
Mexico: An overview of Vendor Privacy Contracts


1. Governing Texts

1.1. Legislation

1.2. Regulatory authority guidance

The National Institute for Transparency, Access to Information and Personal Data Protection ('INAI') has issued the following guidances:

  • Suggested Minimum Criteria for Contracting Cloud Computing Services that Involve the Processing of Personal Data (only available in Spanish here);
  • Recommendations for the designation of the person or department responsible for data protection (August 2016) (only available in Spanish here) ('the Recommendations');
  • Guide to comply with the principles and duties of the Federal Law on Protection of Personal Data Held by Private Parties (only available in Spanish here); and
  • Guide to guide the proper processing of personal data in extrajudicial collection activity (only available in Spanish here).

1.3. Regulatory authority templates

The INAI has not issued any vendor templates.

2. Definitions

Data controller: The individual or private legal entity that decides on the processing of personal data (Article 3(XIV) of the Law).

Data processor: The individual or legal entity that, alone or jointly with others, processes personal data on behalf of the data controller (Article 3(IX) of the Law). The data processor is the individual or corporate body, public or private, not a part of the organisation of the data controller, that alone or together with others, processes personal data on behalf of a data controller as a result of a legal relationship linking the same and setting out the scope of service to be provided (Article 49 of the Regulation).

Data transmission: Any communication of personal data between a data controller and a data processor, within or outside Mexican territory (Article 2(IX) of the Regulation).

3. Contractual Requirements

3.1. Are there requirements for a contract to be in place between a controller and processor?

Article 51 of the Regulation stipulates that the relationship between the data controller and data processor must be established by contract or other legal instrument decided upon by the data controller that permits its existence, scope, and contents to be proven.

Furthermore, the data processor is under an obligation to process personal data only in accordance with the instructions of the data controller, and only for the purpose for which it has been instructed by the data controller (Article 50(I) and (II) of the Regulation).

In addition, there are specific requirements in relation to contracts involving cloud computing services. Article 52 of the Regulation stipulates that, for the processing of personal data in services, applications, and infrastructure in cloud computing to which the data controller adheres by general contractual conditions or clauses, such services may only be used when the provider:

  • complies at least with the following:
    • has and uses policies to protect personal data similar to the applicable principles and duties set out in the Law and the Regulation;
    • makes transparent subcontracting that involves information about the service which is provided;
  • abstains from including conditions in the provision of the service that authorise or permit it to assume ownership of the information about which the service is provided;
    • maintains confidentiality with respect to the personal data for which it provides the service; and
  • has mechanisms at least for:
    • disclosing changes in its privacy policies or conditions of the service it provides;
    • permitting the data controller to limit the type of processing of personal data for which it provides the service;
    • establishing and maintaining adequate security measures to protect the personal data for which it provides the service;
    • ensuring the suppression of personal data once the service has been provided to the data controller and that the latter may recover it; and
    • impeding access to personal data by persons who do not have proper access privileges, or, in the event of a request duly made by a competent authority, informing the data controller of that fact.

Article 52 of the Regulation further clarifies that, for purposes of the Regulation, cloud computing means the model for the external provision of computer services on demand that involves the supply of infrastructure, platform, or software distributed in a flexible manner using virtual procedures on resources dynamically shared. Regulatory agencies, within the scope of their authority, and assisting the INAI, shall issue guidelines for the proper processing of personal data in what is called 'cloud computing'.

3.2. What content should be included?

Article 50 of the Regulation provides that the agreements between the data controller and data processor related to the processing of personal data must be in accordance with the corresponding privacy notice.

The privacy notice must be provided to data subjects in printed, digital, visual or audio formats, or any other technology (Article 17 of the Law). According to Article 16 of the Law, the privacy notice must contain:

  • the identity and domicile of the data controller collecting the data;
  • the purposes of the data processing;
  • the options and means offered by the data controller to data subjects to limit the use or disclosure of their data;
  • the means for exercising rights of access, rectification, cancellation or objection in accordance with the provisions of the Law;
  • where appropriate, the types of data transfers to be made;
  • the procedure and means by which the data controller will notify the data subjects of changes to the privacy notice; and
  • identification of any sensitive personal data that will be processed.

4. Data Subject Rights Handling & Assistance

4.1. Are processors required to assist controllers with handling of data subject requests?

It is the data controller's obligation to handle data subject requests. In more general terms, Article 50(IV) of the Regulation establishes that data processors must maintain confidentiality regarding the personal data subject to processing.

For further information see Mexico – Data Subject Rights.

5. Processor Recordkeeping

5.1. Are processors required to keep records of their processing activities?

Article 50(III) of the Regulation states that data processors have an obligation with respect to the processing carried out on behalf of the data controller to implement the security measures required by the Law, the Regulation, and other applicable laws and regulations. Under Article 61 of the Regulation, the security measures required to be undertaken by data controllers include:

  • prepare an inventory of personal data and processing systems;
  • determine the duties and obligations of those who process personal data;
  • have a risk analysis of personal data consisting of identifying dangers and estimating the risks to the personal data;
  • establish the security measures applicable to personal data and identify those implemented effectively;
  • analyse the gap between existing security measures and those missing that are necessary for the protection of personal data;
  • prepare a work plan for the implementation of the missing security measures arising from the gap analysis;
  • carry out reviews and audits;
  • train personnel who process personal data; and
  • keep a record of personal data storage media.

Furthermore, Article 61 of the Regulation states that the data controller shall prepare a document that sets out security measures arising from the previous paragraphs. According to Article 62 of the Regulation, this document must also be updated under certain circumstances.

6. Security Measures

6.1. Are processors required to implement specific security measures? If so, what measures must be implemented?

Article 21 of the Law states that a data controller or third parties involved in any stage of personal data processing must maintain confidentiality with respect to such data, and this obligation continues after the relationship with the data owner or, as the case may be, with the data controller comes to an end.

Also, Article 57 of the Regulation states that the data controller, and where applicable, the data processor, must establish and maintain administrative, physical, and if applicable technical, security measures for the protection of personal data pursuant to the Law, regardless of the processing system.

Moreover, Article 50(III) of the Regulation requires that, where a data processor carries out processing activities on behalf of the data controller, the data processor must implement the security measures required by the Law, the Regulation, and other applicable laws and regulations (see the section on Processor Recordkeeping above).

Furthermore, Article 4 of the Regulation stipulates that, when a data controller is not located in Mexico, but the data processor is, the latter shall be subject to the provisions related to the security measures contained in Chapter III of the Regulation.

For cloud computing contracts, Article 52(II)(c) and (e) of the Regulation stipulates that, for the processing of personal data in services, applications, and infrastructure to which the data controller adheres by general contractual conditions or clauses, such services may only be used when the service provider has mechanisms for:

  • establishing and maintaining adequate security measures to protect the personal data about which it provides the service; and
  • impeding access to personal data by persons who do not have proper access privileges, or, in the event of a request duly made by a competent authority, informing the data controller of that fact.

Furthermore, Article 52 of the Regulation specifies that, in any case, the data controller may not use services that do not ensure the proper protection of personal data.

7. Breach Notification

7.1. Are processors under an obligation to notify controllers in the event of a data breach? If so, are there timeframe and content requirements?

There is no explicit reference to a notification requirement for processors in the event of a data breach. However, as part of the processor's obligation under Article 50(IV), processors are obligated to maintain confidentiality regarding the personal data subject to processing. This obligation may be extended to a breach notification where necessary and in the performance of the data processing contract.

In addition, Article 4 of the Regulation provides that when the data controller is not located in Mexico, but the data processor is, the latter shall be subject to the provisions related to the security measures contained in Chapter III of the Regulation. Chapter III of the Regulation includes data breach related requirements, such as data breach notifications to data subjects.

For further information see Mexico – Data Breach.

8. Subprocessor

8.1. Are subprocessors regulated? If so, what obligations are imposed?

Article 54 of the Regulation provides that any subcontracting of services by the data processor that implies the processing of personal data must be authorised by the data controller and shall be made in the name and on behalf of the data controller. After obtaining authorisation, the data processor must formalise the relationship with the subcontractor by contract or other instrument that permits its existence, scope, and contents to be proven. The subcontracted individual or corporate body will assume the same obligations that are established for the data processor under the Law, the Regulation, and other applicable laws and regulations. The data processor shall bear the burden of proving that the subcontracting was done with the authorisation of the data controller.

When the contract or legal instruments that formalise the relationship between the data controller and the data processor contemplate that the latter may subcontract services, the authorisation referred to in Article 54 will be understood as given through the stipulations in those contracts or legal instruments.

Moreover, Article 55 of the Regulation states that if subcontracting is not contemplated in the contract or legal instruments to which the previous paragraph refers, the data processor must obtain authorisation from the data controller prior to subcontracting. In both cases, the provisions of Article 54 of the Regulation must be observed.

9. Cross-Border Transfers

9.1. Do transfer restrictions apply to processors? If so, what restrictions and what exemptions apply?

Article 50(IV) of the Regulation states that processors are prohibited from transferring personal data unless the data controller so determines, the communication arises from subcontracting or, if so required, by a competent authority.

In addition, Article 53 of the Regulation provides that national and international transmissions of personal data between a data controller and a data processor need not be informed to the data subject or their consent obtained. The data processor shall be considered as a data controller, together with its own obligations, when it:

  • uses the personal data for a purpose different from that authorised by the data controller; or
  • makes a transfer without complying with the instructions of the data controller.

The data processor will not be held responsible when, at the express indication of the data controller, it transmits the personal data to another data processor designated by the data controller, to which it had entrusted the performance of a service, or transfers the personal data to another data controller pursuant to the Regulation.

For further information see Mexico – Data Transfers.

10. Regulatory Assistance

10.1. Are processors required to assist controllers with regulatory investigations?

Processors are not under any explicitly established obligation to assist controllers with regulatory investigations. However, as noted in the section on Cross-border Transfers above, under Article 50(IV) of the Regulation, a competent authority may require a data processor to transfer personal data.

11. Processor DPO / Representative

11.1. Are processors required to appoint a DPO / representative?

Although processors are not under a legal obligation to appoint a data protection officer ('DPO') or representative, the INAI recommends the appointment of a DPO where appropriate, depending on the following factors highlighted on page 9 of the Recommendations:

  • the type and amount of personal data that it processes;
  • the nature and intensity of the treatment;
  • the potential number of requests from personal data holders that the organisation may receive; and
  • the value of the personal data for the organisation.

For further information see Mexico – Data Protection Officer Appointment.

12. Supervision & Monitoring

12.1. Are controllers obliged to supervise or monitor processors' compliance with the law and contract?

Article 6 of the Law states that data controllers must adhere to the principles of legality, consent, notice, quality, purpose, fidelity, proportionality, and accountability under the Law.

Furthermore, Article 14 of the Law provides that the data controller shall ensure compliance with the personal data protection principles established and shall adopt all necessary measures for their application. The foregoing will apply even when this data has been processed by a third party at the request of the data controller. The data controller must take all necessary and sufficient action to ensure that the privacy notice given to the data owner is respected at all times by it or by any other parties with which it has any legal relationship.

Article 47 of the Regulation states that, following the above requirements, data controllers have the obligation to protect and be responsible for the processing of personal data in their custody or possession, or that they have communicated to a data processor, whether the data is located in Mexico or not.

In addition, Article 48 of the Regulation provides that in exercising the principle of accountability, data controllers are required to adopt measures to guarantee the proper processing of personal data, giving priority to the interests of the data subject and the reasonable expectation of privacy. The measures that may be adopted by the data controller include, among others, the following:

  • establish an internal supervision and monitoring system, as well as external inspections or audits to verify compliance with privacy policies;
  • periodically review the security policies and programs to determine required modifications;
  • establish measures to protect personal data, in other words, a group of technical and administrative actions that will allow the data controller to ensure compliance with the principles and obligations established by the Law and the Regulation; or
  • establish measures to trace personal data, in other words, actions, measures, and technical procedures that will allow the tracing of personal data while being processed.


Authored by OneTrust DataGuidance
