Data Protection Regulations in Mexico: an Overview
When explored in its entirety, data protection extends much further than the GDPR. Follow along as our compliance specialist, Tiana Dermedjieva explores the complicated regulatory framework in Mexico.
Federal Data Protection Law Mexico
The Federal Law on the Protection of Personal Data held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) (“the Law”) entered into force on July 6, 2010.
The laws apply to:
◦ Data controllers in Mexico
◦ Data processors acting on behalf of Mexican controllers
◦ Foreign controllers subject to Mexican law via agreements or conventions
◦ Data processing in Mexico for non-Mexican controllers, excluding transit-only activities
The law doesn’t apply to:
◦ Government entities
◦ Credit reporting companies under specific laws
◦ Personal data for personal, non-commercial use
◦ Business-to-business data under specific conditions
INAI Guidelines
The National Institute for Transparency, Access to Information and Personal Data Protection (INAI) has issued additional guidelines, such as:
◦ Privacy Notice Guidelines
◦ Data Security Recommendations
◦ Self-Regulation Parameters
◦ Guidelines for Data Protection Officers
◦ Guidelines for Secure Data Deletion
◦ Cloud computing and Biometric Data Processing criteria
National Data Protection Authority & Registration
The National Institute of Transparency for Access to Information and Personal Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales) (INAI) and the Ministry of Economy (Secretaría de Economía) serve as Mexico’s data protection authorities.
Mexican law does not require registration with a data protection authority or other regulator in relation to the use of personal data.
Data Protection Officers
All data controllers are required to designate a personal data officer or department (each, a Data Protection Officer) to handle requests from data subjects exercising their ARCO Rights (as defined in ‘Collection and Processing’) under the Law. Data Protection Officers are also responsible for overseeing and advising on the protection of personal data within their organizations.
Privacy Notice Requirements
Types of Privacy Notices:
◦ Comprehensive: Required when data is collected in person.
◦ Simplified: For direct online or phone interactions.
◦ Short Form: When space is limited, e.g., ATMs or SMS.
Comprehensive Privacy Notice Must Include:
Data controller identity and address | Data types being processed |
Purpose of data processing | Options for limiting data use |
Method to revoke consent | ARCO rights procedure |
Data transfer types, if applicable | Notification process for changes |
Simplified Privacy Notice Must Include:
Data controller identity and address | Purpose of data processing |
Options for limiting data use | Access to comprehensive notice |
Short Form Privacy Notice Must Include:
Data controller identity and address |
Purpose of data processing |
Options for limiting data use |
Additional Requirements | Exceptions |
Language must be clear and comprehensible. (Spanish) | Not required if data is for historical, statistical, or scientific purposes. |
Data controllers must prove that notices were provided before data processing. | Not required for data not covered by Mexican Privacy Laws. |
The privacy notice serves as the legal basis for processing personal data and must be tailored to different data subject categories like employees and customers.
Consent Types for Data Processing
Implicit Consent:
Default for most data unless otherwise specified. Obtained when the data subject is informed via a privacy notice and does not object.
Express Consent:
Required for financial or asset data. Can be verbal, written, or through unmistakable indication.
Express Written Consent:
Required for sensitive personal data. Can be via written or electronic signature.
When Consent is Not Required (Consent isn’t required, but a privacy notice must still be available) in the following cases: |
Legally mandated by Mexican law |
Data is public |
Data is anonymized |
Legal obligations between data subject and controller |
Emergency situations |
Essential for medical reasons |
Authorised by competent authority |
Data Transfer Guidelines
When it comes to data, it’s essential to distinguish between transfers and transmissions. A transfer involves sending data to a third party, one that isn’t a processor. On the other hand, a transmission specifically refers to sending data to a processor. So, in essence, transfers involve a broader spectrum of recipients, while transmissions are more focused on interactions with processors.
When engaging in data transfers, a set of crucial rules must be adhered to ensure transparency and privacy compliance:
◦ Must share privacy notice and data limitations with third parties.
◦ Must inform data subjects about: who receives the data, purpose of the transfer, how to refuse consent if required
Third parties assume the same obligations as the original data controller.
When Consent is Not Required for Transfers |
Required by law or treaty |
Medical necessity |
Sent within affiliated companies |
Contractual requirement |
Public interest or justice |
Legal proceedings |
Existing legal relationship |
Data processors play a pivotal role in ensuring the responsible handling of information, and adherence to specific rules is paramount in this regard. Foremost, processors must diligently follow the instructions provided by the data controller, the utilization of data should strictly adhere to the purposes outlined in these instructions, implementing robust security measures is a non-negotiable aspect, safeguarding the integrity and confidentiality of the entrusted information. Upholding confidentiality extends beyond security measures, encompassing a commitment to maintaining the privacy of the data. Timely deletion of data, in accordance with prescribed timelines, is another vital responsibility. Importantly, data processors should refrain from transferring data unless expressly instructed to do so, ensuring a controlled and purposeful flow of information.
Data Security Guidelines
Controllers must implement physical, technical, and administrative measures to safeguard data from unauthorized access, loss, or damage. These measures should be at least as strong as those applied to their own information, forming a comprehensive defense against potential threats.
Factors for Security Measures
◦ Consider risk level, consequences for data subjects, data sensitivity, and technological advancements.
Personnel Training
◦ Train staff on proper data handling per Mexican Privacy Laws.
Key Procedures & Documentation:
Keep an updated inventory of personal data and processing systems | Define duties for those processing data |
Conduct risk analyses to identify and estimate threats | Implement and verify security measures |
Continually assess and improve security | Create a plan for addressing security breaches |
Perform regular security audits | Maintain records of data storage means |
Breach Notification Guidelines
A breach, in this context, encompasses unauthorized incidents such as loss, theft, copying, use, access, damage, or alteration of personal data.
In the event of a data breach, timely and transparent communication is crucial. Controllers should promptly notify data subjects if the breach materially impacts their property or moral rights.
Following a breach, it should be done a thorough analysis of the causes behind the breach and the subsequent implementation of corrective and preventive actions to mitigate the impact and prevent recurrence.
The notification to affected data subjects must include essential information to ensure transparency and guide them through the aftermath. Controllers should communicate the nature of the breach, specifying the unauthorized incident and detailing the compromised data. Equally important is outlining protective measures for data subjects, empowering them with information on how to safeguard their interests. Additionally, the notification should articulate the immediate corrective actions undertaken by the controller to address the breach. Timeliness is of the essence, as controllers are obligated to inform affected data subjects promptly upon confirming the occurrence of a breach.
Enforcement Guidelines
How to Enforce Rights
Data subjects can enforce ARCO Rights through INAI and the courts if the controller doesn’t respond. Regarding this, INAI can inspect facilities to check law compliance and take appropriate actions in the event of non-compliance.
Penalties
◦ Monetary fines range from 100 to 320,000 times the Mexico City minimum wage; doubled for sensitive data violations.
◦ 3 months to 3 years imprisonment for security breaches; doubled for sensitive data.
◦ 6 months to 5 years imprisonment for deceitful data processing; doubled for sensitive data.
Some factors for sanctions may be: the nature of the data, intentionality of the action, economic capacity of controller, recidivism.
Mexico’s Data Protection Law vs. EU GDPR
Similarities: |
Accountability: Both Mexico and the EU emphasize the data controller’s responsibility to demonstrate compliance. |
Data Protection Impact Assessment: While not explicitly called DPIAs in Mexico, similar risk assessment procedures are required. |
Security Measures: Both require technical and organizational measures to protect personal data. |
Differences |
Self-Regulation and Certification: Both have mechanisms, but GDPR places a greater emphasis on codes of conduct. |
Legitimate Interest: GDPR includes this as a condition for data processing; Mexican law does not. |
Something additional to all this may be that:
◦ Mexican companies dealing with EU data subjects must also comply with GDPR.
◦ Tacit consent is valid in Mexico for non-sensitive data.
Staying informed and continually updating our understanding of data protection is crucial. While GDPR represents a significant aspect, it’s essential not to overlook the myriad of data protection laws worldwide.
For more information, please contact us at [email protected].
Contact Us
Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or Regulator request and need help then please contact us anytime. We are always happy to help...
GDPR Local team.
Recent blogs
Appointment of a DPO in Singapore: What You Need to Know Before 30th September
If your business handles personal data in Singapore, it’s important to be aware of a key deadline
Enterprise Data Protection: Securing Large-Scale Information Assets
Cyber threats and regulatory pressures have made it necessary for businesses around the world to sa
Continuous Data Protection: Ensuring Real-Time Information Security
Continuous data protection (CDP) has emerged as a crucial strategy in safeguarding data assets agai