The main data protection legislation is the Federal Law on the Protection of Personal Data held by Private Parties (the “Data Protection Law”) and its supplementary regulation (the “Data Protection Regulations”), together the “Data Protection Legislation”. The Data Protection Law came into force in July 2010 and the Data Protection Regulations came into force in December 2011. Other relevant legislation containing data protection provisions includes:
- Articles 6 to 16 of the Mexican Constitution;
- The Privacy Notice Guidelines, which govern the content of data privacy notices and obtaining consent for processing personal data;
- The General Law for the Protection of Personal Data in Possession of Obligated Subjects, which governs personal data held by public bodies; and
- The Federal Consumer Protection Law, which governs certain aspects concerning marketing activities.
Additionally, Mexico is a signatory of international agreements on data protection, such as the Convention for the Protection of the People Regarding the Automated Treatment of Personal Information. Mexico is also a member of the Inter American Network of Data Protection.
The Protection of Personal Information Act 4 of 2013 (“POPI”) is a comprehensive piece of data protection legislation that is comparable to the GDPR.
POPI came into effect on 1 July 2020. Businesses must ensure POPI compliance by no later than 30 June 2021.
POPI applies to the processing of personal information entered into a record by or for a responsible party (referred to as a data controller in the GDPR) by making use of automated or non-automated means, where the responsible party is domiciled in South Africa.
If not domiciled in South Africa, POPI applies if that responsible party makes use of automated or non-automated means in South Africa (unless those means are used only to forward personal information through South Africa).
‘Automated means’ is defined as any equipment capable of operating automatically in response to instructions given for the purpose of processing information.
‘Responsible party’ is defined as a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.
2. Data protection authority
Information Regulator (South Africa)
The Personal Data Protection Act 2012 (PDPA) is the data protection law that governs the collection, use, disclosure and handling of personal data. It recognises both the rights of individuals to protect their personal data, including rights of access and correction, and the needs of organisations to collect, use or disclose personal data for legitimate and reasonable purposes.
The PDPA also provides for the establishment of a national Do Not Call (DNC) Registry. The DNC Registry allows individuals to register their Singapore telephone numbers to opt out of receiving marketing phone calls, mobile text messages such as SMS or MMS, and faxes from organisations.
Key subsidiary legislation that operates alongside the PDPA includes the Personal Data Protection Regulations 2021, the Personal Data Protection (Notification of Data Breaches) Regulations 2021 and the Personal Data Protection (Do Not Call Registry) Regulations 2013.
Personal Data Protection Act 2012: https://sso.agc.gov.sg/Act/PDPA2012