Data Protected - Mexico
Contributed by Ritch, Mueller y Nicolau, S.C.
Last updated February 2024
General | Data Protection Laws
National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement
ePrivacy | Marketing and cookies
National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone
_____________________________________________________________________
General | Data Protection Laws
____________________________________________________________
National Legislation
General data protection laws
Federal Law for the Protection of Personal Data in the Possession of Private Parties (the “LFPDPPP”) supplemented by the Rules of the Federal Law for the Protection of Personal Data in the Possession of Private Parties (the “Regulation”).
These laws have been supplemented from time to time with the issuance of parameters and guidelines, including but not limited to the Data Privacy Self-Regulation (Parámetros de Autorregulación en materia de Protección de Datos Personales) (the “Self-Regulation Parameters”) published on May 29, 2014, which are designed to establish rules, standards and procedures for the improvement and implementation of mandatory self-regulation for the protection of personal data.
Entry into force
The LFPFPPP was published on 5 July 2010 and came into effect on 6 July 2010. The Regulation was published on 21 December 2011 and came into effect on 22 December 2011.
_____________________________________________________________________ Top
National Supervisory Authority
Details of the competent national supervisory authority
National Institute of Transparency, Access to Information and Personal Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales) (the “INAI”).
Av. Insurgentes Sur # 3211
Col. Insurgentes Cuicuilco
Coyoacán
C.P. 04530
Delegación Coyoacán
Ciudad de México
México
Notification or registration scheme and timing
Not required.
Exemptions to notification
None.
_____________________________________________________________________ Top
Scope of Application
What is the territorial scope of application?
The Regulation applies to processing: (i) by an entity with an establishment in Mexico; (ii) outside of Mexico if conducted for controller in Mexico; (iii) where the Regulation is applicable by principles of international law; or (iv) where the controller is based outside of Mexico but uses equipment in Mexico (other than for the purposes of transit).
Is there a concept of a controller and a processor?
The Regulation contains the concept of controller and processor.
Are both manual and electronic records subject to data protection legislation?
Yes.
Are there any national derogations?
Data protection legislation is applicable to private parties (both individuals and legal entities), except for credit information companies and individuals who collect and store information for personal or domestic use for a non-commercial purpose or without the intent to disclose such information.
_____________________________________________________________________ Top
Personal Data
What is personal data?
“Personal data” is defined as any information relating to an identified or identifiable individual. However, the Regulation does not apply to information regarding: (i) legal entities; (ii) individuals acting as merchants or professionals; or (iii) basic work related contact details.
Is information about legal entities personal data?
No.
What are the rules for processing personal data?
In order to process personal data, the controller must obtain the consent of the data subject through a Privacy Notice. Consent is not required for the processing of personal data when: (i) it is permitted by law; (ii) the personal data has been obtained from public sources; (iii) personal data has been submitted to a disassociation process; (iv) the processing of personal data is made to comply with the obligations deriving from a contract between the controller and the data subject; (v) there is an emergency that might harm an individual or his property; (vi) the processing is for healthcare purposes; or (vii) it is provided by a resolution of the competent authority.
The law also has specific provisions governing domestic and international data transfers. Controllers may transfer personal data if notice of the transfers and their specific purposes are provided in the relevant privacy notice. Controllers must obtain the data subject’s consent by such privacy notice except when, inter alia: (i) permitted by domestic law or a treaty to which Mexico is a party; (ii) the transfer is made for healthcare purposes; (iii) the transfer is made within the same group of companies operating under the same internal processes and policies; (iv) it is necessary pursuant to a contract entered into, or to be entered into, for the benefit of the data subject, by the controller and a third party; or (v) it is necessary for the pursuit of justice or to safeguard the public interest.
Under the Regulation, the controller must also take steps to ensure that data is processed in an accountable manner by, amongst other things: (i) developing policies and programmes; (ii) training staff; (iii) auditing compliance; (iv) reviewing new products and services; and (v) implementing security policies.
The Self-Regulation Parameters provide for the establishment of self-regulatory schemes. These are a combination of self-adopted and mandatory standards, rules and procedures including: (i) procedures to be used for the protection of personal data; (ii) procedures to measure the effectiveness of mandatory self-regulation; (iii) monitoring and review systems, internal and external; (iv) training programmes for those who process personal data; and (v) effective remedies in case of default. The scheme must also establish appropriate sanctions for those who fail in the fulfilment of the mandatory self-regulation such as: warnings, financial penalties, temporary or permanent suspension of the self-regulation programme. The scheme supplements the provisions of the LFPDPPP and the Regulation and must be validated by the INAI. When a controller adopts a scheme, it becomes bound by the terms of that scheme.
Are there any formalities to obtain consent to process personal data?
Consent may be express or implied. Express consent may be given verbally, in writing, through an electronic medium, or by unequivocal signs. Implied consent results from non-objection to a privacy notice provided to the data subject.
In certain circumstances, express consent must be obtained, for example the processing of financial information or sensitive personal data (see below).
Are there any special rules when processing personal data about children?
Although there are no additional rules when processing personal data about children, the Regulation sets forth that in order for the rights to access and rights to be forgotten of children to be exercised, the rules of representation provided in the Federal Civil Code will apply, which would require the express consent of the parent or guardian of the individual who is under 18 years of age.
Are there any special rules when processing personal data about employees?
There are no specific rules when processing personal data about employees, however, please note that the Regulation will not apply to the data of individuals who render their services for any legal entity or for any individual with business activities. In particular, the Regulation will not apply to personal data such as an individual’s name and surname, the functions or positions performed, physical address, e-mail address, telephone and fax number; provided that this information is processed for the purpose of representation purposes of the employer or contractor.
_____________________________________________________________________ Top
Sensitive Personal Data
What is sensitive personal data?
“Sensitive personal data” is personal data that affects the owner’s most intimate sphere, or whose improper use could give rise to discrimination or involves a serious risk to the owner; in particular, data is deemed to be sensitive if it could reveal aspects such as racial or ethnic origin, present or future state of health, genetic information, religious, philosophical or moral beliefs, union affiliation, political opinions or sexual orientation.
Are there additional rules for processing sensitive personal data?
For sensitive personal data, the privacy notice sent to the data subject must expressly indicate the subject matter of the information.
Are there additional rules for processing information about criminal offences?
There are no additional rules for processing information about criminal offences.
Are there any formalities to obtain consent to process sensitive personal data?
Consent must be both express and written, containing the written, electronic or otherwise authenticated signature of the data subject.
_____________________________________________________________________ Top
Data Protection Officers
When must a data protection officer be appointed?
Every controller must appoint a person or compliance department to aid compliance with the LFPDPPP.
What are the duties of a data protection officer?
The relevant person or compliance department must deal with the exercise of the data subject’s rights and promote compliance within the controller.
_____________________________________________________________________ Top
Accountability and Privacy Impact Assessments
Is there a general accountability obligation?
There is no general accountability obligation.
Are privacy impact assessments mandatory?
No, privacy impact assessments are not mandatory.
_____________________________________________________________________ Top
Rights of Data Subjects
Privacy notices
The controller must provide a privacy notice to the data subject containing: (i) the identity and domicile of the controller; (ii) the purposes of the processing of information; (iii) the options and mediums that the controller offers to limit the use of disclosure of the information; (iv) the transfer of information to be undertaken, if applicable; and (v) the procedure and medium the controller shall use to communicate modifications to the Privacy Notice.
Rights to access information
Owners of personal data have the right to have access to his/her personal information.
Rights to data portability
There is no express right to data portability.
Right to be forgotten
An individual also has the right to request the protection of his/her data, the right rectify his/her personal information, the right to have his/her personal information deleted and the right to oppose the use of his/her personal information.
Objection to direct marketing and profiling
The Federal Law on Consumer Protection grants consumers the right to object to direct marketing – i.e. to be free from being contacted in their home, at their place of work, by email or by any other means to offer goods and/or services. Additionally, subscribers may prohibit companies from disclosing subscribers’ information to third parties.
Other rights
An individual may rectify incorrect or incomplete data and additionally may request the cancellation/withholding of its personal data.
_____________________________________________________________________ Top
Security
Security requirements in order to protect personal data
It is necessary to establish and maintain physical and technical administrative security measures designed to protect personal data. The Regulation contains detailed security requirements including obligations to carry out a security risk analysis.
Specific rules governing processing by third party agents (processors)
A controller must ensure that there is a written contract (or similar instrument) with any processor that obliges such party to: (i) process personal data only under the controller’s instructions; (ii) implement appropriate security measures and ensure personal data is kept confidential; (iii) delete personal data at the end of the relationship, unless required to keep a record of such information by law; and (iv) not disclose personal data unless instructed to do so, to a subcontractor or when required by law.
The Regulations also contain specific provisions applicable to outsourcing and cloud computing.
Notice of breach laws
It is necessary to inform the data subject of any security violations so that the data subject takes the appropriate measures to protect its personal data. The Regulations set out certain requirements for the content of such notifications.
_____________________________________________________________________ Top
Transfer of Personal Data to Third Countries
Restrictions on transfers to third countries
There are obligations applicable to both domestic and international transfers (see “What are the rules for processing personal data?”, above). However, for international transfers, the transferor must also enter into an agreement or legal instrument, or include a clause to establish the same obligations, to ensure that the use of the personal data continues to be subject to the same level of protection.
Notification and approval of national regulator (including notification of use of Model Contracts)
Not necessary.
Use of binding corporate rules
None.
_____________________________________________________________________ Top
Enforcement
Fines
Penalties vary from a warning notice to fines ranging from 100 to 320,000 days of the minimum daily wage in Mexico City to imprisonment. These penalties may double in the case of sensitive personal data.
The adoption of a self-regulatory scheme under the Self-Regulation Parameters can be used as evidence of compliance with the LFPDPPP and the Regulation and may help to reduce any sanctions should a breach occur.
Imprisonment
Penalties include imprisonment ranging from three months to five years. These penalties may double in the case of sensitive personal data.
Compensation
No right to compensation.
Other powers
None.
Practice
Fines: In the period from October 2019 to September 2020, economic sanctions totalled $60,678,292.64 pesos (equivalent to approximately $3,557,757 dollars). They were mostly imposed in the financial services, insurance, mass media and business support & waste management services sectors.
Other enforcement action: According to the 2022 Work Report of the INAI, from October 2021 to September 2022, 226 data protection claims were filed by data subjects before the INAI, out of which 267 data protection proceedings were initiated and concluded. In the same period of time, 655 investigations were initiated by the INAI, out of which 375 were concluded and 280 remain pending. Please note that 92 of the investigations that were concluded went into the verification stage, out of which 60 were resolved and sanctioned.
_____________________________________________________________________ Top
ePrivacy | Marketing and cookies
_____________________________________________________________
National Legislation
ePrivacy laws
None.
_____________________________________________________________________ Top
Cookies
Conditions for use of cookies
No.
Regulatory guidance on the use of cookies
No.
_____________________________________________________________________ Top
Marketing by E-mail
Conditions for direct marketing by e-mail to individual subscribers
The Federal Law on Consumer Protection grants consumers the right to object to direct marketing – i.e. to be free from being contacted in their home, at their place of work, by email or by any other means to offer goods and/or services. Additionally, subscribers may prohibit companies from disclosing their information to third parties.
Conditions for direct marketing by e-mail to corporate subscribers
None.
Exemptions and other issues
None.
_____________________________________________________________________ Top
Marketing by Telephone
Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)
The Federal Law on Consumer Protection grants consumers the right to object to direct marketing – i.e. to be free from being contacted in their home, at their place of work, by email or by any other means to offer goods and/or services. Additionally, subscribers may prohibit companies from disclosing their information to third parties.
Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)
None.
Exemptions and other issues
None.
_____________________________________________________________________ Top