The Global COVID-19 pandemic brought an unforeseen digital revolution to the workplace. The Mexican legal system, including courts and regulators, have faced an unprecedented need (and now apparent preference) for digital solutions. As a result, questions have arisen in new situations—like virtual terminations and e-signatures on union contracts-such that all facets of employment law are confronting a steady readaptation to this new digital era. This article focuses on workplace vaccination requirements in this new age, with an eye towards compliance with Mexican data privacy law.

Background on Mexican Data Privacy
The foundations of Mexican data privacy are laid out in the Federal Law for the Protection of Personal Data in Possession of Private Parties (Ley Federal de Protección de Datos Personales en Posesión de Particulares) and its supplementary regulations. These laws divide personal data into three main categories: general, financial and sensitive. Each information collector-defined as any natural or legal persona that processes personal data—owes a certain level of protection to the data owner. The required level of protection depends on its category, as do fines for violation of these requirements. For example, when collecting general data (e.g., name, contact information, CV, etc.), the collector must provide a privacy notice to the data owner, with information on how the data is going to be used and disposed. The data owner does not need to expressly accept these terms. By contrast, subject to certain exceptions (like in medical emergencies), to collect and use financial or sensitive data1 , the collector must obtain the data owner’s express prior consent to the privacy notice.

Mexican data privacy regulations also make clear that data collection cannot take place unless there is a specific purpose for doing so (i.e., marketing, furthering a business relationship, analyzing financial capabilities, accessing medical care, among may others).

Vaccination Status as Personal Data and Challenges to Employers
Mexican law does not explicitly provide for whether employer collection of COVID19 vaccination status is a valid purpose. Some assert that this information is necessary to make workplaces as safe as possible. However, even if validly collected, vaccine status likely falls into the sensitive data category (as it is comparable to a medical record).

Mexico has not issued any laws that require vaccination against COVID19. Therefore, because every individual is free to decide whether to receive the vaccine, employers may not discriminate against unvaccinated employees– whether in relation to labor conditions, growth opportunities, hirings or firings. Employers may, however, use vaccination status to organize working schedules, determine home-office schemes, and otherwise foster safe working spaces. Any other disparate treatment that affects an employee’s salary, benefits, or professional growth could be considered discrimination, and therefore a violation of Mexican labor regulations.

Tips for Companies with Employees in Mexico
Even in the face of these legal risks, there is an undeniable need for companies to prevent the spread of COVID19, which resultingly requires them to understand the vaccination status of their workforce. Therefore, companies should consider the following in their collection and treatment of sensitive vaccination status data:

1. Treatment: Treatment of all personal data must comply with the following key principles, among others:

• Data must be used in accordance with the terms of the privacy notice (as mentioned above and discussed in more detail below);
• Data must be kept confidential, in the context of both external and internal disclosures(2)
• Data must not be transferred, unless to companies within the same corporate group or if indicated in the privacy notice; and
• Data may be accessed, eliminated, cancelled, or its use challenged, at the data owner’s request, and must be disposed when no longer in use.

2. Privacy Notice.

• The collection of sensitive data (like vaccination status) must be accompanied by a privacy notice. Privacy notices must indicate, in general terms, the following: what information is being collected, why the information is being collected, how the information is being processed, when the information will be eliminated, where the information will be stored, and who will have access to the information. Unlike privacy noticed for general data, before collecting sensitive data, the data owner must provide express consent to the privacy notice.

• Of course, because there is no law requiring the vaccine, individuals may refuse to disclose their vaccination status to their employers. Employers may not discriminate against or impose distinct treatment on those who refuse to provide this information.

3. Other Workplace Measures

• If a vaccine information is obtained, companies in Mexico must take precise and strategic actions to avoid labor shortages and health emergencies. In addition to rules imposed by the government (i.e. maximum workers per square meter and the required use of a facemask), companies may require temperature controls, periodic COVID19 testing (if covered by the company), the placement of hand sanitizers throughout the workplace, special employee insurance policies, and in some cases reorganizing work schedules to reduce risk exposure.

• However, importantly, all actions that company takes must apply equally to all employees—and never targeted specifically against unvaccinated employees. Conclusion Although the landscape may seem unclear for now, COVID19 has accelerated many legal processes and procedures in Mexico— including analysis of vaccination status under domestic data protection laws.