Socials
Indigenous Consultation
Environment
Financing
Socio-Environmental
Assessment
Training and
Research
Contact
News
Our Clients
Who We Are
Notice of Privacy
close
menu
+52 (55) 5592 4675

PRIVACY NOTICE

Centro de Investigaciones Interculturales Jurídicas y Ambientales, S.C. (CIIJA)

Calle Gral. Juan Cano 87 - 100, San Miguel Chapultepec II Secc, Miguel Hidalgo, 11850, Mexico City, Mexico. Tel. +52 (55) 5592 4675

I. Identity and address of the Data Controller

Centro de Investigaciones Interculturales Jurídicas y Ambientales, S.C. (the "Data Controller" or "CIIJA"), in compliance with the Mexican Federal Law on the Protection of Personal Data Held by Private Parties, its Regulations and the Privacy Notice Guidelines (jointly, the "Law"), and in accordance with the principles of lawfulness, consent, information, quality, purpose, loyalty, proportionality and accountability, hereby makes this privacy notice (the "Privacy Notice") available to you in order to inform you of the terms and conditions under which the Data Controller collects, uses, stores, remits and, where applicable, transfers personal data.

For purposes of this Privacy Notice, the Data Controller's address is Calle Gral. Juan Cano 87 - 100, San Miguel Chapultepec II Secc, Miguel Hidalgo, 11850, Mexico City, Mexico, and the following contact channels are made available to the data subject:
Email: ciija@ciija.com
Website: www.ciija.com

II. Personal Data

For the purposes described in this Privacy Notice, the Data Controller may request and process the following personal data (hereinafter, the "Personal Data"):

  • Identification and contact data: full name, date and place of birth, nationality, gender, signature, home and/or tax address, telephone, email, CURP (unique population registry code), RFC (tax ID), official identification and, where applicable, foreign tax identification number.
  • Representation data: position, role, powers and documentation evidencing the capacity in which the individual acts, in the case of individuals acting on behalf of legal entities, communities, ejidos, associations or other entities.
  • Academic and professional data: academic background, professional license, work experience and professional trajectory.
  • Patrimonial and financial data: banking information for invoicing, payment of fees or other consideration (subject to express consent), proof of tax status, information regarding assets, rights or interests that are the subject of the legal services.
  • Know-Your-Client (KYC) data: answers and information contained in the client knowledge questionnaire, and documentation provided to evidence the source of funds, corporate structure and beneficial owner, where applicable.
  • Employment data (candidates, personnel and suppliers): curriculum vitae, employment and personal references, salary expectations and, where applicable, tax and social security data.
Sensitive Personal Data

Pursuant to article 3, subsection VI of the Law, the Data Controller may process the following sensitive personal data only when strictly necessary for the contracted services:
  • Ethnic or racial origin, membership or affiliation with indigenous peoples or communities, mother tongue and traditional roles held within community authorities, in particular in matters relating to the rights of indigenous peoples and communities, free, prior and informed consultation, and the defence of cultural rights.
  • Biometric data and image: image captured when providing official identification or when being video-recorded or photographed at meetings, events or conferences (whether online or in person), and through the closed-circuit video surveillance systems at the Data Controller's premises.
  • Health data, only when strictly necessary to evidence impacts in social impact assessment, environmental impact assessment or human rights proceedings.
Express consent for sensitive data. In accordance with article 9 of the Law, the processing of sensitive personal data requires the express consent of the data subject, which shall be deemed granted on the terms set out in Section X of this Privacy Notice.

Sources of collection

The Data Controller may collect Personal Data directly (when the data subject provides them by any means, whether oral or written, physical or electronic), or indirectly (through video recording at events, meetings or conferences, closed-circuit video surveillance, publicly accessible sources, judicial or administrative authorities, and authorised third parties). Collection may also be required by legal or judicial mandate.

Data of third parties

When the data subject provides the Data Controller with Personal Data of third parties — for example, representatives, employees, family members, counterparties, witnesses or other individuals related to the matter — it shall be the responsibility of the data subject to: (i) have provided such third parties with this Privacy Notice, in order to inform them of the scope and characteristics of the processing for the purposes described herein; and (ii) where the Law so requires, have obtained the corresponding consent and deliver to the Data Controller the documentary evidence supporting such consent.

III. Purposes of processing

A. Primary purposes (do not require the data subject's consent)

Personal Data shall be processed for the following purposes, which give rise to and are necessary for the legal relationship with the Data Controller:
  • Provide the legal services, consulting, representation, advisory and litigation services contracted, in legal, environmental, corporate, human rights and indigenous and Afro-Mexican peoples' and communities' rights matters.
  • Identify the client, its representatives and, where applicable, the communities, traditional authorities, ejidos or legal entities represented, and verify the authenticity of the information provided.
  • Formalise the contractual relationship through the execution of service agreements, service proposals or engagement letters.
  • Compile physical and electronic files, and prepare submissions, briefs, opinions, legal assessments, legal audits, reports, due diligence and other documentation related to the professional engagement.
  • Carry out invoicing, collection of fees, expenses and other consideration, and comply with the tax, accounting and regulatory obligations of the Data Controller.
  • Verify the identity of the client, perform screening against national and international sanctions lists (background checks), and conduct compliance and due diligence activities.
  • Prevent and investigate conflicts of interest and comply with anti-money laundering obligations and other applicable provisions.
  • Respond to requirements, requests for information, notifications and resolutions from judicial, administrative or other competent authorities.
  • Maintain communication with the client, its personnel, counterparties, experts, notaries, public brokers, translators, corresponding counsel and other third parties related to the matter.
  • Respond to enquiries, requests, comments and requirements received through the website www.ciija.com or the email address ciija@ciija.com.
  • Create, upload and keep updated the Data Controller's client database; generate internal statistics; prepare reports; and carry out other activities inherent to the internal operations of the Data Controller as a service provider.
  • In the case of candidates to work with the Data Controller, conduct recruitment, evaluation and, where applicable, hiring processes.
  • Control access to the Data Controller's premises through closed-circuit video surveillance and entry records.
B. Secondary purposes

Additionally, provided that the data subject does not object, the Data Controller may process Personal Data for the following purposes, which are not necessary for the legal relationship but enable the provision of better services:
  • Sending newsletters, regulatory updates, publications, articles and technical opinions prepared by the Data Controller.
  • Invitations to seminars, forums, conferences, courses, diploma programmes and academic or professional events organised or co-organised by the Data Controller.
  • Conducting surveys to measure satisfaction and service quality.
  • Actions to promote and position the brand and services of the Data Controller, including those carried out through social media.
  • Preparation of internal statistics and studies, preferably in dissociated or anonymised formats, for academic purposes and the dissemination of legal knowledge.
Statement of objection. If the data subject does not wish their Personal Data to be processed for any of the secondary purposes, they may so state by sending an email to ciija@ciija.com with the subject line "Objection to secondary purposes", indicating their full name and, where applicable, the specific purposes to which they object. Objection to processing for such purposes shall not be grounds for denying services or terminating the legal relationship with the Data Controller.

Once the Personal Data are no longer necessary for the fulfilment of the purposes described, or for those provided in applicable legal provisions, they shall be deleted following prior blocking, in accordance with the Law.

IV. Transfers and remittances of Personal Data

The Data Controller does not sell Personal Data. Nevertheless, for the fulfilment of the purposes described, Personal Data may be transferred, within and outside national territory, in the following cases:
  • Competent judicial and administrative authorities (federal, state or municipal), courts, prosecutor's offices, autonomous bodies and regulatory authorities, when the transfer is necessary for the attention of the matter, the exercise of actions or defences, or compliance with legal requirements (article 37, subsections II, IV, V and VI of the Law).
  • Traditional and representative authorities of indigenous peoples and communities, when the subject matter so requires and in accordance with their internal normative systems.
  • Counterparties and their counsel, experts, notaries, public brokers and translators, to the extent necessary for the development of the proceeding or the corresponding negotiation.
  • Law firms, external counsel and correspondent firms, whether national or foreign, with which the Data Controller collaborates in attending to the matter.
  • Auditors and accounting, tax and compliance advisors of the Data Controller, for the fulfilment of tax, accounting and regulatory obligations.
  • Insurance companies of the Data Controller, for purposes of the professional liability policy.
  • Acquiring or successor companies of all or part of the Data Controller's business, in the event of merger, spin-off, acquisition, consolidation or any similar corporate transaction, in order to complete the same.
  • Other situations provided for in article 37 of the Law and other applicable legal provisions.
Remittances. In addition, the Data Controller may remit Personal Data to third-party processors that provide services necessary for the fulfilment of its legal, accounting, regulatory or contractual obligations, including, by way of example and without limitation, providers of information technology, cloud storage, messaging, administration, maintenance and installation; translators; printers and document digitisation companies. Such processors act on behalf of the Data Controller and are contractually bound to observe the principles and duties set out in the Law.

Transfers that require the express consent of the data subject shall be specifically notified in advance. By accepting this Privacy Notice, the data subject acknowledges the transfers described and, where legally required, grants consent for them to be carried out.

V. Security measures

The Data Controller has adopted the reasonable and necessary administrative, physical and technical security measures to protect Personal Data against damage, loss, alteration, destruction or unauthorised use, access or processing, in accordance with articles 19 of the Law and 57 to 65 of its Regulations.

The measures are at least equivalent to those employed by the Data Controller for the protection of its own information, and take into account that information containing Personal Data is additionally protected by professional secrecy. In the event of a security breach that significantly affects the patrimonial or moral rights of the data subject, the Data Controller shall inform the data subject so that appropriate measures may be taken.

VI. ARCO rights

In the event of any doubt or concern regarding the processing of Personal Data, or should the data subject wish to access, rectify, cancel or object to such processing (ARCO rights), the data subject or their legal representative may submit the request to the email address ciija@ciija.com.

The request shall contain, at a minimum:
  • Full name of the data subject, address and email address or other means to receive notifications.
  • Document evidencing the identity of the data subject or, where applicable, the identity and capacity of the legal representative (for example, copy of valid official identification and public instrument, letter of attorney signed before two witnesses, or personal appearance declaration of the data subject).
  • Clear and precise description of the right to be exercised, and the Personal Data in respect of which the right is sought to be exercised (except in the case of the right of access).
  • Any other element or document that facilitates the location of the Personal Data.
  • In the case of rectification, the modifications to be made and the documentation supporting them.
Documents shall be digitised and attached to the email.

Timelines. The Data Controller shall acknowledge receipt of the request and communicate its response to the data subject within 20 business days following receipt of the request. If the response is favourable, it shall be implemented within 15 business days following notification of the response. These timelines may be extended once, for an equal period, when the circumstances of the case so justify, and such extension shall be communicated to the data subject.

No cost. The exercise of ARCO rights is free of charge; only justified shipping or reproduction costs in copies or other formats may be charged.

Disagreement. In the event the data subject disagrees with the Data Controller's response, they shall have a period of 20 business days to communicate this to the Data Controller and seek a resolution, without prejudice to their right to approach the competent Mexican data protection authority.

Limitations. The exercise of ARCO rights may be limited in the cases provided for in articles 26 and 34 of the Law, in particular when Personal Data are necessary for the fulfilment of a legal obligation of the Data Controller, for compliance with the service agreement, for the continuation of an ongoing judicial or administrative dispute, or when the information is protected by professional secrecy. Denial may be partial, in which case the Data Controller shall effect the access, rectification, cancellation or objection to the extent applicable.

VII. Revocation of consent

To revoke the consent granted for the processing of Personal Data, the data subject may send an email to ciija@ciija.com meeting the requirements set out in Section VI. However, in some cases it may not be possible to address the request immediately, due to the existence of a legal or contractual obligation requiring the Data Controller to continue processing. Revocation of consent may result in the impossibility of continuing to provide the services.

VIII. Means to limit the use or disclosure of Personal Data

The data subject may limit the use or disclosure of their Personal Data by sending an email to ciija@ciija.com with the subject line "Limitation of use or disclosure", in order to be registered in the exclusion list maintained by the Data Controller. The data subject may also request registration in the Public Registry to Prevent Advertising (Registro Público para Evitar Publicidad) administered by the Federal Consumer Protection Agency (PROFECO).

IX. Use of cookies and similar technologies

The website www.ciija.com may use cookies, web beacons or other tracking technologies for the following purposes: (i) to recognise the recurring user; (ii) to measure usage and navigation parameters of the website; (iii) to improve the user experience; and (iv) to obtain anonymous usage statistics. The data subject may disable the use of cookies directly from their browser settings; doing so may affect certain functionalities of the website.

X. Consent

Implied consent. If the data subject does not agree with this Privacy Notice, they shall refrain from providing their Personal Data, from using or requesting the Data Controller's services, and from entering, browsing or using the functions and services of the website www.ciija.com. Consent to the processing of Personal Data on the terms set out herein shall be deemed implicitly granted when, having had this Privacy Notice made available, the data subject does not object. The delivery of information to the Data Controller, as well as access to and use of the website, platforms and services, and participation in the Data Controller's forums or events, shall be deemed an expression of implied consent.

Express consent. Exceptionally, and whenever the Law so requires with respect to certain types of Personal Data — notably, sensitive and financial data — the Data Controller shall take positive and affirmative measures to obtain the data subject's consent. In such cases, consent shall be deemed expressly granted when any of the following occurs: (i) the data subject signs a copy of this Privacy Notice at its foot; (ii) the data subject signs any contract, service proposal or engagement letter that incorporates or references this Notice; (iii) the data subject expressly states their agreement by ticking a verification box enabled for such purpose on platforms or websites of the Data Controller; or (iv) any other mechanism or procedure permitted by the Law. By accepting this Privacy Notice, whether implicitly or expressly as applicable, the data subject also consents to the transfers of Personal Data described in Section IV, on the terms and with the scope provided therein.

XI. Data protection authority

If the data subject considers that their right to the protection of personal data has been infringed by any conduct or omission of the Data Controller, or presumes any violation of the Law, they may file a complaint with the Secretaría Anticorrupción y Buen Gobierno (Mexican Anti-Corruption and Good Governance Ministry). For further information, please visit https://www.gob.mx/buengobierno.

XII. Changes to the Privacy Notice

This Privacy Notice may be modified, updated or extended at any time, whether to implement improvements, additional security measures, legal requirements, updates to the purposes of processing or matters inherent to the Data Controller's operations. Any modification shall be made available to the public on the website www.ciija.com, indicating the date of the last update, and shall take effect seven (7) business days after its publication. Data subjects are recommended to review this Notice periodically.

[April 2026]
Mexico City, Mexico.

CENTRO DE INVESTIGACIONES INTERCULTURALES
JURÍDICAS Y AMBIENTALES