
Mexico: Health and Pharma Overview


1. Governing Texts

Mexico's legal approach to the protection of personal data is not sector-specific. Instead, Mexico has a general data protection law that covers the processing of all personal data by private entities (public entities are subject to different laws). Therefore, private companies within the health and pharmaceuticals industry are subject to the provisions of the Federal Law on Protection of Personal Data Held by Private Entities 2010 ('the Law'), which is a comprehensive regulation similar in content, structure, and rationale to other privacy laws around the world.

The Law is applicable to any individual or entity that is legally domiciled in Mexico, has a local office or branch in Mexico, or whose managed databases are located in Mexico. However, the Law may also be applicable to data controllers not based in the Mexican territory if they use, for the processing of personal data, means located within the Mexican territory. In such a case, the implementing regulations on the Law (see the section on Legislation below) provide that the data controller, even if located abroad, must have in place the necessary mechanisms to comply with the Law.

In the processing of personal data, it should always be assumed that data subjects are entitled to a reasonable expectation of privacy. Data subjects' interests must always be prioritised, and it must be guaranteed that personal data is not collected or treated by misleading or fraudulent means.

1.1. Legislation

Key acts, regulations, and directives governing the health and pharmaceutical sector, and that are relevant to privacy and data protection are:

1.2. Supervisory authorities

The National Institute for Access to Information and Protection of Personal Data ('INAI') is the data protection authority in Mexico.

1.3. Guidelines

Guidelines, recommendations, best practices, or documents which facilitate the regulation of the health and pharmaceutical sector include:

  • relevant guidelines issued by INAI;
  • relevant decisions/case law issued by INAI;
  • privacy notice guidelines (only available in Spanish here) issued by INAI ('the Privacy Notice Guidelines');
  • suggested minimum criteria for hiring cloud computing services involving the processing of personal data;
  • recommendations for handling personal data security incidents;
  • the Guide on Biometric Data Processing issued by INAI (only available in Spanish here); and
  • NOM-004-SSA3-2012.

1.4. Definitions

Privacy notice: A document in physical, electronic, or any other format, generated by the data controller, which is made available to the data subject prior to the processing of their personal data.

Database: An ordered set of personal data concerning an identified or identifiable individual.

Consent: An expression of the will of the data subject by which data processing is authorised.

Personal data: Any information concerning an identified or identifiable individual.

Sensitive personal data: Personal data that touches upon the most private areas of a data subject's life or the misuse of which might lead to discrimination or give rise to a serious risk to the data subject. In particular, sensitive data concerns information that may reveal a person's racial or ethnic origin, present and future health status, genetic information, religious, philosophical, and moral beliefs, union membership, political views, or sexuality.

Biometric data: Physical, physiological, behavioral, or personality-related characteristics, attributable to a single person and which are measurable.

Dissociation: Process through which personal data cannot be associated with the data subject nor allow, by way of its structure, content or degree of disaggregation, identification of the data subject.

Data processor: An individual or legal entity that, alone or jointly with others, processes personal data on behalf of the data controller.

Publicly available source: Databases on which any person, without any requirement except, where appropriate, payment of a fee, can make queries.

Data controller: An individual or private legal entity that decides on the processing of personal data.

Data subject: An individual to whom personal data relates.

Processing: Retrieval, use, disclosure, or storage of personal data by any means. Use covers any action of access, management, exploitation, transfer, or disposal of personal data.

Transfer: Any data communication made to a person other than the data controller or data processor.

Identifiable individual: Any individual whose identity can be determined, directly or indirectly, by any information. An individual will not be deemed identifiable where a disproportionate amount of effort or time is required for their identification.

Transmission: Communication of personal data between a data controller and a data processor, within or outside Mexico.

2. Clinical Research and Clinical Trials

Previously, clinical trials in Mexico were governed by the independent regulations of each institution or establishment where research on human subjects was conducted, taking into consideration international practices on the subject. However, on 14 December 2011, the Ministry of Health issued the Decree for the Operation of Ethics Committees (only available in Spanish here) ('the Decree'), which established the regulatory framework, requirements for operation, and structure of the research ethics committee ('the Ethics Committee').

The Federal Commission for the Protection against Sanitary Risk ('COFEPRIS') is the authority in charge of regulating and overseeing clinical research and clinical trials in Mexico, along with the National Bioethics Commission ('CONBIOETICA'). Likewise, the regulation of clinical trials has also taken into consideration international guidelines and recommendations for clinical trials, including the Guidelines for Good Clinical Practice ('GCPs') issued by the International Conference on Harmonisation ('ICH'). Please note that COFEPRIS has started to perform inspections at institutions' sites in order to start implementing a certification system in accordance with the GCPs.

Every institution where a clinical investigation is carried out should have an Ethics Committee. Also, the Ethics Committees should have the prior authorisation of COFEPRIS and of CONBIOETICA.

Moreover, clinical trials are mainly governed under the following statutes and regulations:

  • General Health Law (only available in Spanish here) ('GHL');
  • Regulations of the GHL regarding Clinical Research (only available in Spanish here);
  • Official Mexican Standard NOM-012-SSA3-2012 establishing the Criteria for the Execution of Research Projects for Human Health (only available in Spanish here);
  • Guidelines for Good Clinical Practice published by COFEPRIS (only available in Spanish here) ('the Guidelines'); and
  • the Decree.

On a general basis, regulations provide that clinical trials shall be:

  • preceded and supported by pre-clinical data;
  • conducted in accordance with scientific and ethical principles;
  • performed with the informed consent of the participants;
  • executed under a research protocol;
  • overseen by a principal investigator;
  • performed in licensed health institutions; and
  • further to the relevant approvals of the corresponding health institution, the relevant Ethics Committee, and COFEPRIS.

Please note that Contract Research Organisations ('CROs') do not have a comprehensive regulation for their operation. The operation of CROs is based on the Guidelines; however, some initiatives are in the pipeline to address the lack of regulation.

The authorisation of a clinical trial of a drug or a medical device involves three main steps that should be strictly adhered to in the following order:

  1. The approval of the research protocol by the Ethics Committee of the corresponding health institution where the clinical study is carried out must first be secured. In accordance with the Decree, the favourable opinion of the research protocol must be issued by the Ethics Committee within a period not exceeding 30 days from the date of the request for review.
  2. The research protocol must be authorised by the director of the health institution where the clinical study is carried out. The authorisation will be carried out in accordance with the rules of each institution.
  3. The approval of the research protocol by COFEPRIS must be issued within a period not exceeding three months from the date of the request.

In connection with periodic reporting requirements, there are no specific binding provisions to disclose or publish clinical trial results. However, the recently amended Code of Integrity, Ethics and Transparency of the Pharmaceutical Industry 2021 (only available in Spanish here), issued by the Council for Ethics and Transparency of the Pharmaceutical Industry ('CETIFARMA'), contains an obligation for sponsors to report the results of trials, especially when adverse events arise.

Notwithstanding the above, after the research protocols have been authorised by COFEPRIS, most trials are recorded in the National Registry of Clinical Trials ('RNEC') through the collection of data by COFEPRIS, with the collaboration of the entities responsible for conducting the clinical trials (e.g. the sponsor, CRO, or health institution). Information contained in the RNEC is disclosed on a general basis, and confidential information, such as health and sensitive information about patients, is not included.

2.1. Data collection and retention

Different types of data are collected through clinical research and clinical trials. The data that is collected may be broken down into two categories:

  • personal data; and/or
  • dissociated or aggregated data.

While personal data is any information concerning an identified or identifiable individual, dissociated and aggregated data is data, whether originally personal data or not, that cannot be associated with an identified or identifiable individual. Therefore, dissociated and aggregated data may include both numerical and non-numerical information, as long as it cannot be traced back to a single individual, such as the summarisation of participant data for analysis or the compilation of patient data to determine trends.

Likewise, the personal data that is collected as a result of clinical research and clinical trials is likely to fall within two different categories:

  • personal data in general; and
  • sensitive personal data.

Sensitive data includes not only standard categories of sensitive information (e.g. racial or ethnic origin, religious beliefs, sexual preference, health or genetic information, etc.) but other data which may involve deeply intimate information, which, if wrongly used, may place the data subject in a dangerous situation or in a position of being subject to discrimination. Due to its nature, sensitive personal data is subject to stricter rules and higher fines when the breach relates to such data.

The nature of the data determines the applicable law. While the Law regulates the processing of personal data, the processing of dissociated and aggregated data is not regulated under one single law, but through different laws, including the GHL, Industrial Property Law, and the Commercial Code (only available in Spanish here), etc.

Within the concept of processing, the Law includes the collection, use (i.e. access, handling, profiting, transferring, and disposal), disclosure, and storage of personal data, and generally the data subject's prior consent is required for the processing. By contrast, prior consent is not necessary for the processing of dissociated or aggregated data. However, its use may be subject to other types of restrictions, such as its owner's permission (authorisation or licence) or general contractual prohibitions, including non-disclosure agreements or other commercial terms like trade or industrial secrets.

Where personal data is to be collected, the data controller is required to provide data subjects with clear and precise information about the processing of their personal information. This information must be provided prior to the processing of the personal data and is usually delivered to the data subject through a privacy notice.

The nature of the data also determines the applicable retention rules. In general, data may be retained as long as there is an obligation to maintain such data, whether the obligation is legal or contractual. Unlike the situation in some other jurisdictions, there is no mandatory obligation to register databases with the Mexican authorities, whether they contain personal data or not.

All the requirements established by the Law for the processing of personal data apply to personal data held both in hard copy and electronically, and to both the manual and automated collection of the data.

2.2. Consent

Consent from the data subject is generally required before any processing of personal data takes place. However, the Law considers certain exceptions to the general rule, such as when:

  • the data is contained in publicly available sources;
  • the personal data is subject to a prior dissociation procedure; or
  • it has the purpose of fulfilling obligations under a legal relationship between the data subject and the data controller.

Consent can be express or implied, but the appropriate form of consent will depend on the circumstances, expectations of the data subject, and sensitivity of the personal data. When the data subject gives consent, it is understood to only cover the identified purpose. Further consent is necessary for purposes that have not been previously identified and consented to. In addition, consent by the data subject must always be voluntary, informed, explicit, and unambiguous. Where sensitive personal data is processed, express written consent is required prior to the processing of this type of data.

The Law does not consider any particular rules for obtaining consent from a minor (under 18 years old). However, the general rule, under civil law, is that minors are incapable of consent. Therefore, their parents or legal guardians need to provide consent on their behalf.

With regard to notice requirements, before the collection of personal data takes place, the data controller is required to deliver a privacy notice to the data subject. The Law, the Regulations, and the Privacy Notice Guidelines require that the privacy notice includes certain minimum mandatory informational elements which include, among others:

  • the data controller's identity;
  • the personal data being collected;
  • the processing purposes;
  • the third parties to which the organisation will disclose the personal data;
  • the rights of the data subject;
  • where the personal data is to be transferred;
  • how to contact the privacy officer or another person who is accountable for the organisation's policies and practices;
  • how to make an inquiry or file a complaint; and
  • how to access and/or correct personal data.

2.3. Data obtained from third parties

In general, there is no restriction on obtaining data from a third party. However, if the transferred data is personal data, the transferring entity must have obtained the consent of the data subject prior to the transfer of the personal data. As an exception to the general rule requiring the transferor of personal data to obtain consent, the Law provides an exception where the personal data is obtained from publicly available sources. On the other hand, the transfer of dissociated and aggregated data is not subject to legal restrictions; however, it may be subject to contractual restrictions on the transfer or use of such data. The most common contractual obligations on the use of third-party data come from licence agreements, which may contain confidentiality, incomplete, temporary, or territorial restrictions on the use of data.

3. Pharmacovigilance

Pursuant to Official Mexican Standard NOM-220-SSA1-2016 on the Establishment and Operation of Pharmacovigilance (only available in Spanish here), marketing authorisation holders, healthcare professionals (whether public or private), institutions or establishments where investigation is being conducted, and distributors and suppliers must inform the National Center of Pharmacovigilance ('CNFV') of any adverse event or reaction, using the current international systems for pharmacovigilance and in compliance with the applicable provisions on transparency and data protection. Regarding clinical trials, the obligation to report any adverse event falls on the sponsor or principal researcher. Likewise, patients can also report any adverse event directly to the CNFV.

To ensure proper transmission of notifications, each member of the pharmacovigilance system that receives a notification of an adverse event shall implement and maintain security procedures and measures in order to protect the confidential information of patients contained in the notifications, in accordance with the applicable provisions regarding transparency, access to information and protection of personal data. The CNFV shall keep a record of adverse events notifications for six years.

4. Biobanking

Biobanking is not properly regulated in Mexico. The existing provisions are scarce, dispersed, and inconsistent. The main provisions are found in the GHL and the Regulation on the GHL on the Sanitary Control of Human Organs, Tissue, and Bodies (only available in Spanish here) ('the Regulation on Human Tissue'), which were overhauled in 2014 and 2015.

Under the Regulation on Human Tissue, the following aspects are the most relevant for biobanks:

  • biobanks shall always work in coordination with a health services institution, be it public or private;
  • biobanks shall provide periodic reports to the sanitary authority;
  • the owner and the sanitary authority responsible for a biobank shall be jointly liable, with both civil and administrative liability, for the activities conducted therein; and
  • licences shall be valid for a period of two years, which may be renewed.

The collection of the biological sample is subject to prior informed consent, and its processing and storage require establishing standard operating procedures.

Unfortunately, health regulation does not properly address the dual nature of the biological sample and the information derived from that sample. Consequently, the resulting information is essentially regulated and protected only as health information, which is considered personal data.

5. Data Management

The data controller, as the entity responsible for the processing of personal data, has certain general obligations, including:

  • delivering a privacy notice compliant with the Law;
  • obtaining consent from the data subject when necessary;
  • maintaining administrative, technical, and physical measures in its organisation in order to protect personal data;
  • creating within their organisation a data protection function, either by appointing a chief privacy officer or by creating a data protection department; and
  • executing the necessary services agreements with specific mandatory clauses, data transfer agreements, data processing agreements, or internal intra-group privacy policies.

The data controller must limit its use of the personal data to only those activities which are necessary to fulfil the processing purposes described in the privacy notice.

While the Law does not consider any obligations in respect of disclosure of records to other medical professionals (e.g. an individual's GP) or to family members/representatives, a data controller may transfer personal data to such third parties, so long as it has obtained the data subject's prior consent. Where the transfer of data is essential for medical attention, prevention, diagnosis, the provision of healthcare, medical treatment, or health services management, or where the data owner is unable to give consent and the processing is carried out by a person subject to a duty of professional secrecy or an equivalent obligation, data subject consent is not necessary.

While the data controller may maintain databases which include personal data, for as long as it is necessary for its relationship with the data subject or to comply with its own legal obligations, it is prohibited to create databases that contain sensitive personal data if such databases are not required for legitimate and concrete purposes, consistent with the activities and/or processing purposes set out in the privacy notice.

6. Outsourcing

Companies in the health and pharmaceuticals industry that disclose personal data to a third party acting as a processor are required to use contractual or other means in order to define the scope of the processing and protect the personal data. Whatever means is chosen by the data controller and data processor, it needs to evidence the existence of the relationship, its scope, and its content. Nonetheless, such a transfer to a third-party processor does not need to be notified to the data subject, nor does it require the data subject's prior consent.

Processors may subcontract processing services with the authorisation of the data controller. The relationship between the processor and sub-processor must be formalised through the execution of a contract or other instrument describing the existence of the relationship, its scope, and the content. The subcontracted entity will need to assume the same obligations that are established for the data processor under the Law.

7. Data Transfers

The national and international transfer of personal data is allowed, so long as the privacy notice reveals that such a transfer will occur and its purpose. The rules that must be observed for transfers may vary depending on whether the transfers are made to:

  • data processors;
  • affiliates under the same corporate group; or
  • independent third parties.

Such rules would determine which type of evidence should be in place (e.g. services agreements with specific mandatory clauses, data transfer agreements, evidence of internal intra-group privacy policies, etc.).

The transfer of personal data does not require consent from the data subject in the following two scenarios:

  • if data is transferred to a data processor, contracted by the data controller; or
  • if data is transferred among entities that belong to the same corporate group, provided that such companies:
    • operate under the same internal privacy policies and practices;
    • have policies that are binding and enforceable; and
    • have policies and procedures that comply with the Law and its implementing Regulations.

8. Breach Notification

The definition of a data breach in Mexico may be broader than that in other countries. In Mexico a data breach may occur in the following scenarios:

  • loss or unauthorised destruction;
  • theft, loss, or unauthorised copying;
  • use or unauthorised access; or
  • damage, alteration, or unauthorised modification of any information concerning an identified or identifiable individual that materially affects their property or other rights.

In the event of a data breach where personal data from Mexican individuals is compromised, the data controller is required to comply with certain mandatory data breach notification requirements. The data controller must immediately inform the data subject of breaches that significantly prejudice the property or moral rights of the data subjects, upon confirming the breach and having taken action to trigger an exhaustive review of the magnitude of the breach so that the prejudiced data subjects may respond appropriately. Therefore, the obligation to notify a breach may depend on the nature and scope of the rights affected. In any case, it is important that the data controller:

  • assess the potential risk of harm to data subjects;
  • take steps to mitigate the harm to impacted data subjects;
  • take steps to contain the breach and to prevent future similar breaches; and
  • comply with data authority orders and court orders.

The minimum information that the data controller needs to provide about the breach is as follows:

  • information about the nature of the breach;
  • the personal data that was compromised;
  • recommendations that the data subject can adopt to protect their interests;
  • an explanation on the corrective actions that have been implemented; and
  • the channels available for the data subject to obtain more information.

An organisation that is involved in a data breach may be subject to an administrative fine, penalty, sanction, or civil actions and/or class actions.

9. Data Subject Rights

In accordance with the Constitution and the Law, all individuals are entitled to the following data protection-related rights:

  • access;
  • correction;
  • cancellation; and
  • opposition to further processing (collectively, 'the ARCO rights').

While not included within the ARCO rights, there is a further right of the data subject to revoke the consent previously granted. These rights are not merely commercial rights, but constitutional rights, and hence subject to strong legal protection.

In connection to these rights and in connection to the information requirement, the privacy notice that needs to be delivered to the data subject must describe the procedures or mechanisms available for the exercise of the ARCO rights. Such information needs to at least notify the data subject of the following:

  • the requirements or mechanisms for accreditation of the identity of the data subject or their legal representative;
  • the information or documentation that must be attached to the application;
  • a description of the corresponding deadlines;
  • the means through which the data controller will respond; and
  • the reference to any forms, systems, or other methods enabled by the data controller to facilitate the exercise of those rights.

It is important to be aware that the data controller has 20 days to inform the data subject of the intended resolution of an ARCO rights request. After that, the data controller will have a 15-day period to make such a resolution effective (e.g. to actually delete or rectify the data). If the data controller determines that the request for deletion or rectification shall not proceed, such a resolution should be notified to the data subject within the same timeframes.

10. Penalties

Lack of compliance with the requirements of the Law may trigger monetary penalties of up to USD 1.5 million (approx. €1,325,770); these penalties may double where sensitive data is involved.

Besides monetary penalties, the Law also considers criminal liability for the act of compromising the security measures of a database containing personal data with the intention to profit, which can be punished with up to three years of imprisonment and up to six years when the database contains sensitive personal data. Likewise, the act of collecting, using, disclosing, or storing personal data through deceit and with the intention to profit, is also considered a criminal offence punishable with up to five years of imprisonment, and up to ten years when sensitive personal data is involved.

INAI is entitled to carry out verification procedures on its own motion or further to a party's request. Before the issuance of an inspection order, INAI must adopt a resolution where the initiation of an inspection is approved. Such a resolution must include the scope and purpose of the investigation. The order must describe the purpose and scope of the investigation as well as the reference to penalties for obstruction.

11. Other Areas of Interest

NOM-004-SSA3-2012 expressly states that the patient has ownership rights with respect to the information provided, even when the document containing such information is the property of the institution or the medical service provider.

If the processing takes place on a cloud-based platform, certain additional requirements apply, since Mexican data controllers are prevented from contracting cloud service providers that fail to offer minimum warranties and conditions. Hence, health and pharmaceuticals entities shall ensure that these minimum terms are included in their agreements with cloud service providers, for their own benefit and safety.

In addition, an organisation that plans to engage in direct marketing activities with a data subject is required to obtain the latter's prior consent, which cannot be inferred from a data subject's failure to respond. Opt-out consent is permissible.


Dr. Christian Lopez-Silva Partner
Carlos Alberto Vela-Treviño Partner
David Campos Senior Associate
Daniel Villanueva Plasencia Associate
Baker McKenzie LLP, Mexico City