handbook for the management of personal data of
"h52 mexico," s.a. de c.v.
chapter i - general provisions
article 1.- applicable law. this manual was developed taking into account the provisions contained in articles 6(a) of the political constitution of the united mexican states, the federal law on the protection of personal data in possession of individuals and its regulations.
article 2.- scope of application. this document applies to the processing of personal and sensitive data that "h52 mexico", s.a. de c.v. collects in the ordinary turnover of its business and that must be processed by it.
article 3.- databases. the policies and procedures and contents in this policy apply to the databases handled by "h52 mexico", s.a. de c.v. that will be registered in accordance with the provisions of the federal law on the protection of personal data in possession of individuals and regulation, the period of which shall be counted from the date of authorisation to the term reasonably necessary, in accordance with the purposes justifying its processing.
article 4.- object. this manual complies with the provisions of article 48 of the regulations of the federal law on the protection of personal data in possession of individuals, which regulates the duties of those responsible for the processing of personal data, among which is the adoption of internal policies to ensure proper compliance with the law, especially for handling inquiries and complaints from the holders of the information. it also aims to regulate the procedures for the collection, handling and processing of personal data carried out by "h52 mexico", s.a. de c.v., in order to guarantee and protect the fundamental right of habeas data within the framework established by the law.
article 5.- definitions. for the purposes of the application of the rules contained in this manual and in accordance with the provisions of article 3 of the federal law on the protection of personal data in possession of individuals, it is understood by:
i) privacy notice: physical, electronic document or in any other format generated by the controller that is made available to the owner, prior to the processing of his personal data, in accordance with article 15 of this law.
ii) databases: the ordered set of personal data relating to an identified or identifiable person.
iii) blocking: the identification and retention of personal data once the purpose for which they were collected was fulfilled, for the sole purpose of determining possible responsibilities in relation to their processing, until the legal limitation period or contract of these. during this period, the personal data may not be processed and after this, it will be canceled in the corresponding database.
iv) consent: manifestation of the will of the data subject through which the data is processed.
v) personal data: any information concerning an identified or identifiable natural person.
vi) sensitive personal data: personal data affecting the most intimate sphere of the owner, or whose misuse may give rise to discrimination or carry a serious risk to the owner. in particular, data that may reveal aspects such as racial or ethnic origin, present and future health status, genetic information, religious, philosophical and moral beliefs, trade union membership, political opinions and sexual preference are considered sensitive.
vii) days: business days.
viii) dissociation: the procedure by which personal data cannot be associated with the holder or allow, by their structure, content or degree of disaggregation, the identification thereof.
ix) processor: the natural or legal person who alone or jointly with others processes personal data on behalf of the controller.
x) source of public access: those databases whose consultation can be carried out by any person, without any requirement other than, where appropriate, the payment of a consideration, in accordance with the regulations of this law.
xi) institute: federal institute for access to information and data protection, referred to in the federal law on transparency and access to government public information.
xii) law: federal law on the protection of personal data in possession of individuals.
xiii) regulations: the regulations of the federal law on the protection of personal data in possession of individuals.
xiv) responsible: a natural or moral person of a private nature who decides on the processing of personal data.
xv) secretariat: secretariat for the economy.
xvi) third: the natural or moral person, national or foreign, other than the owner or data controller.
xvii) owner: the natural person to whom the personal data corresponds.
xviii) processing: the collection, use, disclosure or storage of personal data, by any means. use covers any action of access, handling, leveraging, transferring or disposing of personal data.
xix) transfer: any communication of data made to person other than the controller or processor.
article 6.- principles. the principles set out below constitute the general parameters that will be respected by "h52 mexico", s.a. de c.v. in the processes of collection, use and processing of personal data.
a) principle of purpose: the processing of personal data collected by "h52 mexico", s.a. de c.v. must serve a legitimate purpose, of which the owner must be informed;
b) principle of freedom: the processing can only be carried out with the prior, express and informed consent of the holder. personal data may not be obtained or disclosed without the prior authorization of the owner, except legal or judicial mandate;
c) principle of truthfulness: information subject to processing must be truthful, complete, accurate, up-to-date, verifiable and understandable. the processing of partial, incomplete, fractional or misleading data is prohibited;
d) principle of transparency: the right of the holder to obtain from "h52 mexico", s.a. de c.v. at any time and without restriction, information on the existence of data concerning him/her should be guaranteed in the processing;
(e) principle of access and restricted circulation: personal data, except public information, may not be available on the internet or other means of mass disclosure or communication, unless access is technically controllable to provide a restricted knowledge only to authorized holders or third parties;
f) safety principle: information subject to processing by "h52 mexico", s.a. de c.v., should be protected by the use of the technical, human and administrative measures that are necessary to provide security to the registers by avoiding their adulteration, loss, consultation, unauthorized or fraudulent use or access;
g) principle of confidentiality: all persons involved in the processing of personal data are obliged to guarantee the reservation of the information, even after the end of their relationship with any of the tasks covered by the processing.
chapter ii - authorization
article 7.- authorization. the collection, storage, use, circulation or deletion of personal data by "h52 mexico", s.a. de c.v. requires the free, prior, informed and express consent of the owner thereof. "h52 mexico", s.a. de c.v. in its capacity as responsible/ person of the processing of personal data, has provided the necessary mechanisms to obtain the authorization of the holders, guaranteeing in any case that it is possible to verify the granting of such authorization.
article 8.- form and mechanism to give authorization. the authorisation may be contained in a physical or electronic document or in any other format that allows its subsequent consultation to be guaranteed, or may be given by means of an appropriate technical or technological mechanism from which it can be concluded unequivocally that, in the absence of conduct of the owner, the data would never have been captured and stored by "h52 mexico", s.a. de c.v.
the authorization of the holder is a fundamental requirement for "h52 mexico", s.a. de c.v. to initiate any kind of commercial activity with the holder. therefore, prior to the use of personal data of the holders, "h52 mexico", s.a. de c.v. must have the respective authorizations thereof.
article 9.- content of the authorization. the authorization of the holder is a declaration that authorizes "h52 mexico", s.a. de c.v. to use his/her personal or sensitive data and that must also contain:
(a) the object of the authorisation.
b) purpose of the processing of personal data.
c) users of the information.
(d) international transfer of information to third countries.
e) sensitive personal data.
(f) responsible and information-handlers.
paragraph: the procedures and formats to be used in the ordinary operations of "h52 mexico", s.a. de c.v. shall be known to the officials of the companies, through the intranet of the company.
article 10.- proof of authorization. "h52 mexico", s.a. de c.v. shall take the necessary measures to maintain proper records or technical mechanisms of when and how it obtained the authorization of the holder for the treatment of them.
article 11.- privacy notice. the privacy notice is the physical, electronic or other document that is made available to the owner for the processing of his/her personal data. through this document the owner is informed of the information regarding the existence of the information processing policies that will be applicable to him, the way to access them and the characteristics of the treatment that is intended to give to the personal data.
article 12. minimum content of the privacy notice. the privacy notice must, at a minimum, contain the following information:
a. the identity, address and contact details of the data controller;
b. the type of processing to which the data will be subjected and the purpose thereof;
c. the general mechanisms provided by the controller so that the holder is aware of the policy of processing of information and the substantial changes that occur in it.
d. in all cases, you must inform the owner how to access or consult the information processing policy.
article 13. notice of privacy and information treatment policies. "h52 mexico", s.a. de c.v. will retain the model of the privacy notice that was transmitted to the holders while the processing of personal data is carried out and the obligations arising from it endure.
chapter iii - rights and duties
article 14.- rights of information holders. in accordance with the provisions of article 22 of the federal law on the protection of personal data in possession of individuals, the holder has the following rights:
a) access to, rectification and cancellation of, and opposition to the processing of, his/her personal data held by "h52 mexico", s.a. de c.v.
b) request proof of the authorization granted to "h52 mexico", s.a. de c.v. in its capacity as responsible/ processor.
c) to be informed by "h52 mexico", s.a. de c.v. about the uses or treatment granted to the personal data of the owner, after consulting it.
d) revoke the authorization and/or request the deletion of the data when the principles, rights and constitutional and legal guarantees are not respected in the treatment of the same.
e) access your personal data that has been processed free of charge.
article 15.- duties of "h52 mexico", s.a. de c.v. in connection with the treatment of personal data. "h52 mexico", s.a. de c.v. will keep in mind at all times, that the personal data are the property of the holders of the information and that only they can decide on them. in this sense, you will use them only for those purposes for which you are duly authorized, and respecting in any case the federal law on the protection of personal data in possession of individuals. "h52 mexico", s.a. de c.v. undertake to comply permanently with the following duties regarding the processing of personal data:
(a) guarantee to the holder, at all times, the full and effective exercise of the right to habeas data;
b) keep the information under the security conditions necessary to prevent its alteration, loss, consultation, use or unauthorized or fraudulent access;
c) to perform in a timely manner, this is in the terms provided for in article 32 of the federal law on the protection of personal data in possession of individuals, access, rectification, cancellation or opposition of the data;
d) refrain from circulating information that is being controversial by the holder and whose blockade has been ordered judicially;
(e) allow access to information only to persons who can access it;
chapter iv - procedures
article 16.- consultations. the power of disposition or decision that the owner has over the information concerning him does necessarily entail the right to access and know if his personal information is being processed by "h52 mexico", s.a. de c.v., as well as the scope, conditions and generalities of such treatment. in this way "h52 mexico", s.a. de c.v. must guarantee the holder the right of access through two free channels:
a. by written request in the form of a right of petition, which shall be addressed to the administration of "h52 mexico", s.a. de c.v. located in remanso de los lirios street number 136, of the bugambilias city, in the city of zapopan, jalisco, c.p. 45237.
b. by e-mail addressed to the firstname.lastname@example.org address.
c. by request through the website http://www.h52.mx/.
article 17.- application arco rights. in accordance with the provisions of article 28 of the federal law on the protection of personal data in possession of individuals, the owner or his successors who consider that the information contained in a database should be subject to access, rectification, cancellation or opposition, or who notice the alleged breach of any of the duties established by the federal law on the protection of personal data in possession of individuals, may file a request with "h52 mexico", s.a. de c.v. through the channels referred to in the previous article, which will be processed provided that the application meets the following requirements:
1. the claim may be filed by the holder informing the following:
(a) the name of the holder and address or other means of communicating the response to your request;
(b) documents proving the identity or, where appropriate, the legal representation of the holder;
c) the clear and accurate description of the personal data in respect of which it is sought to exercise any of the aforementioned rights, and
d) any other element or document that facilitates the location of personal data.
2. once "h52 mexico", s.a. de c.v. receives the application, it will require the interested party within five (5) following receipt to remedy the faults, in events where it does not meet the requirements set out in the literal above.
3. after two (2) months from the date of the request without the applicant submitting the required information, it shall be deemed to have withdrawn from the claim. if by any circumstance a claim is received that should not actually be directed against "h52 mexico", s.a. de c.v., it will transfer it, to the extent of its possibilities to whoever corresponds in a term maximum of three (3) business days and will inform the data subject of the situation.
4. the maximum term to deal with the claim shall be fifteen (15) working days from the day following the date of receipt. where it is not possible to meet it within that term, the interested party will be informed before the expiration of that period the reasons for the delay and the date on which his claim will be dealt with, which in no case may exceed eight (8) business days following the expiration of the first term.
article 18.- implementation of procedures to guarantee the right to submit applications. at any time and free of charge the holder, its proprietors or its representative (presenting power in original) may request from "h52 mexico", s.a. de c.v. access, rectification, cancellation or opposition of your personal data, through the channels set out in article 16 of this manual, informing the following:
1. the name and address of the holder or any other means to receive the response.
2. documents proving the identity or legal representation of the representative
3. the clear and accurate description of the personal data for which the holder seeks to exercise any of its rights.
4. corrections to be made by "h52 mexico", s.a. de c.v. must be indicated.
article 19.- cancellation of data. the owner has the right at all times to request from "h52 mexico", s.a. de c.v., the cancellation (deletion) of his/her personal data when:
a. consider that they are not being treated in accordance with the principles, duties and obligations provided for in the federal law on the protection of personal data in possession of individuals.
b. they are no longer necessary or relevant to the purpose for which they were collected.
c. the period necessary for the fulfilment of the purposes for which they were collected has been exceeded.
article 20.- data cancellation process. "h52 mexico", s.a. de c.v. shall operationally cancel the data(s) in such a way that the deletion does not allow the retrieval of the information.
article 21.- revocation of the authorization. the holders of the personal data can revoke the consent to the processing of their personal data at any time as long as it is not prevented by a legal or contractual provision, through the channels established in article 16 of this handbook. it should be noted that there are two modalities in which the revocation of the consent may be given.
the first may be on all the purposes consented to, that is, that "h52 mexico", s.a. de c.v. must stop completely processing the data of the owner; commercial or educational issues.
therefore, it will be necessary for the holder at the time of raising the request for revocation to indicate in this request whether the revocation it intends to make is in whole or in part.
chapter v - information security
article 22. safety measures.- in development of the security principle established in the federal law on the protection of personal data in possession of individuals, "h52 mexico", s.a. de c.v. will adopt the technical, human and administrative measures necessary to provide security to records, avoiding their alteration, loss, consultation, use or unauthorized or fraudulent access.
article 23. implementation of the security measures.- "h52 mexico", s.a. de c.v. will maintain mandatory security protocols for staff with access to personal data and information systems. the procedure shall consider at least the following aspects:
(a) scope of application of the procedure with detailed specification of the protected data.
b) measures, rules, procedures, rules and standards aimed at ensuring the level of security required by the federal law on the protection of personal data in possession of individuals.
c) staff functions and obligations.
d) procedures for backing up and back-up data.
(e) periodic checks to be carried out to verify compliance with the security procedure.
chapter vi - final provisions
article 23. area of data protection.- "h52 mexico", s.a. de c.v. appoints the administration area to fulfill the function of protecting personal data.
article 24. area in charge of applications, consultations, rectification, update and cancellation of data.- "h52 mexico", s.a. de c.v. designates the administration area to handle the process for applications for access, rectification, cancellation or opposition of data by the holders.