I. OBJECTIVE

The objective of this document is to establish a standard or guide for compliance with the Federal Law on Protection of Personal Data Held by Private Parties (hereinafter the Law) and the Regulation of the Federal Law on Protection of Personal Data Held by Private Parties (hereinafter the Regulation), as well as with information security requirements, and to establish requirements for the processing of Personal Data. Processing is understood as the obtaining, use, disclosure or storage of personal data by any means. Use covers any action of access, handling, use, transfer or disposal of personal data.

II. SCOPE

This policy applies to the processing of all Personal Data collected by the Company acting as data controller, to the Personal Data the Company receives from third parties, and to the role of the Personal Data Commissioner within the Company (hereinafter the Commissioner).


Of the General Directorate

● Determine the contents that must be included in the privacy notice regarding the purposes of processing, the data to be collected, data transfers and the exercise of ARCO rights.

● Monitor that the mechanism for exercising ARCO rights remains in operation.

● Provide training to the areas that handle Personal Data.

● Establish which other norms or legislation take precedence over the Law.


● Respond to requests submitted through the ARCO rights mechanism.

● Ensure that the data collected is used only for the purposes for which it was requested.

● Include personal data within the scope of the Company's security processes.

IV. DESCRIPTION
1.1 Purpose of processing personal data

The Company may process personal data, and other data that is reasonably adequate and relevant, for the following purposes:

a) For personnel and human resources management processes, which may include recruitment, planning of working hours, performance management and training, compensation and other benefits, distribution of payroll receipts, exit interviews, social security, etc. For these purposes the Company acts as data controller.

b) For the execution of business and management processes, which may include any activity or service performed by the Company, such as, but not limited to: fulfilling requests to provide the services and products that customers have requested; notifying customers about new services or products related to those already contracted or acquired; communicating changes to them; developing the studies and programs needed to determine consumption habits; carrying out periodic evaluations of our products and services in order to improve their quality; evaluating the quality of the service we provide; and, in general, complying with the obligations we have contracted with the client. For these purposes the Company acts as data controller.

c) To control access by personnel, customers, suppliers, etc. to the Company's offices. For these purposes the Company acts as data controller.

d) For processes with suppliers, which may include any activity or service performed by the Company, including but not limited to: provision of the contracted services, quotes, payments and billing. For these purposes the Company acts as data controller.

1.2 Rules to follow when processing personal data

Both the Company and any third party acting as processor (Person in charge) of data collected by the Company must follow these principles:

a) Personal data must be processed appropriately and in accordance with the law.

b) Personal data must be collected for one or more purposes that allow the provision of services, and must not be processed in any way that is incompatible with those purposes.

c) The collection of personal data must be adequate and relevant, and must not be excessive in relation to the purposes for which the data is processed.

d) Personal data must be accurate and kept up to date.

e) Personal data must not be kept longer than necessary.

f) The confidentiality of Personal Data may not be violated in any way. If confidentiality is breached, the Director General must be informed immediately.

g) Information or databases containing Personal Data must not be sold or otherwise commercialized.

1.3 Additional rules that the Company must follow as controller (Responsible) of personal data

As controller of personal data, the Company must meet the following requirements:

a) Before collecting, processing or storing personal data, the Company must have the consent of the data subject (who may be a customer, candidate, employee, supplier or any other person from whom the Company collects personal data) in order to process their information. Each data subject must be informed of the purposes for which their personal data is collected, stored or processed.

b) The Human Resources area is responsible for making the privacy notice available to candidates and employees before collecting their data; and

c) For suppliers, the Purchasing area is responsible for the same actions.

When a business activity is outsourced and a third party is in charge of the data, the identity of the Data Controller or its representative must be provided, and it must be verified whether the Company must abide by the third party's Privacy Notice.


The Company must have a Privacy Notice (hereinafter the Notice) through which data subjects are informed of the information collected from them and the purposes for which it is collected.

The Notice must contain at least the following information:

a) The identity and address of the controller.

b) The purposes of the data processing.

c) The options and means the controller offers data subjects to limit the use or disclosure of their data.

d) The means by which the rights of access, rectification, cancellation or opposition may be exercised, in accordance with the Law.

e) Where applicable, the data transfers that are made.

f) The procedure and means by which the controller will notify data subjects of changes to the privacy notice.

In the case of sensitive personal data, the Privacy Notice must expressly state that the data is of that type.

The Privacy Notice must be made available to data subjects in printed, digital, visual, audio or any other technological format, as follows:

a) When personal data is obtained in person from the data subject, the privacy notice must be provided at the time of collection, clearly and verifiably, through the same formats by which the data is collected, unless the notice was already provided in advance.

b) When personal data is obtained directly from the data subject by electronic, audio or visual means or any other technology, the controller must immediately provide the data subject with at least the information in items a) and b) of the minimum contents above (identity and address of the controller, and purposes of processing), together with the mechanisms by which the data subject can consult the full text of the Privacy Notice.

c) A data privacy disclaimer must be included as a template in all emails, below the signature.

d) A clause in the format attached to this policy must be included in all contracts with suppliers, agreeing that the Company remains the controller (Responsible) of the Personal Data collected and that the Supplier acts as processor (Person in charge) of the Personal Data to which it has access. It must additionally be specified that the Supplier, in its capacity as processor, must follow all internal regulations and requirements that the Company determines for the protection of Personal Data.

e) Human Resources must obtain a signed Privacy Notice from every job applicant at first contact.

f) When calls are made to clients and the call involves collecting personal data, the short Privacy Notice must be read out, together with the website where the Comprehensive Privacy Notice can be consulted.


The Company may transfer personal data, in compliance with the law, any legal requirement or the provisions of article 37 of the Law, to any affiliated company or third party for the fulfillment of the Company's corporate purpose.

The Company takes the necessary measures so that the natural or legal persons who have access to personal data comply with the data protection principles established in the Law and with the practices the Company itself has voluntarily implemented.

The Company may carry out a data transfer, whether within national territory or abroad, without the consent of the data subject only in the following cases:

a) When the transfer is provided for in a law or in a treaty to which Mexico is a party.

b) When the transfer is necessary for medical prevention or diagnosis, the provision of health care, medical treatment or the management of health services.

c) When the transfer is made to holding companies, subsidiaries or affiliates under the common control of the controller, or to a parent company or any company of the controller's group that operates under the same internal processes and policies.

d) When the transfer is necessary by virtue of a contract entered into, or to be entered into, in the interest of the data subject, between the controller and a third party.

e) When the transfer is necessary or legally required to safeguard a public interest, or for the procurement or administration of justice.

f) When the transfer is necessary for the recognition, exercise or defense of a right in a judicial proceeding.

g) When the transfer is necessary for the maintenance or fulfillment of a legal relationship between the controller and the data subject.

4.1 Storage of personal data

Personal data must be stored under the following rules:

a) The reasonable retention period for personal data must be reviewed periodically. These activities are defined in the Annex to this Policy, which forms part of it.

b) Information must serve the purpose for which it was collected and may not be retained once that purpose has been fulfilled.

c) All personal information must be securely deleted so as to guarantee protection against erroneous or unlawful access.

d) Retained personal information must be accurate, filed and up to date, and must be deleted once its retention period has expired. It is the responsibility of the data subject (the natural person whose data was collected) to inform the Company of any discrepancy or to update their personal data. Nonetheless, the Company strives to keep its databases as accurate as possible.

5.1 Data Protection

a) The Company must ensure that only authorized personnel can access, modify, move or delete personal data, and that those individuals act only within the scope of their authority.

b) Controls must be implemented to protect personal data, including: physical and environmental controls (facilities, workstations, integrity of access control devices); IT security controls such as security and encryption devices; and security awareness training for new hires together with annual training for all employees. A risk analysis must be carried out, and the organizational requirements, documentation requirements, and information security policies and procedures must derive from it.


The Company and its employees must cooperate diligently with any request or inquiry from the authority in charge of personal data protection (INAI), whether an audit request or direct questioning of processes by INAI, or compliance with INAI's recommendations regarding the protection of Personal Data in relation to any incident or non-compliance with the Federal Law on Protection of Personal Data Held by Private Parties.


Any employee who causes or attempts to cause a security breach with respect to this Policy, whether through negligence or intentional misconduct, is subject to sanctions under the applicable data privacy laws.


Clients, employees, candidates and/or suppliers of the Company, that is, the data subjects, may at any time request from the Company access, rectification, cancellation or opposition regarding the personal data that concerns them, either directly or through their legal representative. To do so, they must submit the request to the Commissioner in one of the following ways:

● In writing: at the Company's address.

● By email: to the address [ include email ]

The following procedure must be followed:

  1. Submit a request accompanied by the following information:

a) Name of the data subject, address and an email address so that the Company can communicate its response to the request.

b) Original, current, official documents issued by a competent authority that prove the identity of the data subject (voter ID issued by the National Electoral Institute, driver's license, passport or professional license) or, where applicable, that prove the legal representation of the data subject (power of attorney signed before two witnesses, or power of attorney granted before a notary public, together with an original official identity document of the representative issued by a competent authority).

c) Place and date of the request.

d) The request must be addressed to the Company.

e) A clear and precise description of the personal data with respect to which the data subject seeks to exercise any of the aforementioned rights.

f) Any other element or document that facilitates locating the personal data.

  2. In the case of rectification of personal data, the data subject must indicate, in addition to the information listed in the previous section, the changes to be made, and must provide documentation supporting the request.

  3. In the case of the right of access, the data subject must indicate the data they wish to know.

  4. The right of cancellation applies when the data subject no longer has a legal relationship with the Company (a nexus between the Company and the data subject arising from a contract). When data is cancelled it must first be blocked: cancellation gives rise to a blocking period, after which the data is deleted. During the blocking period the controller may keep the data exclusively for the purposes of liabilities arising from the processing. The blocking period must be equivalent to the period during which the Company may exercise its rights derived from the legal relationship (the contractual nexus between the Company and the data subject) that is the basis for processing the data under the applicable Law. After blocking, the data is deleted. Once the data has been cancelled, the data subject must be notified.

The Company is not obliged to cancel personal data when the data:

a) Refers to the parties to a private, social or administrative contract and is necessary for its development and fulfillment.

b) Must be processed by legal provision.

c) Is needed such that cancellation would obstruct judicial or administrative actions related to tax obligations, the investigation and prosecution of crimes, or the updating of administrative sanctions.

d) Is necessary to protect the legally protected interests of the data subject.

e) Is necessary to carry out an action in the public interest.

f) Is necessary to comply with an obligation legally acquired by the data subject.

g) Is processed for prevention or for medical diagnosis or the management of health services, provided that the processing is carried out by a health professional subject to a duty of secrecy.

The data subject has the right at any time, and for legitimate reasons, to oppose the processing of their data. If the opposition is upheld, the controller may not process the data concerned.

  1. For the right of opposition, the data subject must indicate the data to which the opposition refers, so that processing is not carried out for the specific purposes.
  2. When consent is limited or revoked, the personal data must cease to be used, since the data subject's consent is required for its use, except in the cases provided for in the Law.
  3. At any time, the data subject may revoke consent for the processing of their personal data by stating the revocation in a written request submitted either at the Company's address or by email to the address [include email ], within the first 20 (twenty) days from the moment the data was collected; in the request the data subject indicates an email address for the purposes of this procedure. The Company must address and answer the request in writing within 15 (fifteen) days of receiving it, sending the answer to the email address indicated by the data subject in the request.


The Commissioner processes data subjects' requests for the exercise of the rights referred to in the Law and promotes the protection of personal data within the organization. This role falls to the Company's Information Security Manager. Requests must be received in person at the Company's address or by email at the address [include email ].


The Commissioner must notify the data subject of the determination adopted within a maximum of 20 (twenty) business days from the date the request for access, rectification, cancellation or opposition was received, so that, if appropriate, it is made effective within the 15 (fifteen) business days following the date on which the response is communicated. In the case of requests for access to personal data, delivery is made only after the identity of the applicant or legal representative, as appropriate, has been verified.

The above terms may be extended only once, for an equal period, provided the circumstances of the case justify it.


The obligation to provide access is deemed fulfilled when the personal data is made available to the data subject, or when electronic documents are issued and sent to the email address from which the data subject made the request, or to the address designated by the data subject if the request was made in person.


The Company may deny access to personal data, or refuse its rectification, cancellation or opposition to its processing, in the following cases:

a) When the applicant is not the data subject, or the legal representative is not duly accredited.

b) When the applicant's personal data is not found in the Company's databases.

c) When the rights of a third party would be harmed.

d) When there is a legal impediment, or a resolution of a competent authority, that restricts access to the personal data or does not allow its rectification, cancellation or opposition.

e) When the rectification, cancellation or opposition has already been carried out.

In all the above cases, the Company must state the reason for its decision and communicate it to the data subject or, where applicable, to the legal representative, within the established deadlines and by the same means by which the request was made, attaching the relevant evidence where appropriate.

Delivery of personal data is free of charge; the data subject need only cover justified shipping costs or the cost of reproduction in copies or other formats.


The Commissioner is responsible for training the personnel involved in the processing and safeguarding of personal data.


The specific meaning of certain terms used in this document is defined below:

Personal data: Information concerning an identified or identifiable natural person. This includes data on ethnic or racial origin; physical, moral or emotional characteristics; affective and family life; address; telephone number; assets; ideology and political opinions; religious or philosophical beliefs or convictions; physical or mental health; sexual preferences; or other similar data affecting their privacy.

Sensitive personal data: Personal data such as racial or ethnic origin, present and future health status, genetic information, religious, philosophical and moral beliefs, union affiliation, political opinions and sexual preference, which affects the most intimate sphere of the person, or whose misuse may give rise to discrimination or entail a serious risk to the person.

Database: An organized set of personal data in digital or non-digital format, whatever the form or manner of its creation, registration, storage, organization and access.

Tacit consent: The data subject is considered to accept the processing of their personal data when the Company holding the information has informed them through its privacy notice and the data subject does not object.

Express consent: The free, unequivocal, specific and informed expression of will through which the data subject accepts the processing of their personal data, given verbally, in writing, by electronic, optical or any other technology, or by unequivocal signs.

ARCO Rights: The rights of Access, Rectification, Cancellation and Opposition.

Person in charge (processor): The natural or legal person that, alone or jointly with others, processes personal data on the instructions or at the request of the Responsible.

Institute: Federal Institute for Access to Information and Data Protection (IFAI), now the National Institute for Transparency, Access to Information and Personal Data Protection (INAI).

Law: Federal Law on Protection of Personal Data Held by Private Parties.

Regulation: Regulation of the Federal Law on Protection of Personal Data Held by Private Parties.

Responsible (controller): The private natural or legal person that decides on the processing of personal data.

Holder (data subject): The natural person to whom the personal data corresponds.

Transfer: Any communication of data to a person other than the Responsible (controller) or the Person in charge (processor).

Treatment (processing): The obtaining, use, disclosure or storage of personal data by any means, automated or not. Use covers any action of access, handling, use, transfer or disposal of personal data.
