Mexico - Data Protection Overview

November 2021

1. Governing Texts

Mexico has followed, along with other Latin American countries, the international trend of ensuring the protection of personal data. In this sense, the protection of personal data is a fundamental right recognised by the Constitution of Mexico ('the Constitution') since 2009. Following this recognition, the Federal Law on Protection of Personal Data Held by Private Parties ('the Law') was published in 2010. The following year, the Regulations to the Federal Law on Protection of Personal Data Held by Private Parties ('the Regulations') were enacted. In 2013, the National Institute for Access to Information and Protection of Personal Data ('INAI') issued the Guidelines on Privacy Notices (only available in Spanish here) ('the Guidelines'). These three norms are the main legal framework for the private sector.

In January 2017, the long-awaited data protection law for the public sector was published: the General Law on Protection of Personal Data Held by Mandated Parties (only available in Spanish here) ('the Public Sector Law'). The purpose of the Public Sector Law is to establish the bases, principles, and procedures for guaranteeing the right to the protection of the personal data that is in possession of the mandated subjects. The mandated subjects to which the Public Sector Law applies at the federal, state, and municipal levels are any authority, entity, body, and agency of the executive, legislative, and judicial branches, autonomous bodies, political parties, trusts, and public funds. Trade unions and any individual or legal person who receives and exercises public resources or that carry out acts of authority at the federal, state, and municipal levels will be accountable for the processing of personal data in accordance with the laws and regulations applicable to the processing of personal data by private parties, mentioned above. In any other situation not mentioned previously, the laws applicable to the processing by private parties shall also apply.

1.1. Key acts, regulations, directives, bills

  • the Constitution;
  • the Law;
  • the Regulations;
  • the Guidelines; and
  • the Public Sector Law.

1.2. Guidelines

The INAI, which is the Mexican data protection authority, has issued several guides and recommendations on topics including security measures, identity theft, data breaches, secure deletion of personal data, and how to draft a privacy notice.

1.3. Case law

Since the Law is quite recent when compared to other subject matters in the country, the INAI has mainly been acting on data subject complaints. Although many resolutions of the INAI are under appeal, the INAI has imposed several large fines on data controllers, mainly for, among other things, not providing a privacy notice to data subjects, providing an incomplete or unclear privacy notice, and transferring personal data without consent. There have also been cases related to data breaches; for example, employees in a company used and transferred personal data of their employer's clients for their own (unauthorised) purposes.

One of the most relevant cases took place in 2015, when the INAI imposed a fine of MXN 32 million (approx. €1.4 million) on a financial institution for processing sensitive personal data (i.e. health data) without the explicit written consent of the data subject. A Federal Court confirmed the resolution of the INAI, considering that the fine imposed was duly justified, proportional, and legal.

2. Scope of Application

2.1. Personal scope

All individuals and legal entities in the private sector that are involved in the processing of personal data are governed by the Law, the Regulations, and the Guidelines. However, credit reporting companies and individuals who collect and process personal data exclusively for personal use are exempt from these rules.

However, the Regulations do not apply to the following instances (though the Law does):

  • the processing of information of legal entities (such as corporations); and 
  • the data of individuals in their professional or business capacity.

2.2. Territorial scope

The Regulations establish the territorial scope of application by stating that they apply to all processing of personal data that:

  • is carried out in a data controller's establishment located in Mexico;
  • is carried out by a data processor, regardless of location, on behalf of a data controller established in Mexico;
  • is carried out when the data controller is not established in Mexico, but is subject to Mexican laws under a contractual agreement or due to international law; and
  • is carried out by a data controller that is not established in Mexico but uses means located in Mexico, unless such means are used only for transit purposes.

2.3. Material scope

The Law and its Regulations apply to the processing of personal data found on physical or electronic media that make access to personal data possible according to specific criteria, regardless of the form or method of its creation, type of media, processing, storage, or organisation.

However, the Regulations do not apply to the following instances (though the Law does):

  • the data of individuals acting in a representative capacity, when such information consists only of their names, positions, or activities within a company and other employment information (such as address, email, telephone, or fax numbers, if this information is being processed only for the purposes of representing the employer or a contractor).

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The authority in charge of enforcing the Law, the Regulations, and the Guidelines in Mexico is the INAI.

3.2. Main powers, duties and responsibilities

The INAI is an autonomous body responsible for promoting the rights to access public information and data protection within governmental agencies and private parties. The INAI is committed to working with other federal, state, and municipal authorities to promote data protection in different industries and sectors, such as the financial, educational, and health sectors.

The INAI oversees and verifies compliance with the Law, the Regulations, and the Guidelines and also has powers to, among other things, interpret the law, provide technical support to data controllers for the fulfilment of their obligations, issue opinions and recommendations, disseminate international best practices, hear complaints, issue decisions, impose penalties, and cooperate with other domestic and international bodies and supervisory authorities.

4. Key Definitions

Data controller: The 'responsible party' is defined as the natural or legal private person that decides on the processing of personal data (Article 3, XIV, of the Law).

Data processor: The 'person in charge' is the individual or legal entity that, alone or jointly with others, processes personal data on behalf of the data controller (Article 3, IX, of the Law).

Personal data: Information concerning an identified or identifiable natural person (Article 3, V, of the Law).

Sensitive data: Personal data that affects the most intimate areas of a data subject's life, or information that could lead to discrimination, or entail a serious risk for a data subject if misused. In particular, data that may reveal personal aspects such as racial or ethnic origin, current or future state of health, genetic information, religious, philosophical or moral beliefs, labour union membership, political opinions, and/or sexual orientation (Article 3, VI, of the Law).

Health data: Health data is not defined under Mexican legislation; please see the definition of sensitive data above.

Biometric data: Physical, physiological, behavioural, or personality-related characteristics, attributable to a single person and which are measurable (the Guidelines).

Pseudonymisation: Pseudonymisation is not defined under Mexican legislation; however, 'dissociation' is defined as the process through which personal data cannot be associated with the data subject nor allow, by way of its structure, content, or degree of disaggregation, identification of the data subject (Article 3, VIII, of the Law).

5. Legal Bases

5.1. Consent

As a general rule, data controllers must obtain consent from data subjects in order to process their personal data. Consent must be explicit when processing financial or economic data (verbal and written communication is sufficient to constitute explicit consent, as are communications by electronic or optical means or via any other technology or by unmistakeable indications); explicit and written for the processing of sensitive personal data, and implicit for all other categories of personal data (this may be obtained through the data subject's signature, electronic signature, or any authentication mechanism established for such purpose). The data controller will always be responsible for producing evidence showing that the required consent was obtained.

This means that any processing of personal data requires the data subject's consent, unless such processing falls under one of the exceptions specifically established in the Law. Thus, the consent of the data subject will not be required, for example:

  • when the data processing is provided for in a law;
  • where the personal data is contained in publicly available sources;
  • where the personal data is anonymised (that is, subject to a procedure by means of which personal data may not be associated with the data subject or allow the data subject's identification, due to its structure, content, or degree of disaggregation);
  • where the personal data is processed for the purpose of fulfilling obligations under a legal relationship between the data subject and the data controller (e.g. employee legal relationship);
  • where the data processing is required in any emergency that could potentially result in personal injury or property damage;
  • where data processing is essential for medical attention, prevention, diagnosis, healthcare delivery, medical treatment, or health services management, where the data subject is unable to give consent in the terms established by the General Health Law (only available in Spanish here) and other applicable laws, and said processing of data is carried out by a person subject to a duty of professional secrecy or an equivalent obligation; and
  • where the personal data must be disclosed pursuant to a court order or the resolution of a competent authority.

5.2. Contract with the data subject

Please see section on consent above.

5.3. Legal obligations

Please see section on consent above.

5.4. Interests of the data subject

Please see section on consent above.

5.5. Public interest

Please see section on consent above.

In addition, the data controller will not be obligated to cancel personal data when it is necessary to carry out an action in the public interest.

5.6. Legitimate interests of the data controller

Not applicable.

5.7. Legal bases in other instances

Not applicable.

6. Principles

The processing of personal data must be carried out in accordance with the general data protection principles of:

  • legality;
  • consent;
  • information;
  • data quality;
  • purpose specification;
  • loyalty;
  • proportionality; and
  • accountability.

7. Controller and Processor Obligations

Data controller 

The data controller must adopt and maintain physical, technical, and administrative security measures that have been designed to protect personal data from damage, loss, alteration, destruction, or unauthorised use, access, or processing. Data controllers must adopt security measures that are at least equivalent to those adopted in the handling of their own information. In adopting such security measures, the data controller must take into account the risks involved, any potential consequences to the data subjects if there is a security breach, the nature of the data, and technological developments.

Data processor

A data processor in Mexico has the following obligations:

  • to process personal data in accordance with the data controller's instructions;
  • to refrain from processing personal data for purposes other than those permitted by the data controller;
  • to implement appropriate security measures to protect personal data;
  • to keep confidentiality in respect of the personal data processed;
  • to delete personal data upon the request of the data controller or when the relationship with the data controller is terminated; and
  • to refrain from transferring personal data unless the data controller has determined otherwise, the communication arises from a subcontract, or due to a requirement from a competent authority.

A data processor will be considered to be a data controller, when:

  • it processes personal data for purposes other than those requested or authorised by the data controller; or
  • it transfers personal data in violation of the instructions of the data controller.

7.1. Data processing notification

There are no requirements to notify or register with INAI.

7.2. Data transfers

According to the Law, the Regulations, and the Guidelines, where the data controller intends to transfer personal data to domestic or foreign third parties, other than to the data processor, it must provide them with its privacy notice and the processing purposes the data subject consented to.

To legally transfer personal data, data transfer agreements must be signed. In addition, all data transfers to third parties that are not processors must be disclosed in the privacy notice and consented to by data subjects (unless one of the exceptions to the obligation to obtain consent for the transfer applies).

Domestic or international transfers of data may be carried out without the consent of the data subject where the transfer is necessary or legally required to safeguard public interest or for the administration of justice.

There is no distinction made between countries that provide an adequate level of data protection and those that do not provide such a level of protection, meaning that personal data may be transferred internationally regardless of the country where the transferee is located.

For transferring personal data to data processors, consent from data subjects is not required and it is not necessary to provide information about these transfers in the privacy notice. A data processing agreement should be executed (or data protection clauses included in an agreement with the data processor).

7.3. Data processing records

In the private sector there is no obligation to maintain data processing records.

7.4. Data protection impact assessment

In the private sector there is no obligation to conduct Data Protection Impact Assessments.

7.5. Data protection officer appointment

It is compulsory for a controller to appoint a specific person or department for data protection.

This person or department will be in charge of, among other obligations, promoting the protection of personal data within the organisation, verifying compliance with the Law, the Regulations, and the Guidelines, and responding to data subjects' requests when they exercise their rights. There is no specific appointment criterion for the position. In Mexico, it is common for the head of the HR department to oversee data protection.

7.6. Data breach notification

Data controllers must immediately inform data subjects about security breaches occurring at any stage of the processing that can materially affect their moral or property rights, so data subjects can take the appropriate actions to protect their rights. Data controllers must also implement corrective actions and make an exhaustive review of the scale of the breach, without delay.

The minimum information that must be provided to the data subject is the following:

  • the nature of the incident;
  • the personal data being compromised;
  • recommendations about the measures that he/she can take in order to protect their interests;
  • the remedial actions taken immediately; and
  • the means where he/she can find more information.

7.7. Data retention

Personal data may be processed for as long as necessary to fulfil the purposes of the processing as specified in the privacy notice and for a period equal to the statute of limitations of the actions that could arise as a result of, or in connection with, the data processing.

7.8. Children's data

Not applicable.

7.9. Special categories of personal data

Sensitive personal data is subject to the following special requirements:

  • the processing of sensitive personal data is subject to the explicit written consent of the data subject (unless an exception established in the Law applies);
  • databases containing sensitive data may only be created for purposes that are legitimate, concrete, and consistent with the explicit objectives or activities pursued by controllers; and
  • the processing period should be limited to the minimum required.

7.10. Controller and processor contracts

The Law states that any data transfer, including transfers between data controllers and processors, shall be supported by a written document or agreement. According to the Law, the Regulations, and the Guidelines, the agreement executed between the controller and the processor must include the scope of the processing, meaning that, for example, the purpose of the processing and the personal data to be processed should be included. Additionally, it must be clear whether sub-contracting is allowed or not.

It is also common to include provisions regarding the security measures that the processor shall establish and maintain, as well as provisions regarding audits that may be carried out by the controller to make sure the processor is processing the data in accordance with its instructions.

According to the Law, the data controller will be responsible for the processing of personal data carried out by the data processor, unless the data processor fails to follow the data controller's instructions. For transferring personal data to data processors, consent from data subjects is not required and it is not necessary to provide information about these transfers in the privacy notice.


Sub-contracting is allowed, as long as the data controller approves it. It is common for provisions in this regard to be included in the data transfer agreement executed between the controller and the processor.

The data processing to be carried out by the sub-contracted party should be as instructed by the data controller or data processor. The Law states that any sub-contracting agreement shall appear in writing, defining its scope and content.

The sub-contracted party shall observe the same obligations stated in the Law, the Regulations, and the Guidelines for the data processor.

8. Data Subject Rights

Data controllers need to establish easily accessible means for data subjects to exercise their rights of access, rectification, cancellation, and objection ('ARCO rights'), as well as to limit the use and disclosure of personal data and to ensure data subjects' right to revoke consent.

In addition, the principles and rights under the Law are limited in their observance and exercise when the protection of national security, public order, health and safety, or the rights of third parties are at stake.

Responding to requests 

Data controllers, having received a request from data subjects, must notify the data subject of any decision reached regarding their request. This notification must occur within a maximum of 20 business days following the receipt of the request. The data controller then has 15 additional business days to comply with the accepted request.

Where the data subject has not received a response from the data controller, or where a response is received but is unclear or incomplete, or even where the data subject is not satisfied with the information provided by the data controller, they may file a complaint before the INAI.

8.1. Right to be informed

Data controllers must inform data subjects, prior to collecting their personal data, of the characteristics of the processing. The document must include, at a minimum, the following information:

  • the identity and address of the data controller;
  • the purposes of the processing;
  • the options and means offered by the data controller to the data subject to limit the use or disclosure of his/her data;
  • the means for exercising ARCO rights;
  • the means for exercising the right to revoke consent to the processing;
  • the transfers of data that the data controller intends to make, if any; and
  • the procedure and means by which the data controller will notify the data subject of any changes to the privacy notice.

8.2. Right to access

Data subjects have the right to request access to their personal data from data controllers.

8.3. Right to rectification

Data subjects have the right to request that their personal data be rectified where it is either out of date or inaccurate.

8.4. Right to erasure

Data subjects have the right to request the deletion of personal data where the purposes of the processing have been fulfilled.

8.5. Right to object/opt-out

Data subjects have the right to object, on legitimate grounds, to the processing of their personal data.

8.6. Right to data portability

Not applicable.

8.7. Right not to be subject to automated decision-making

Not applicable.

8.8. Other rights

Data subjects have the following rights:

  • to limit the use and disclosure of their personal data; and
  • to revoke their consent.

9. Penalties

Violations are punishable by the INAI as follows:

  • a warning instructing the data controller to take the actions requested by the data subject;
  • a fine ranging from 100 to 320,000 units called UMA (currently one UMA is equivalent to MXN 89.62 (approx. €3.83)); and
  • if infringements were committed while processing sensitive personal data and in case of recidivism, penalties may double.

In addition, a prison sentence may be imposed on anyone who unlawfully breaches security measures or facilitates a data breach in a database under their custody or who unlawfully profits from processing personal data by deceitfully taking advantage of any error of the data subject.

9.1. Enforcement decisions

The INAI imposed a fine of MXN 32 million (approx. €1.4 million) for not complying, among other things, with the principles of information and consent during the processing of sensitive data. This is one of the most relevant precedents due to the high amount of the fine.