On April 13, 2021, the Chamber of Deputies approved the Reform on the Subcontracting of personnel, which is expected to be published on May 1st, 2021. Derived from such reform, companies will have many legal and compliances issues that will need to be reviewed from a labor and tax perspective. However, particularly with respect to the possible transfer of employees from a third party (outsourcing), there may be some privacy issues that should be reviewed before making the transfer.

The Reform provides that the transfer of employees must be carried out as an employer's substitution without transferring assets, if the transfers is carried out within a 90-day calendar period following to the effective term of the labor reform or after such period as a transfer o assets. In any case, in both transfers we identify two possible scenarios (i) a transfer derived from insourcing (from another company of the same group); and (ii) a transfer derived from outsourcing (from a third party). The possible privacy issues are probably simpler to navigate for the insourcing since the Federal Data Privacy Law (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) and its implementing Regulations (together "FDPL") provide certain exceptions and a more flexible framework for the transferring of personal data within entities that belong to the same corporate group. However, in the context of an outsourcing, where there may be a transfer of personal data from a third party to the beneficiary of the services, the transfer would be subject to more stringent rules and obligations for the parties. In such case, the transfer will at least trigger certain privacy obligations, such as, informing about the transfer, obtaining express consent from the employees and/or executing data transfer agreements.

I that regard, considering that complying with such privacy requirements may take some time, it would be advisable not to leave these issues for the end, particularly where compliance with privacy requirements may result in a company not being able to comply with the 90-days deadline described above.

Therefore, in parallel with the employment, tax and corporate review, it would be important that companies discuss with their Data Protection Officer or Privacy Responsible, at least: (i) whether there is an employee privacy notice in place. If there is, then confirm that the transfer is considered therein (informed). If the company does not have one, prepare one that should be delivered to the employees before the transfer; (ii) Whether obtaining consent from the employees is necessary before the transfer takes place. While the FDPL provides for exceptions to obtaining consent, to the extent that companies can obtain consent, it is always preferable to obtain consent before the transferring of the personal data; (iii) the type of legal document or clause that should be in place between the exporter and recipient (intragroup data transfer agreement or data transfer agreement with a third party); and (iv) whether a Data Privacy Impact Assessment is necessary before the transfer takes place. In addition, it is important that the recipient of the personal data has taken all the necessary measures to be able to comply with the FDPL, as a new data controller, before it receives the employee's data, such as having the necessary privacy infrastructure and data security. Particularly, since some companies may have financial, estate and sensitive personal data of its employees. This is important since receiving and processing such type of personal data may increase risks for the recipients.

There is no one size fits all and each case must be analyzed individually.