Laura Van Gompel – August 31st 2021 – The GDPR most certainly also had an impact outside the EU, for example in Mexico.
As compliance and data protection programs were modified worldwide as a result of the GDPR, many Mexican companies had to adapt to new processes or practices imposed by their European business partners or parent companies.
However, Mexican companies are also directly affected by the GDPR. First of all, the GDPR applies to Mexican companies that offer services or goods to data subjects located in the EEA.
Whether the Mexican company in question acts as a controller or processor is irrelevant, as is the location of the processing activity. Nor does it matter whether the transaction was free or paid.
The mere condition that the processing concerns personal data of an EEA-located data subject, due to goods or services being offered within the EEA, makes the provider/data processor accountable under the GDPR.
Secondly, the GDPR is an important regulator when Mexican companies receive, as a result of a data transfer, access to personal data protected by the GDPR, for instance when a European controller transfers personal data to a Mexican processor. In this case, not only is a written data processing agreement pursuant to article 28 GDPR required, but also a sufficient transfer tool within the meaning of articles 46 ff. GDPR.
An article 28 data processing agreement as such should not be problematic, as parties can “mould” the agreement in accordance with their data processing framework, their arrangements and respective liabilities, including of course all elements set out in article 28.
Complying with articles 46 ff. GDPR, however, is not that self-evident. As Mexico has not received an adequacy decision in its favour, the most obvious tool is the Standard Contractual Clauses, as issued by the European Commission (see latest version of June 2021). Please note that even the official SCCs are not necessarily enough to give “sufficient warranty” within the meaning of Chapter V GDPR. According to the EDPB recommendations of June 2021, for some transfers outside the EEA, supplementary measures need to be taken in addition to the SCCs. This is to guarantee “an essentially equivalent level of protection that meets the EU standards on fundamental rights, necessity and proportionality”.
The EDPB states that “Standard contractual clauses and other transfer tools mentioned under Article 46 GDPR do not operate in a vacuum.” The exporting party should verify, on a case-by-case basis and, where appropriate, in collaboration with the importer in the third country, if the law or practice of the third country impinges on the effectiveness of the appropriate safeguards contained in the Article 46 GDPR transfer tools.
According to the EDPB, this assessment by the exporter must contain elements:
– on whether public authorities of the third country of your importer may seek to access the data with or without the data importer’s knowledge, in light of legislation, practice and reported precedents;
– on whether public authorities of the third country of your importer may be able to access the data through the data importer or through the telecommunication providers or communication channels in light of legislation, legal powers, technical, financial, and human resources at their disposal and of reported precedents.
The Mexican “situation” has not been the subject of any European case law. However, bearing in mind Schrems II and the abovementioned EDPB guidelines, it seems appropriate to combine the article 46 SCCs with supplementary measures for data transfers to Mexican importers. Certain local laws do indeed regulate and allow (communication) surveillance by public authorities (Código Nacional de Procedimientos Penales, Ley de la Policía Federal, Ley de Seguridad Nacional, Ley Federal de Telecomunicaciones y Radiodifusión, Ley Federal contra la Delincuencia Organizada, Ley General para Prevenir y Sancionar los Delitos en Materia de Secuestro, etc.).