out at a high level of encryption and protection according to the state of the art, including encoding, ciphering or other methods.

10. Data Protection Officer

Data Controllers must appoint a Data Protection Officer (or equivalent role) to deal with data subjects’ requests and promote data protection compliance within the Data Controller’s organisation.

There is no legal requirement for the appointment of a Data Protection Officer.

The appointment of a data protection officer is not legally required.

11. Security

Data Controllers and Data Processors are required to establish and maintain administrative and physical, security and, if applicable, technical measures for the protection of personal data.

In developing security measures, the data controller should take at least the following into account:

  1. the inherent risk given the type of personal data;
  2. the sensitivity of the personal data;
  3. technological developments;
  4. the potential consequences of a breach for data subjects;
  5. the number of data subjects;
  6. prior vulnerabilities in the processing systems;
  7. value of the data for an unauthorised third party; and
  8. other factors that may impact the level of risk or that result from other applicable laws and regulations.

The Data Protection Regulation also sets out actions that Data Controllers can take in order to comply with the security requirements:

  1. prepare an inventory of personal data;
  2. determine the functions and obligations of the person(s) who will process personal data;
  3. conduct a risk analysis of personal data consisting of identifying dangers and estimating the risks;
  4. establish the necessary security measures;
  5. identify gaps between existing security measures and those required for each type of data and each processing system;
  6. prepare a work plan based on the gap analysis in (v) above;
  7. carry out revisions and/or audits;
  8. train personnel who process personal data; and
  9. keep a record of the methods of processing personal data.

There are no legal requirements to take appropriate technical and security measures to protect personal data, but the data processor will always be liable for the damages caused by the leaking of information.

Law no. 22/11, of 17 June, clearly provides that the data controller must implement appropriate technical and organisational measures to safeguard the data processing risks, for example:

  • Prevent unauthorised persons from having access to the files and processing facilities;
  • Prevent unauthorised persons from reading, copying, use, modify or remove data supports;
  • Ensure the verification of the entities to whom the personal data may be transmitted through the data transmission facilities.

12. Breach notification

There are no requirements for Data Controllers to notify the INAI in the event of a data breach (other than Data Controllers which are government entities). However, Data Controllers must notify data subjects if their personal data is subject to a breach with at least the following information:

  1. nature of the breach;
  2. the personal data compromised;
  3. recommendations of actions that may be taken by the data subject to protect its interests;
  4. immediate measures being taken by the data controller; and
  5. any means by which the individual can find further information regarding the matter.

There is no legal obligation to notify to the authority data breach events.

There is no legal or institutional provision for reporting mechanisms on personal data breaches. The APD recommends direct contact with the data controller by the data subject and, in the event of non-compliance practices, the data subject should file a complaint before the APD, mentioning the identification of the alleged perpetrator and documents or other evidence to support the allegations.

Notwithstanding, regarding a security breach that compromises the integrity of personal data and other information, Law no. 23/11, of 20 June, establishes that the operator must notify immediately the APD and INACOM.

For any breach regarding information systems, within the scope of Law no. 7/17, of 16 February, it is the responsibility of the operators of electronic communication network services to implement the preventive services of warnings, alerts, recommendations and information on security, in order to ensure the continuous promotion of network integrity and reliability.

13. Direct marketing

Personal data can be processed for advertising and marketing purposes in accordance with the Data Protection Legislation, provided that these purposes are made clear in the Privacy Notice and in any other medium required for communicating the processing purposes.

Direct marketing is regulated by the Consumer Protection Law. This Law regulates unsolicited commercial marketing communications sent by email to consumers, specifying, among other things, that such communications must contain a valid email address to which the recipient may request the suspension of further communications, also known as an opt-out system. From the moment the recipient requests the suspension of sending further emails, any communication or unsolicited email is prohibited by law.

Regarding advertising and marketing matters, Angola enacted Law no. 23/11, of 20 June referent to Electronic Communications and Information Services which foresees the consumer's right not to receive unsolicited emails and the right to the protection of their rights when acquiring products and services on the internet and in relation to advertising.

For this matter, Resolution no. 33/19 of 9 July (African Union Convention on Cybersecurity and Data Protection) establishes that the direct marketing is authorised in the following situations:

  • The address details of the recipient are obtained directly from the recipient;
  • The recipient has consented to be contacted by the marketing partners of the issuer;
  • Direct marketing refers to similar products or services provided by the same individual or company.

14. Cookies and adtech

When the Data Controller uses remote or local mechanisms for electronic, optical or other forms of technological communication which allow collection of personal data automatically and simultaneously to the time the data subject has contact with such communications mechanisms, the data subject must be informed about the use of these technologies, at the time the data subject makes contact with the technology and must be informed of the obtention of personal data as well as the way in which the cookies can be disabled.

The CDPL does not directly regulate the use of cookies or similar technologies. 

Angola has no particular rule regarding the use of Cookies. Hence, the general legal framework on data protection shall apply.

15. Risk scale

Moderate

Low

Low

Cybersecurity

1. Local cybersecurity laws and scope

There is currently no specific federal cybersecurity law in force in Mexico.

Cybersecurity is regulated in the Federal Criminal Code, the Data Protection Legislation and other sector-specific legislation applicable to entities operating within those sectors (e.g. the Fintech Law). Specific cybersecurity measures are normally regulated through tertiary regulatory instruments such as manuals, official operating parameters and guides.

Chile does not have a specific law to regulate cybersecurity. However, many laws regulate some aspects of cybersecurity, for example:

  • Ley N°20.285/2008 - Law on access to public information
  • Ley N°17.336/2004 - Intellectual Property Law
  • Ley N°19.927/2004 - Law amending criminal codes regarding child pornography crimes
  • Ley N°19.880/2003 - Law that establishes the bases of the administrative procedures that govern the acts of State administration bodies
  • Ley N°19.799/2002 - Law on electronic documents, electronic signature and certification services of said signature
  • Ley N°19.223/1993 - Law on criminal figures related to computing
  • Ley N°20.478/2010 - Law on recovery and continuity on critical and emergency conditions of the public telecommunications system
  • Ley N°20.285/2008 - Law on access to public information
  • Ley N°17.336/2004 - Intellectual Property Law
  • Ley N°19.927/2004 - Law amending criminal codes regarding child pornography crimes
  • Ley N°19.880/2003 - Law that establishes the bases of the administrative procedures that govern the acts of State administration bodies
  • Ley N°19.799/2002 - Law on electronic documents, electronic signature and certification services of said signature
  • Ley N°19.223/1993 - Law on criminal figures related to computing
  • Ley N°20.478/2010 - Law on recovery and continuity of critical and emergency conditions of the public telecommunications system
  • Resolution 33/19 of 9 July (African Union Convention on Cybersecurity and Data protection);
  • Law 38/20, of 11 November (Angolan Criminal Code);
  • Law no. 23/11, of 20 June (Law of Electronic Communications and Information Services);
  • Law no. 7/17, of 16 February (Law of Network and IT Systems Protection);
  • Presidential Decree no. 108/16, of 25 May (General Electronic Communications Regulation);
  • Presidential Decree no. 202/11, of 22 July (Regulation on Information Technologies and Services);
  • Presidential Decree 275/20, of 21st October (Regulation of the Activity of the Private Credit Information Centres).

2. Anticipated changes to local laws

A National Cybersecurity Strategy document was published in 2017, but since the change in government in December 2018, there has not been much progress in terms of actual regulation.

In February 2020, a Mexican Senator submitted a bill proposing amendments to the Data Protection Law (the “DP Bill”).

The DP Bill proposed implementing best practices with respect to cybersecurity but made no specific recommendations.

There have been no developments regarding the DP Bill since it was announced in February 2020.

On October 2018, a bill was introduced to the Senate to strengthen the cybercrime law, thus adapting the current regulation to the Budapest Convention standards. One of the amendments proposed in the bill is the inclusion of any cybercrime as a cause for a legal entity criminal liability under law No. 20,393. 

Thereby, if the amendment is approved, legal entities must prevent any cybercrimes from being carried out by their owners, controllers, executives, representatives or managers. The failure to maintain reasonable preventive measures shall cause the legal entity to be subject to criminal liability and therefore the following sanctions:

  • Fines from UTM 400 (an indexed unit of account) to UTM 300,000;
  • Partial or total loss of benefits or absolute prohibition of receiving them for a specified period;
  • Temporary or permanent prohibition to execute contracts with the State of Chile; and
  • Dissolution of the legal entity.

This bill was approved by the Senate and now has moved to the second constitutional procedure. It is likely to be approved in 2021.

There are no relevant anticipated changes.

3. Application 

There is no indication of when (or if) the DP Bill will be passed into law or if the National Cybersecurity Strategy will be progressed.

N/A

  • Resolution 33/19 of 9 July (African Union Convention on Cybersecurity and Data Protection);
  • Law no. 38/20, of 11 November (Angolan Criminal Code).
  • Law no. 7/17, of 16 February (Law of Network and IT Systems Protection);

4. Authority

The primary authority in charge of responding to any issue regarding cybersecurity is the National Guard (previously Federal Police, now formally though not materially fully integrated into the National Guard) and the Ministry of Public Security. Additional to this, there are other local authorities in some regions, such as the Police for the Prevention of Cybercrimes in Mexico City.

The INAI is responsible for overseeing data security breaches in general.

There are other authorities that could have jurisdiction regarding sector-specific cybersecurity breaches e.g. the Mexican Securities and Exchange Commission or Mexico’s Central Bank in case of cybersecurity breaches in the banking and financial sector. 

N/A

In Angola there is still no culture of cybersecurity in organisations and government bodies (executive). What does exist is an embryonic structure that has been in the process of carrying out some cybersecurity tests.

However, the creation of a cybersecurity regulatory authority and specific legislation to regulate this matter is still absent.

5. Key obligations 

Given there is no legislation specifically regulating cybersecurity, companies operating in sectors that do not have their own cybersecurity requirements are not subject to any particular obligations. Similarly, there is no obligation to report cyber incidents to the authorities. However, gaining access or trying to access a protected system is considered a crime in Mexico and therefore the offended party has the capacity to report the crime to Federal Prosecutors. 

With respect to personal data, under the Data Protection Legislation, every organisation must implement corrective and preventive measures to improve security and avoid the violation personal data rights.

N/A

  • According to Law no. 7/17, of 16 February (Law of Network and IT Systems Protection), cyberspace networks should ensure the integrity, confidentiality and privacy of communications by implementing logical and physical security services.
  • The body responsible for promoting the information society service providers and operators must ensure the security of any device or set of devices for storing, processing, retrieving or transmitting digital data when running a computer program.
  • Internet operators and service providers shall promote the registration of users and the implementation of measures and necessary tools for the anticipation, detection, reaction and recovery in situations of network security threats.
  • Cyberspace operators and service providers must submit to APD and INACOM an accident and incident management plan, in the event of a computer emergency, before commencing activities.
  • Additionally, operators shall proceed with the encryption of electronic communication networks in order to guarantee the technical and security conditions under which communication is carried out for the transmission of traffic and location data relating to natural and legal persons.

6. Sanctions & non-compliance 

Even though there is no definition of “cybercrime”, the Federal Criminal Code sanctions some behaviours that can be identified as cybercrimes, such as hacking, phishing, infections of IT systems with malware, identity theft or fraud. These illegal behaviours can be punished with prison sentences and a range of fines, depending on the severity of the crime. 

N/A

Criminal sanctions:

1. Law no. 38/20, of 11 November (Angolan Criminal Code)

Illegal access to information system and raid through information system

Prison sentence from two years up to eight years, or an application of a fine up to 240 days.

Illegitimate interception in information system

Prison sentence from two years up to eight years, or the application of a fine up to 240 days.

IT sabotage

Crimes against communications and information systems are punishable with prison sentence from two years up to eight years, or the application of a fine up to 240 days.

IT Falsehood

Prison sentence from two years up to ten years, or the application of a fine from 240 days up to 360 days.

Illegitimate reproduction of computer program, databases and topography of semiconductor products

Prison sentence from two years up to three years, or the application of a fine from 240 days up to 360 days.

Illegitimate interception in information system

Whoever, by technical means, intercepts or records non-public transmissions of data processed within an information system shall be punished by a prison sentence from two to eight years, or a fine up to 240 days.

Note: An attempt of any of the above-mentioned crimes is also punishable.

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

The authority responsible for the prevention and response of any cybersecurity issue is the National Response Centre for Cyber Incidents of the Federal Police (now formally incorporated to the National Guard) or CERT-MX. This body is in charge of preventing and mitigating any threat to technological infrastructure and operability in Mexico. Additionally, the INAI is responsible for supervising compliance with legislation regarding personal data protection.

The National Cybersecurity Centre (which is part of GCHQ) does not regulate the NIS Regulations but has a role in providing technical support and guidance by the following:

  • a Single Point of Contact (SPOC) – for engagement with EU partners, coordinating requests and submitting annual incident statistics;
  • a Computer Security Incident Response Team (CSIRT) to provide advice and support where reported incidents are identified or suspected of having a cybersecurity aspect;
  • being a Technical Authority on Cyber Security – to support OESs and CAs with advice and guidance, and to act as a source of technical expertise. For example, it provides:
    • a set of 14 NIS Security Principles for securing essential services;
    • a collection of supporting guidance for each principle;
    • a Cyber Assessment Framework (CAF) incorporating indicators of good practice; and implementation of guidance and support to CAs.

In Angola there is still no culture of cybersecurity in organisations and government bodies (executive). What does exist is an embryonic structure that has been in the process of carrying out some cybersecurity tests.

Thus, the creation of a cybersecurity regulatory authority and specific legislation to regulate this matter is still absent.

For any breach regarding information systems, within the scope of Law no. 7/17, of 16 February, it is the responsibility of the operators of electronic communication network services to implement the preventive services of warnings, alerts, recommendations and information on security, in order to ensure the continuous promotion of network integrity and reliability.

8. National cybersecurity incident management structure

The CERT-MX is responsible for dealing with any cybersecurity incidents, but only after a specific request, complaint or demand is submitted. The INAI can also initiate investigations regarding the protection of personal data.

Yes, see above.

In Angola there is still no culture of cybersecurity in organisations and government bodies (executive). What does exist is an embryonic structure that has been in the process of carrying out some cybersecurity tests.

Thus, the creation of a cybersecurity regulatory authority and specific legislation to regulate this matter is still absent.

For any breach regarding information systems, within the scope of Law no. 7/17, of 16 February, it is the responsibility of the operators of electronic communication network services to implement the preventive services of warnings, alerts, recommendations and information on security, in order to ensure the continuous promotion of network integrity and reliability.

9. Other cybersecurity initiatives 

In the private sector, the Mexican Association for Cybersecurity offers services and products regarding cybersecurity and data protection. It also encourages the protection of information and proper information handling. 

No.

A national framework to strengthen cybersecurity is being planned, however, prior to execution, a convention has been concluded among African countries to create guidelines to combat cybersecurity, which is the only specific legislative instrument in force.

Portrait of Héctor González Martínez
Héctor González Martínez
Senior Associate
Mexico City
Portrait of Diego Rodríguez
Diego Rodríguez, LL.M.
Partner
Santiago
Portrait of João Leitão Figueiredo
João Leitão Figueiredo
Partner
Lisbon
Portrait of João Mendes Rodrigues
João Mendes Rodrigues
Senior Associate
Lisbon