
Under Mexico's Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP), individuals have a set of fundamental rights known as ARCO rights. ARCO is an acronym for Access (Acceso), Rectification (Rectificación), Cancellation (Cancelación) and Opposition (Oposición). These rights empower data subjects to maintain control over their personal data and hold data controllers accountable for how that data is managed. Understanding and properly implementing ARCO procedures is essential for any organisation processing personal data in Mexico.

The Right of Access

The right of access allows data subjects to request confirmation from a data controller as to whether their personal data is being processed, and if so, to obtain a copy of that data along with information about the conditions and terms of the processing. This right serves as the foundation for all other ARCO rights, as individuals must first understand what data is held about them before they can exercise their other rights.

When a data subject exercises the right of access, the data controller must provide details including what personal data is held, the purposes for which it is processed, the conditions and terms of the processing as established in the privacy notice, and any transfers that have been made or are planned. The information must be provided in a clear, accessible format that the data subject can understand and, where applicable, in electronic form if the request was made electronically.

The Right of Rectification

The right of rectification enables data subjects to request the correction of personal data that is inaccurate, incomplete or outdated. This right ensures that data controllers maintain the quality principle required by the LFPDPPP, as personal data must be accurate and up to date for the purposes for which it was collected.

To exercise this right, the data subject must indicate what data they wish to have rectified and provide supporting documentation that justifies the requested changes. For example, if an individual's name has been misspelled in a database, they would submit a rectification request along with an official identification document showing the correct spelling. The data controller is then obligated to make the corrections and notify any third parties to whom the data has been transferred.

The Right of Cancellation

The right of cancellation allows data subjects to request the deletion of their personal data from the data controller's files and systems. This right is not absolute and is subject to certain limitations, but it provides individuals with a powerful mechanism for controlling the lifecycle of their personal data.

When a cancellation request is received and deemed valid, the data controller must first block the data during a retention period, after which the data must be permanently deleted. This blocking period allows the data controller to address any legal obligations or legitimate interests that may require continued retention. Cancellation may be refused when the data is necessary for compliance with a legal obligation, when there is a contractual relationship that requires continued processing, or when the data is subject to an ongoing legal proceeding.

The Right of Opposition

The right of opposition allows data subjects to object to the processing of their personal data for specific purposes. Unlike cancellation, which seeks the deletion of data, opposition focuses on stopping certain uses of the data while potentially allowing the data to remain in the controller's systems for other legitimate purposes.

Data subjects may exercise the right of opposition when they have a legitimate reason related to their particular situation, or when the processing is for purposes such as direct marketing. If the opposition is well-founded, the data controller must cease processing the data for the purposes to which the data subject has objected. This right is particularly relevant for organisations that use personal data for marketing, profiling or other secondary purposes beyond the primary reason for data collection.

How Data Subjects Exercise ARCO Rights

The LFPDPPP and its Regulations establish a clear process for how data subjects may exercise their ARCO rights. The request must be submitted to the data controller, either through the means specified in the privacy notice or through any other method that allows the request to be documented and a response to be provided.

An ARCO request must contain the following elements:

  • Identification: The name and address of the data subject, or another means of communicating the response
  • Proof of identity: Documents that prove the identity of the data subject, or legal authorisation if the request is made through a representative
  • Clear description: A detailed and precise description of the personal data to which the request relates
  • Supporting elements: Any other element or document that facilitates locating the personal data in question

For rectification requests, the data subject must also include the specific modifications sought and the documentation supporting the requested changes.

Response Timelines and Procedures

The LFPDPPP establishes strict timelines for responding to ARCO requests. Once a data controller receives a complete request, they have 20 business days to communicate their decision to the data subject. If the request is approved, the data controller has an additional 15 business days to implement the requested action.

The response timeline can be summarised as follows:

  1. Receipt and acknowledgement: The data controller receives the ARCO request and verifies its completeness
  2. Evaluation period: Up to 20 business days to evaluate the request and communicate the decision
  3. Implementation period: If approved, up to 15 additional business days to carry out the requested action
  4. Extension: In justified cases, the evaluation period may be extended once for an equal period, provided the data subject is notified of the reasons

If the ARCO request is incomplete, the data controller must notify the data subject within 5 business days of receipt, requesting the missing information. The data subject then has 10 business days to complete their request.
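As an added example (not code from the original article or from any vendor product), the following deadline calculator implements the timeline above, including the incomplete-request branch and the single permitted extension. It assumes business days are Monday to Friday and applies no holiday calendar.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumption: business days are Monday to Friday. No holiday calendar is applied;
# a production tracker would also exclude Mexican statutory holidays.
def add_business_days(start: date, days: int) -> date:
    """Date falling `days` business days after `start` (start itself not counted)."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday=0 ... Friday=4
            remaining -= 1
    return current

@dataclass
class ArcoDeadlines:
    notice_of_incompleteness_by: Optional[date]  # 5 business days after receipt, incomplete requests only
    completion_due_by: Optional[date]            # 10 business days after the notice is sent
    decision_due_by: Optional[date]              # 20 business days after the complete request (40 if extended)
    implementation_due_by: Optional[date]        # 15 business days after the decision is communicated

def arco_deadlines(received: date, complete: bool,
                   notice_sent: Optional[date] = None,
                   completed_on: Optional[date] = None,
                   extended: bool = False,
                   decided_on: Optional[date] = None) -> ArcoDeadlines:
    """Compute the LFPDPPP response timeline for one ARCO request.

    The 20-day evaluation clock only starts once the request is complete.
    `extended=True` models the single permitted extension of equal length.
    """
    notice_by = completion_by = None
    clock_start: Optional[date] = received
    if not complete:
        notice_by = add_business_days(received, 5)
        # If the notice date is unknown, assume it goes out on the last permitted day.
        completion_by = add_business_days(notice_sent or notice_by, 10)
        clock_start = completed_on  # None until the data subject completes the request
    if clock_start is None:
        return ArcoDeadlines(notice_by, completion_by, None, None)
    decision_by = add_business_days(clock_start, 40 if extended else 20)
    # Worst case: decision communicated on its last permitted day unless told otherwise.
    implement_by = add_business_days(decided_on or decision_by, 15)
    return ArcoDeadlines(notice_by, completion_by, decision_by, implement_by)
```

Feed the tracker the actual dates the notice was sent and the decision communicated (`notice_sent`, `decided_on`) as they occur, so the later deadlines tighten from the worst case to the real one.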

Grounds for Refusal

While data controllers are generally obligated to honour ARCO requests, the LFPDPPP recognises several grounds on which a request may be denied:

  • The requestor is not the data subject or lacks proper legal authorisation
  • The personal data is not found in the data controller's databases
  • The rights of a third party would be harmed by complying with the request
  • There is a legal obligation that prevents the action requested
  • A judicial or administrative order restricts the exercise of the right
  • The cancellation or opposition has already been exercised and properly addressed
  • The request is repetitive within a short period without there being a justified reason

When a request is denied, the data controller must clearly communicate the reasons for the refusal and inform the data subject of their right to file a complaint with INAI.

The Role of INAI in Mediating Disputes

When a data subject is dissatisfied with the response to their ARCO request, or if the data controller fails to respond within the established timelines, the data subject may file a complaint with the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI). INAI serves as the mediating and enforcement authority in data protection disputes.

The INAI process typically begins with a conciliation phase, during which INAI attempts to reach an agreement between the data subject and the data controller. If conciliation fails, INAI may initiate a formal investigation and can issue binding resolutions, including orders to comply with the ARCO request and the imposition of sanctions for non-compliance.

Practical Procedures for Businesses

Organisations should establish clear, documented procedures for handling ARCO requests. A well-designed ARCO management process typically includes the following components:

  1. Designated contact point: Appoint a person or department responsible for receiving and processing ARCO requests, and publish their contact details in your privacy notice
  2. Standard intake form: Create a standardised form that captures all required information, making it easier for data subjects to submit complete requests
  3. Identity verification process: Establish procedures for verifying the identity of the requestor to prevent unauthorised access to personal data
  4. Internal workflow: Define clear escalation paths and responsibilities for evaluating requests across different departments
  5. Timeline tracking: Implement a system to track deadlines and ensure responses are provided within the legally required timeframes
  6. Response templates: Develop standard response templates for approvals, denials and requests for additional information
  7. Documentation and audit trail: Maintain comprehensive records of all ARCO requests received, actions taken and responses provided

Our Data Protection Manager module provides built-in workflows for managing ARCO requests, including automated deadline tracking, response templates and complete audit trails to ensure compliance with all LFPDPPP requirements.

Documentation and Tracking Requirements

The LFPDPPP requires data controllers to maintain records that demonstrate compliance with their ARCO obligations. This documentation should include a register of all ARCO requests received, the identity of the requestor, the type of right exercised, the date of receipt, the response provided, the date of response, and the actions taken to fulfil the request. These records serve as evidence of compliance in the event of an INAI audit or investigation.

Organisations should also document their ARCO procedures in their internal data protection policies, ensuring that all employees who may receive or handle ARCO requests are properly trained. Regular awareness training should cover the recognition of ARCO requests, the proper handling procedures and the importance of adhering to response timelines.

Best Practices for ARCO Request Management

Beyond meeting the minimum legal requirements, organisations can adopt several best practices to improve their ARCO request management:

  • Make it easy: Provide clear, accessible channels for submitting ARCO requests, including online forms and dedicated email addresses
  • Respond promptly: Aim to respond well within the 20-business-day deadline rather than waiting until the last moment
  • Communicate proactively: Keep data subjects informed about the status of their requests throughout the process
  • Centralise management: Use a unified system to manage all ARCO requests, avoiding duplication and ensuring consistency
  • Regular reviews: Periodically review your ARCO procedures to identify bottlenecks and areas for improvement
  • Consider appointing a DPO: An experienced data protection officer can provide expert oversight of your ARCO process and ensure consistent compliance

Conclusion

ARCO rights are a fundamental component of Mexico's data protection framework, giving individuals meaningful control over their personal data. For organisations, establishing robust ARCO procedures is not only a legal obligation but also a demonstration of commitment to data protection and consumer trust. By implementing clear processes, training staff, tracking deadlines and maintaining thorough documentation, businesses can efficiently manage ARCO requests while building a strong compliance posture under the LFPDPPP.
