Data protection Security Policies of
The Cocktail Mexico (THE COCKTAIL AMÉRICA, S.A DE C.V.)
1. Introduction and scope of application
This security policy addresses the aspects specific to Mexico which, by virtue of that country's local legislation, must be regulated and identified separately from the group's global policies.
These local security policies apply together with the group's global policies in all matters not specifically indicated as applicable only to the parent company in Spain.
2. Definitions
Authorised access: authorisations granted to a user for the use of various resources.
Affected or concerned party, data subject: the identified or identifiable natural person to whom the personal data being processed relate.
Authentication: the process of verifying a user’s identity.
Control authority: an independent public authority established by a State to guarantee compliance with data protection regulations.
Privacy Notice: A physical, electronic or any other format of document generated by the processing manager that is made available to the owner prior to the processing of their personal data.
Blocking: the identification and retention of personal data, once the purpose for which they were collected has ended, until the applicable legal or contractual limitation period expires. Personal data may not be processed during that period; once it ends, they are cancelled from the corresponding database.
Password: confidential information often consisting of a string of characters, which can be used to authenticate a user or access a resource.
Access control: a mechanism that grants access to data or resources once the user's identity has been authenticated.
Consent of the data subject: any expression of free, specific, informed and unequivocal will by which the data subject accepts the processing of personal data that concerns them, either through a declaration or a clear affirmative action.
Backup or security copy: a copy of the data of a file on a support that allows its later recovery.
Personal data: any information about an identified or identifiable natural person.
Sensitive personal data: those personal data that affect the most intimate sphere of their subject, or whose improper use may cause discrimination or entail a serious risk to the subject.
ARCO rights: right of access, rectification, cancellation or opposition to which the data subject is entitled with respect to the shared or provided personal data.
Recipient: the natural or legal person, public authority, service or other body to which personal data are communicated, whether or not a third party.
Data Controller: the natural or legal person, public authority, service or other body that processes personal data for the processing manager.
Data accuracy: the data has to be exact and, if necessary, it must be updated; all reasonable steps shall be taken to ensure that personal data that are inaccurate with respect to the purposes for which they are processed are deleted or rectified without delay.
Incident: any anomaly that affects or may affect data security.
Identification: user identity recognition procedure.
Legality, loyalty and transparency: the principle that personal data must be processed in a lawful, loyal and transparent manner in relation to the data subject.
Limitation of purpose: the data must be collected for specific, explicit and legitimate purposes, and will not be further processed in a manner incompatible with such purposes.
Limitation of the conservation period: the data will be conserved in such a way that the data subjects cannot be identified for longer than is necessary for the purposes of the processing.
Data minimisation: the processed data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Identifiable natural person: any person whose identity can be determined directly or indirectly by means of an identifier, such as a name, an identification number, location data, an on-line identifier or one or more elements of physical, physiological, genetic, psychological, economic, cultural or social identity of said person.
Resources: any part or component of the system.
Processing Manager: the natural or legal person, public authority, service or other body that, alone or together with others, determines the purposes and means of the processing.
Data Protection Officer: the person or persons to whom the processing manager formally assigns the function of coordinating and controlling the applicable security measures. Said officer is the Data Protection Officer of The Cocktail Experience, assigned to the company Cohaerentis S.L., which is also responsible for data protection of the other companies of The Cocktail Group.
Third party: a natural or legal person, public authority, service or body other than the data subject, the processing manager, the data controller and the persons authorised to process personal data under the direct authority of the manager or controller.
Data processing: any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, comparison or interconnection, limitation, deletion or destruction.
Information system: a set of files, processing operations, programs, supports and, where appropriate, equipment used to process personal data.
Processing system: the way in which an information system is organised or used. Depending on the processing system, information systems may be automated, non-automated or partially automated.
Support: a physical object that stores or contains data or documents or an object capable of being processed in an information system and on which data can be recorded and retrieved.
User: a subject or process authorised to access system data or resources. The processes that allow access to data or resources without identifying a physical user will be considered users.
Breach of personal data security: any security breach that results in the accidental or unlawful destruction, loss, or alteration of personal data transmitted, conserved or otherwise processed, or unauthorised disclosure of or access to such data.
3. Guiding principles of the organisation's security policies at the local level
Without prejudice to the guiding principles of security policies at a global level, this section includes those principles that are specific and local to policies in Mexico.
- Principle of legality, loyalty and transparency: the information provided to the data subjects in relation to the processing of their personal data must be given transparently, be easily accessible and easy to understand. Data subjects must know at all times who is responsible for the processing of their personal data to guarantee that a lawful, loyal and transparent treatment is given. Any information provided to the data subjects will be governed by these requirements and THE COCKTAIL will contractually ensure that its clients, when they are Processing Managers, have collected the data from the owners based on said principle. Personal data must not be obtained through deceitful or fraudulent means.
- Principle of consent: all processing of personal data is subject to the consent of the data subject, which may be given expressly or tacitly, except in the cases provided for in the Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP). Consent is understood to be tacit when the privacy notice has been made available to the data subject and they have not expressed opposition. Consent may be revoked at any time, without retroactive effect; the processing manager must establish the mechanisms and procedures for revocation in the privacy notice. In the case of sensitive personal data, the processing manager must obtain the express written consent of the data subject, by handwritten signature, electronic signature or any other authentication method established for that purpose. Databases containing sensitive personal data may not be created without justifying their creation for legitimate, specific purposes consistent with the activities or explicit purposes pursued by the regulated entity.
- Principle of limitation of purpose: the personal data collected from the data subject will be processed exclusively for specific, explicit and legitimate purposes, and may never be processed for a purpose other than that indicated to the data subject through the privacy notice. When the Group companies act as Data Controllers, said purposes will be those provided for in the data access contracts signed with the clients managing the processing, as per the requirements set forth in these policies.
- Principle of data minimisation: only personal data that are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed will be processed.
- Principle of accuracy: data will always be kept accurate and updated. THE COCKTAIL must take all reasonable measures to ensure that personal data that is inaccurate with respect to the purposes for which it is processed is deleted or rectified as soon as possible. When the Group companies act as Data Controllers, the measures will be agreed with the client as Processing Manager. The manager will be obliged to inform the data subjects of the information that is collected from them and for what purposes, through the privacy notice.
- Principle of limitation of the conservation period: personal data will be kept only for the time necessary for the purposes of the treatment. THE COCKTAIL will always take into account the conservation periods and the application of the cancellation processes provided for in these policies when said periods expire, as well as the cancellation periods and processes agreed with the clients in the contracts.
- Principle of integrity and confidentiality: personal data will be processed in such a way as to guarantee adequate security, including protection against unauthorised or illegal processing and against its loss, destruction or accidental damage, by applying appropriate technical or organisational measures provided for in THE COCKTAIL's security policies.
- Principle of proactive responsibility: all Group companies will be responsible for compliance with these principles and for maintaining a privacy compliance system that makes it possible to demonstrate that they are met.
4. Data transfers inside and outside of Mexico
A transfer is any communication of personal data, inside or outside Mexico, to a person other than the data subject, the processing manager or the data controller. The communication of data between the processing manager and the data controller within the framework of the legal relationship described in the previous section is therefore NOT a transfer; the LFPDPPP Regulations call this type of communication a referral (remisión).
Managers are not obliged to request the consent of the data subjects to make referrals, nor to inform them in the privacy notice, unlike the case of transfers.
In order for a processing manager to transfer personal data, inside or outside of Mexico, it is necessary that:
- The data subject is informed in the corresponding privacy notice that the transfer may be made, to whom the data will be transferred and for what purposes. Where required, the privacy notice must also contain a clause allowing the data subject to consent or refuse consent to the transfer.
- The data subject has given their consent to the transfer, except in the cases provided for in article 37 of the LFPDPPP.
- The transfer is limited to the purposes and conditions reported in the privacy notice and consented to by the data subject.
The consent of the data subjects will not be required for transfers in the following cases (article 37 of the LFPDPPP):
- When the transfer is provided for in a law or treaty to which Mexico is a party.
- When the transfer is necessary for prevention or medical diagnosis, the provision of healthcare, medical treatment or the management of healthcare services.
- When the transfer is made to holding companies, subsidiaries or affiliates under the common control of the manager, or to a parent company or any company in the same group as the manager operating under the same processes and internal policies.
- When the transfer is necessary by virtue of a contract entered into or to be entered into in the interest of the data subject, by the manager and a third party.
- When the transfer is necessary or legally required to safeguard a public interest, or for the procurement or administration of justice.
- When the transfer is necessary for the recognition, exercise or defence of a right in a judicial process.
- When the transfer is necessary for the maintenance or fulfilment of a legal relationship between the manager and the data subject.
4.1 Requirements for national data transfers
Specific condition
To meet the general conditions for transfers: be informed in the privacy notice; request the consent of the data subject when required and be limited to the consented and informed purposes.
Data receiver
Recipients of personal data become processing managers (responsables) in their own right under the LFPDPPP, with the corresponding obligations.
These receiving managers must process the data in accordance with the privacy notice communicated by the transferring manager.
Formalisation
The transfer must be made through a mechanism that makes it possible to demonstrate that the transferring manager informed the receiving manager of the conditions under which the data subject consented to the processing of their personal data.
4.2 Requirements for international data transfers
Specific condition
International transfers will be possible when the data receiver assumes the same obligations to which the manager transferring personal data is subject.
Likewise, for these to occur it will be necessary for the general conditions for transfers to be met:
- be informed in the privacy notice;
- request the consent of the data subject when required and be limited to the consented and informed purposes.
Data receiver
Since the data receiver is not established in Mexico, Mexican law does not apply to it, so it can NOT be considered a processing manager in terms of the LFPDPPP.
However, through the private legal instrument in which its relationship with the transferring manager is established, it must assume the same obligations as the transferring manager in relation to the processing of the personal data.
If the third-party receiver does not accept these conditions, the transferring manager, to whom Mexican law does apply, may NOT transfer the personal data, since doing so would breach its legal obligations.
Formalisation
The transferring manager may resort to contractual clauses or other legal instruments that provide at least the same obligations for the third-party receiver, to which the manager transferring the personal data is subject, as well as the conditions in which the data subject consented to the processing of their personal data.
Compliance with obligations related to transfers
Obligation
Obtain the consent of the data subject for transfers, unless some of the exceptions provided for in article 37 of the Law are applied.
Report the transfers in the privacy notice and, where appropriate, include the corresponding clause.
Limit transfers to the purposes and conditions established in the privacy notice and which, where appropriate, have been consented to by the data subject.
Report the privacy notice to the third party data receivers with the purposes to which the data subject subjected their processing.
Demonstrate that the transfer was made in accordance with the regulations on the protection of personal data.
When the transfer is national, formalise it through a legal instrument that demonstrates that the transferring manager informed the receiving manager of the conditions under which the data subject consented to the processing of their personal data.
When the manager receives the personal data, they process it exclusively for the purposes and under the conditions reported in the privacy notice and, where appropriate, consented to by the data subject.
In the case of international transfers, transfer the data exclusively when the third party receiver assumes the same obligations to which the manager transferring the personal data is subject.
In the case of international transfers, complete the transfer through a legal instrument that provides at least the same obligations for the third-party receiver, to those to which the manager transferring the personal data is subject, as well as the conditions under which the data subject consented to the processing of their personal data.
Actions recommended for compliance
Identify the transfers that are made in the organisation of the processing manager.
Verify and identify for which of the transfers consent is required, based on the exceptions of article 37 of the Law.
Implement a mechanism to request the consent of the data subject, when required.
Verify that all transfers made are reported in the privacy notice, and wherever required, the clause is included so that the data holder consents to them.
Bear in mind that if consent is not required because one of the exceptions of article 37 of the Law applies, this does not exempt the manager from the obligation to report the transfers in the privacy notice.
Verify the terms and conditions stated in the privacy notice and establish mechanisms so that the transfers made are only those provided for in the notice.
Establish mechanisms so that in all cases in which transfers occur, the corresponding privacy notice is communicated to the third party receiver.
Keep communications with third-party receivers on physical, electronic or any other format, in which it is stated that they were informed of the privacy notice.
Document the legal instruments through which transfers are completed.
The use of a written legal instrument is suggested.
Require the manager transferring the personal data to provide the corresponding privacy notice.
Implement the necessary mechanisms so that personal data are processed exclusively under the conditions established in the privacy notice.
If the receiver manager needs to process the personal data for new purposes, inform the owner through the privacy notice and, where appropriate, request their consent.
If the third party receiver does not accept this condition, do not make the transfer.
Include in the legal instrument through which the transfer is completed, or in which the legal relationship between the manager and the third-party receiver is established, the obligation of the data receiver to assume the same obligations to which the manager transferring the personal data is subject.
Transfer check-list
If the answer to any of the questions is NO, take the corresponding actions; otherwise the obligations regarding transfers are likely not fully met.
QUESTION
When none of the exceptions in article 37 of the LFPDPPP applies, do you request the consent of the data subjects for the transfer?
Do you report that you make transfers, to whom and for what purposes in the privacy notice?
When required, does the privacy notice include the clause to request the consent of the data subject?
Do you make transfers exclusively for the purposes established in the privacy notice and to the third parties indicated therein?
Do you make sure to notify third-party recipients of the privacy notice and the conditions to which the data subject subjected the processing of their personal data?
Do you have evidence that the transfers were made in accordance with the provisions of the regulation?
When the transfer is national, do you formalise it through a legal instrument that demonstrates that the transferring manager informed the receiving manager of the conditions under which the data subject consented to the processing of their personal data?
When you are the manager receiving personal data, do you use the data received exclusively for the purposes established in the privacy notice and to which, if applicable, the data subject consented? Or, if you want to process the data for new purposes, do you request consent and make the privacy notice available to the data subject?
In the case of international transfers, do you transfer the data exclusively when the third party receiver assumes the same obligations to which the manager transferring the personal data is subject?
In the case of international transfers, do you formalise them through a legal instrument that provides at least the same obligations for the third-party receiver, to those to which the manager transferring the personal data is subject, as well as the conditions under which the data subject consented to the processing of their personal data?
5. Protocol for the exercise of rights of the parties concerned
5.1. Rights of data subjects
THE COCKTAIL will at all times allow the exercise of the rights established in the current regulations on data protection, including ARCO rights, without limitation.
These rights are the following:
Right to transparency
This allows the data subject to receive all information when obtaining their personal data, as well as any communication related to the processing of their personal data, in a concise, transparent, intelligible and easily accessible manner, in clear and simple language. They will also have the right to have the information provided to them in writing or by other means, if applicable, even electronic.
Right to information and access
This allows data subjects to know and freely obtain information about their personal data that are being processed.
The affected party has the right to request information about their personal data in the hands of the organisation, confirmation of whether or not these data are being processed, and the following information:
- Purposes of treatment
- Categories of personal data concerned
- Receivers or categories of receivers to whom their personal data is or will be communicated
- Period of conservation of personal data or criteria for its determination
- Existence of the right to exercise the rest of the rights of the data subject
- Right to file a claim with the control authority
- Source of personal data
- Existence of automated decisions, if applicable
- The identity and address of the manager collecting them
Right of rectification
This guarantees the data subject the right to obtain from the Processing Manager, without undue delay, the rectification of inaccurate personal data that concern them. It allows them to correct errors, amend data that prove to be inaccurate or incomplete, and ensure that the information being processed is truthful.
Right of cancellation
This guarantees the data subject the right to obtain from the Processing Manager, without undue delay, the deletion or cancellation of personal data that concern them.
The exercise of the right to deletion or cancellation will lead to the deletion of the personal data concerned, without prejudice to the duty of blocking, in the following circumstances:
- When the personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
- When the data subject has withdrawn their consent, if this was the basis legitimising the treatment.
- When the data subject has exercised their right of opposition.
- When personal data have been illegally processed.
- When personal data must be deleted to meet a legal obligation.
- When the personal data have been obtained in relation to the offer of information society services based on the consent of the data subjects.
Right to oppose treatment
This is the right of the affected person to have personal data that concern them not processed when the processing involves profiling, the satisfaction of legitimate interests, or the fulfilment of a mission carried out in the public interest.
The right of opposition is the right of the data subject to have the processing of their personal data not carried out, or ceased, if the processing could cause them harm, or if the data are being used for purposes other than those indicated in the privacy notice, except in the following cases:
- Due to their particular situation, when their data have to be processed for the fulfilment of a mission carried out in the public interest or in the exercise of public powers conferred on the Processing Manager.
- Due to their particular situation, when the processing of their data is necessary for the satisfaction of legitimate interests pursued by the Processing Manager or by a third party.
- When the processing takes place in the context of the use of information society services by automated means that apply technical specifications.
- When the data is processed for scientific or historical research purposes or statistical purposes.
The data protection regulations grant affected natural persons the right to be provided, simply and free of charge, with transparency, access, rectification and deletion, portability of the personal data held in our databases, and limitation of processing (without prejudice to the imposition of reasonable fees based on administrative costs). Although these are highly personal rights, affected persons may also exercise them through a representative, who must identify themselves and prove the representation they hold.
The rights of the data subjects are independent of one another: the exercise of one is not a prerequisite for the exercise of any other.
The request made by the affected party must always be answered, even if the established procedure has not been used or there are no data on the data subject.
The exercise of rights must be requested by communication addressed to THE COCKTAIL as processing manager, by email to the address provided for this lopd@the-cocktail.com or by regular mail. The communication must include the requirements demanded by the regulatory body at all times.
A record must be kept of the people who have exercised their rights.
5.2. Protocol for the exercise of rights
5.2.1. Regarding the right of access
The request must be answered within a maximum of 20 days from receipt. If the requester's personal data are not available, this must also be notified within the same period. In the response, the affected party must be informed and justified if their request for access is accepted or denied.
If the request is accepted, the information must be provided in a legible and intelligible form to the affected party in the manner indicated by them: On screen display; letter, copy or photocopy sent by ordinary mail or email.
Access to personal data may be denied when the right has already been exercised in the twelve months prior to the request, unless a legitimate interest to that effect is proven. In any case, the affected party must be informed of their right to seek the protection of the competent body in Mexico, the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI).
5.2.2. Regarding the right of rectification
To satisfy the right of rectification of the data subjects, the following protocol will be followed:
THE COCKTAIL as processing manager must respond to the request within a maximum of 20 days from receipt of the request, communicating whether the right is accepted or rejected. If the personal data of the affected party are not available, they must also be notified within the same period.
If the right to rectification is denied, the affected party must be informed of their right to seek the protection of the competent body in Mexico, the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI).
THE COCKTAIL has a maximum of one month from receipt of request to make the rectification requested by the affected party, if applicable, so ideally the rectification is made and the same response communicating acceptance should also report that it has been made.
IMPORTANT: If the rectified data had been previously communicated to third parties or had been previously transmitted to a third party, the rectification made must be communicated to the assignee (receiver of said data), so that they can also proceed to rectify the data. Said communication, in order not to exceed the period of one legal month, must be made within a maximum period of ten days from receipt.
5.2.3. Regarding the right of cancellation
THE COCKTAIL as processing manager must respond to the request within a maximum of 20 days from receipt of the request, communicating whether the right is accepted or rejected. If the personal data of the affected party are not available, they must also be notified within the same period.
If the right to deletion is denied, the affected party must be informed of their right to seek the protection of the competent body in Mexico, the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI).
The deletion will not apply when the personal data must be kept for the periods established in the applicable provisions or, where appropriate, in the contractual relations between the person or entity responsible for the processing and the data subject that justified the treatment of the data.
THE COCKTAIL has a maximum of one month from receipt of request to make the deletion requested by the affected party, so ideally the cancellation is made and the same response communicating acceptance should also report that it has been made.
The deletion will imply the blocking of the data, consisting of their identification and retention so as to prevent their processing, except for making them available to the Public Administrations, Judges and Courts in order to attend to possible liabilities arising from the processing, and only during the limitation period of said liabilities. After this time, the data must be deleted.
IMPORTANT: If the deleted data had been previously communicated to third parties or had been previously transmitted to a third party, the deletion made must be communicated to the assignee (receiver of said data), so that they can also proceed to delete the data. Said communication, in order not to exceed the period of one legal month, must be made within a maximum period of ten days from receipt.
5.2.4. Regarding the right of opposition
The request must be answered within a maximum of 20 days from receipt. If the requester's personal data are not available, this must also be notified within the same period. In the response, the affected party must be informed, with reasons, whether their request for opposition is accepted or denied.
If the opposition is accepted, the data of the affected party must be excluded from processing within the same one-month period available for making the request effective.
5.2.5. Control of the people who have exercised their rights or have revoked their consent to data processing
THE COCKTAIL must keep track of the people who have exercised any of their rights before the group. Said control will be recorded in a register, which for the purposes of this document is referred to as the Registry of data subjects who have exercised rights.
Likewise, those people who have revoked their consent to receive commercial communications must be included in an exclusion list which, for the purposes of this document, is the Registry of data subjects who have revoked consent for commercial communications.