17 min read

Writen by Tiana Dermendjieva

Posted on: November 7, 2023

Data Protection Regulations in Mexico: an Overview

When explored in its entirety, data protection extends much further than the GDPR. Follow along as our compliance specialist, Tiana Dermedjieva explores the complicated regulatory framework in Mexico.

Federal Data Protection Law Mexico

The Federal Law on the Protection of Personal Data held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) (“the Law”) entered into force on July 6, 2010.

The laws apply to:

◦ Data controllers in Mexico

◦ Data processors acting on behalf of Mexican controllers

◦ Foreign controllers subject to Mexican law via agreements or conventions

◦ Data processing in Mexico for non-Mexican controllers, excluding transit-only activities

The law doesn’t apply to:

◦ Government entities

◦ Credit reporting companies under specific laws

◦ Personal data for personal, non-commercial use

◦ Business-to-business data under specific conditions

INAI Guidelines

The National Institute for Transparency, Access to Information and Personal Data Protection (INAI) has issued additional guidelines, such as:
◦ Privacy Notice Guidelines
◦ Data Security Recommendations
◦ Self-Regulation Parameters
◦ Guidelines for Data Protection Officers
◦ Guidelines for Secure Data Deletion
◦ Cloud computing and Biometric Data Processing criteria

National Data Protection Authority & Registration

The National Institute of Transparency for Access to Information and Personal Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales) (INAI) and the Ministry of Economy (Secretaría de Economía) serve as Mexico’s data protection authorities.

Mexican law does not require registration with a data protection authority or other regulator in relation to the use of personal data.

Data Protection Officers

All data controllers are required to designate a personal data officer or department (each, a Data Protection Officer) to handle requests from data subjects exercising their ARCO Rights (as defined in ‘Collection and Processing’) under the Law. Data Protection Officers are also responsible for overseeing and advising on the protection of personal data within their organizations.

Privacy Notice Requirements

Types of Privacy Notices:
Comprehensive: Required when data is collected in person.
Simplified: For direct online or phone interactions.
Short Form: When space is limited, e.g., ATMs or SMS.

Comprehensive Privacy Notice Must Include:
Data controller identity and addressData types being processed
Purpose of data processingOptions for limiting data use
Method to revoke consentARCO rights procedure
Data transfer types, if applicableNotification process for changes
Simplified Privacy Notice Must Include:
Data controller identity and addressPurpose of data processing
Options for limiting data useAccess to comprehensive notice
Short Form Privacy Notice Must Include:
Data controller identity and address
Purpose of data processing
Options for limiting data use
Additional RequirementsExceptions
Language must be clear and comprehensible. (Spanish)Not required if data is for historical, statistical, or scientific purposes.
Data controllers must prove that notices were provided before data processing.Not required for data not covered by Mexican Privacy Laws.
The privacy notice serves as the legal basis for processing personal data and must be tailored to different data subject categories like employees and customers.

Consent Types for Data Processing
Implicit Consent:

Default for most data unless otherwise specified. Obtained when the data subject is informed via a privacy notice and does not object.

Express Consent:

Required for financial or asset data. Can be verbal, written, or through unmistakable indication.

Express Written Consent:

Required for sensitive personal data. Can be via written or electronic signature.

When Consent is Not Required  
(Consent isn’t required, but a privacy notice must still be available) in the following cases:
Legally mandated by Mexican law
Data is public
Data is anonymized
Legal obligations between data subject and controller
Emergency situations
Essential for medical reasons
Authorised by competent authority
Data Transfer Guidelines

When it comes to data, it’s essential to distinguish between transfers and transmissions. A transfer involves sending data to a third party, one that isn’t a processor. On the other hand, a transmission specifically refers to sending data to a processor. So, in essence, transfers involve a broader spectrum of recipients, while transmissions are more focused on interactions with processors.

When engaging in data transfers, a set of crucial rules must be adhered to ensure transparency and privacy compliance:
Must share privacy notice and data limitations with third parties.
Must inform data subjects about: who receives the data, purpose of the transfer, how to refuse consent if required

Third parties assume the same obligations as the original data controller.

When Consent is Not Required for Transfers
Required by law or treaty
Medical necessity
Sent within affiliated companies
Contractual requirement
Public interest or justice
Legal proceedings
Existing legal relationship

Data processors play a pivotal role in ensuring the responsible handling of information, and adherence to specific rules is paramount in this regard. Foremost, processors must diligently follow the instructions provided by the data controller, the utilization of data should strictly adhere to the purposes outlined in these instructions, implementing robust security measures is a non-negotiable aspect, safeguarding the integrity and confidentiality of the entrusted information. Upholding confidentiality extends beyond security measures, encompassing a commitment to maintaining the privacy of the data. Timely deletion of data, in accordance with prescribed timelines, is another vital responsibility. Importantly, data processors should refrain from transferring data unless expressly instructed to do so, ensuring a controlled and purposeful flow of information.

Data Security Guidelines

Controllers must implement physical, technical, and administrative measures to safeguard data from unauthorized access, loss, or damage. These measures should be at least as strong as those applied to their own information, forming a comprehensive defense against potential threats.

Factors for Security Measures

Consider risk level, consequences for data subjects, data sensitivity, and technological advancements.

Personnel Training

Train staff on proper data handling per Mexican Privacy Laws.

Key Procedures & Documentation:
Keep an updated inventory of personal data and processing systemsDefine duties for those processing data
Conduct risk analyses to identify and estimate threatsImplement and verify security measures
Continually assess and improve securityCreate a plan for addressing security breaches
Perform regular security auditsMaintain records of data storage means
Breach Notification Guidelines

A breach, in this context, encompasses unauthorized incidents such as loss, theft, copying, use, access, damage, or alteration of personal data.

In the event of a data breach, timely and transparent communication is crucial. Controllers should promptly notify data subjects if the breach materially impacts their property or moral rights.

Following a breach, it should be done a thorough analysis of the causes behind the breach and the subsequent implementation of corrective and preventive actions to mitigate the impact and prevent recurrence.

The notification to affected data subjects must include essential information to ensure transparency and guide them through the aftermath. Controllers should communicate the nature of the breach, specifying the unauthorized incident and detailing the compromised data. Equally important is outlining protective measures for data subjects, empowering them with information on how to safeguard their interests. Additionally, the notification should articulate the immediate corrective actions undertaken by the controller to address the breach. Timeliness is of the essence, as controllers are obligated to inform affected data subjects promptly upon confirming the occurrence of a breach.

Enforcement Guidelines
How to Enforce Rights

Data subjects can enforce ARCO Rights through INAI and the courts if the controller doesn’t respond. Regarding this, INAI can inspect facilities to check law compliance and take appropriate actions in the event of non-compliance.


Monetary fines range from 100 to 320,000 times the Mexico City minimum wage; doubled for sensitive data violations.

3 months to 3 years imprisonment for security breaches; doubled for sensitive data.

6 months to 5 years imprisonment for deceitful data processing; doubled for sensitive data.

Some factors for sanctions may be: the nature of the data, intentionality of the action, economic capacity of controller, recidivism.

Mexico’s Data Protection Law vs. EU GDPR
Accountability: Both Mexico and the EU emphasize the data controller’s responsibility to demonstrate compliance.
Data Protection Impact Assessment: While not explicitly called DPIAs in Mexico, similar risk assessment procedures are required.
Security Measures: Both require technical and organizational measures to protect personal data.
Self-Regulation and Certification: Both have mechanisms, but GDPR places a greater emphasis on codes of conduct.
Legitimate Interest: GDPR includes this as a condition for data processing; Mexican law does not.

Something additional to all this may be that:

Mexican companies dealing with EU data subjects must also comply with GDPR.

Tacit consent is valid in Mexico for non-sensitive data.

Staying informed and continually updating our understanding of data protection is crucial. While GDPR represents a significant aspect, it’s essential not to overlook the myriad of data protection laws worldwide.
For more information, please contact us at [email protected].

Contact Us

Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or Regulator request and need help then please contact us anytime. We are always happy to help...
GDPR Local team.

Contact Us

Recent blogs

ISO 27001 Controls: A Comprehensive Step-by-Step Guide

Organisations in today's world filled with technology require a good information security setup and

Comparing Information Security Frameworks and Data Protection Frameworks

With cyber threats evolving at an unprecedented rate and regulations tightening globally, understan

EU AI Act Summary: Key Compliance Insights for Businesses

The EU AI Act is a pioneering attempt to regulate AI systems, striving for a balance between foster

Get Your Account Now

Setup in just a few minutes. Enter your company details and choose the services you need.

Create Account

Get In Touch

Not sure which option to choose? Call, email, chat to us

Contact Us

Stay Up-To-Date

Leave your details here and we’ll send you updates and information on all aspects of GDPR and EU Representative. We won’t bombard you with emails and you will be able to tell us to stop anytime.

Full Name is required!

Business Email is required!

Company is required!

Please accept the Terms and Conditions and Privacy Policy