The Law, Mexico’s Data Protection in the Private Sector

Mexico’s Federal Law on the Protection of Personal Data held by Private Parties, also known as the Law for short, is a data protection law that was passed in Mexico in 2010. The Law was passed in accordance with the international trend of guaranteeing the data protection rights of citizens, as seen by laws such as the EU’s General Data Protection Regulation or GDPR and Australia’s Consumer Data Right or CDR. To this end, the Law outlines various obligations that Data controllers must abide by when collecting, processing, or disclosing the personal data of data subjects, as well as the rights that said data subjects are entitled to under the law.

What is the scope and application of the Law?

In terms of the personal scope of the law, “all individuals and legal entities in the private sector that are involved in the processing of personal data are governed by the Law”. In terms of the territorial scope of the law, the Law applies to all personal data that:

• Is carried out within a data controllers establishment in Mexico.
• Is carried out by a data processor, regardless of the physical location, on behalf of a data controller established in Mexico.
• Is carried out when a data controller is not established in Mexico, but is still subject to Mexican law by way of a contractual agreement or other international laws.
• Is carried out by a data controller that is not established in Mexico but uses means physically located within Mexico, unless these means are used strictly for transit purposes.

What are the requirements of data controllers and processors under the Law?

Under the Law, data controllers and processors are responsible for adhering to a bevy of obligations as it pertains to protecting the personal data of Mexican citizens. These obligations include:

• Data controllers- Under the Law, data controllers must both adopt and maintain administrative, technical, and physical security measures for the purposes of protecting personal data from loss, damage, destruction, and alteration, as well as unauthorized access, use, or processing. Data controllers are also responsible for ensuring that the security measures they adopt in relation to personal data is at least equivalent to measures that said data controllers use for protecting their own personal data. When adopting these security measures, data controllers must also account for any potential risks that may arise, as well as the nature of the data they collect, any applicable technological developments, and any potential consequences that data subjects may experience as a result of a data breach.
• Data processors- Under the Law, data processors are obliged to process personal data in accordance with the instructions that are given to them by data controllers, to refrain from processing personal data for any purpose other than those outlined by data controllers, to develop and implement security measures to safeguard personal data, to keep the confidentiality of all personal data that is processed, to delete personal data upon the request of a data controller, or when a relationship with a data controller has been terminated, and to refrain from transferring personal data to any third parties unless the applicable data controller has determined otherwise, communication is made based on a sub-contract, or is due to another requirement from a competent authority.

In addition to these responsibilities, data controllers are also required to appoint a specific person or department for the purpose of overseeing the protection of data subject’s data, also known as a data protection officer. Moreover, data controllers are responsible for providing data subjects with data breach notification in the event that said data controllers experience a data breach. These data breach notifications must detail the nature of the incident that took place, the personal data that has been compromised, any recommendations concerning the measures or actions that affected data subjects can take in order to protect their interests, the remedial actions that the data controller took, and the means by which affected data subjects can find more information relating to the incident in question.

What are the rights of data controllers under the Law?

Compared to many other data privacy laws around the world, the Law does not offer as many rights to data subjects. To illustrate this, many international data privacy laws that have been passed recently provide data subjects with the right to data portability, as well as the right to not be subject to automatic decision making. While the Law does not offer these rights, data subjects are entitled to the following rights as it pertains to the collection, processing, and disclosure of their personal data:

• The right to be informed– Data controllers must provide data subjects with written privacy notice prior to collecting their personal data. This written notice must detail the identity and address of the applicable data controller, the purposes for data processing, as well as the options and means offered by a given data controller as it relates to a data subject’s ability to limit the disclosure of their personal data, the means by which data subjects can exercise their right to access, rectification, cancellation, and objection, the means by which data subjects can exercise their right to revoke their consent to data processing, any transfers of personal data that a data controller intends to make, and the procedure and means by which a data controller will notify data subjects of any changes to their privacy notice.
• The right to access– Data subjects have the right to request access to their personal data from data controllers.
• The right to rectification– Data subjects have the right to request that their personal data be rectified if said personal data is found to be inaccurate or out of date.
• The right to erasure– Data subjects have the right to request that a data controller delete their personal data after the purposes for the processing of this data have been fulfilled.
• The right to object or opt-out– Data subjects have the right to object or opt-out of the processing of their personal data, permitted this request is made on legitimate grounds.

In terms of penalties that can be imposed upon data controllers who are found to be in non-compliance, Mexico’s National Institute for Transparency Access to Information and Personal Data Protection, or the INAI for short is responsible for enforcing the Law. In accordance with the Law, data controllers who are found to be in violation are subject to imprisonment, a monetary fine of up to MXN 32 million (,499,738), as well as a doubling of any of these penalties for data controllers who continue to violate the Law.

Mexico’s Federal Law on the Protection of Personal Data held by Private Parties is the foremost data protection law within the country as it relates to data protection in the private sector. In conjunction with the General Law on Protection of Personal Data Held by Mandated Parties or the Public Sector Law for short, data subjects within Mexico can rest assured that their personal data and in turn privacy is protected at all times in both the private and public sectors. As such, Mexico joins the ranks of the many countries around the world that have passed updated privacy legislation in the last decade.