EU - Mexico: GDPR v. Federal Law and Regulations

In this report, OneTrust DataGuidance provides a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and the Federal Law on the Protection of Personal Data Held by Private Parties 2010 (the Federal Law) and the Regulations to the Federal Law on the Protection of Personal Data Held by Private Parties 2011 (the Regulations).

The report examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of the Federal Law and the Regulations with the GDPR.

You can access the latest version of the report here.

What are the Federal Law and the Regulations?

The Federal Law and the Regulations establish the principles and minimum standards for processing personal data and form the basis of the regulatory framework for the protection of personal data in Mexico's private sector. There are also sector-specific laws in the financial services and health and pharmaceutical sectors. Notably, under the current legislative framework, there is no requirement to inform the National Institute for Access to Information and Protection of Personal Data (INAI) or any other state authority when a data breach occurs.

Key highlights

The Federal Law and the Regulations and the GDPR share some similarities, including:

  • both provide definitions of personal data and data processing;
  • both provide that data subjects may request the cancelation or erasure of their data; and
  • both provide that data protection authorities can issue monetary penalties.

However, despite their similarities, the Federal Law and the Regulations and the GDPR sometimes differ in their approach, for example:

  • unlike the GDPR, the Federal Law does not apply extraterritorially;
  • the Federal Law does not address anonymization and pseudonymization; and
  • unlike the GDPR, the Federal Law does not provide additional requirements for children's data.