The Law, Mexico’s Data Protection in the Private Sector

Mexico’s Federal Law on the Protection of Personal Data held by Private Parties, also known as the Law for short, is a data protection law that was passed in Mexico in 2010. The Law was passed in accordance with the international trend of guaranteeing the data protection rights of citizens, as seen in laws such as the EU’s General Data Protection Regulation or GDPR and Australia’s Consumer Data Right or CDR. To this end, the Law outlines various obligations that data controllers must abide by when collecting, processing, or disclosing the personal data of data subjects, as well as the rights that said data subjects are entitled to under the law.

What is the scope and application of the Law?

In terms of the personal scope of the law, “all individuals and legal entities in the private sector that are involved in the processing of personal data are governed by the Law”. In terms of the territorial scope of the law, the Law applies to all personal data that:

What are the requirements of data controllers and processors under the Law?

Under the Law, data controllers and processors are responsible for adhering to a bevy of obligations pertaining to the protection of the personal data of Mexican citizens. These obligations include:

In addition to these responsibilities, data controllers are also required to appoint a specific person or department, also known as a data protection officer, for the purpose of overseeing the protection of data subjects’ data. Moreover, data controllers are responsible for providing data subjects with a data breach notification in the event that said data controllers experience a data breach. These data breach notifications must detail the nature of the incident that took place, the personal data that has been compromised, any recommendations concerning the measures or actions that affected data subjects can take in order to protect their interests, the remedial actions that the data controller took, and the means by which affected data subjects can find more information relating to the incident in question.

What are the rights of data subjects under the Law?

Compared to many other data privacy laws around the world, the Law does not offer as many rights to data subjects. To illustrate this, many international data privacy laws that have been passed recently provide data subjects with the right to data portability, as well as the right to not be subject to automatic decision making. While the Law does not offer these rights, data subjects are entitled to the following rights pertaining to the collection, processing, and disclosure of their personal data:

In terms of penalties that can be imposed upon data controllers who are found to be in non-compliance, Mexico’s National Institute for Transparency, Access to Information and Personal Data Protection, or the INAI for short, is responsible for enforcing the Law. In accordance with the Law, data controllers who are found to be in violation are subject to imprisonment, a monetary fine of up to MXN 32 million ($1,499,738), as well as a doubling of any of these penalties for data controllers who continue to violate the Law.

Mexico’s Federal Law on the Protection of Personal Data held by Private Parties is the foremost data protection law within the country as it relates to data protection in the private sector. In conjunction with the General Law on Protection of Personal Data Held by Mandated Parties, or the Public Sector Law for short, data subjects within Mexico can rest assured that their personal data, and in turn their privacy, is protected at all times in both the private and public sectors. As such, Mexico joins the ranks of the many countries around the world that have passed updated privacy legislation in the last decade.
