Data Protection Regulations in Mexico: an Overview

Table of Contents

When explored in its entirety, data protection extends much further than the GDPR. Follow along as our compliance specialist, Tiana Dermedjieva explores the complicated regulatory framework in Mexico.

Federal Data Protection Law Mexico

The Federal Law on the Protection of Personal Data held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) (“the Law”) entered into force on July 6, 2010.

The laws apply to:

◦ Data controllers in Mexico

◦ Data processors acting on behalf of Mexican controllers

◦ Foreign controllers subject to Mexican law via agreements or conventions

◦ Data processing in Mexico for non-Mexican controllers, excluding transit-only activities

The law doesn’t apply to:

◦ Government entities

◦ Credit reporting companies under specific laws

◦ Personal data for personal, non-commercial use

◦ Business-to-business data under specific conditions

INAI Guidelines

The National Institute for Transparency, Access to Information and Personal Data Protection (INAI) has issued additional guidelines, such as:
◦ Privacy Notice Guidelines
◦ Data Security Recommendations
◦ Self-Regulation Parameters
◦ Guidelines for Data Protection Officers
◦ Guidelines for Secure Data Deletion
◦ Cloud computing and Biometric Data Processing criteria

National Data Protection Authority & Registration

The National Institute of Transparency for Access to Information and Personal Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales) (INAI) and the Ministry of Economy (Secretaría de Economía) serve as Mexico’s data protection authorities.

Mexican law does not require registration with a data protection authority or other regulator in relation to the use of personal data.

Data Protection Officers

All data controllers are required to designate a personal data officer or department (each, a Data Protection Officer) to handle requests from data subjects exercising their ARCO Rights (as defined in ‘Collection and Processing’) under the Law. Data Protection Officers are also responsible for overseeing and advising on the protection of personal data within their organizations.

Privacy Notice Requirements

Types of Privacy Notices:
◦ Comprehensive: Required when data is collected in person.
◦ Simplified: For direct online or phone interactions.
◦ Short Form: When space is limited, e.g., ATMs or SMS.

Comprehensive Privacy Notice Must Include:

Data controller identity and address	Data types being processed
Purpose of data processing	Options for limiting data use
Method to revoke consent	ARCO rights procedure
Data transfer types, if applicable	Notification process for changes

Simplified Privacy Notice Must Include:

Data controller identity and address	Purpose of data processing
Options for limiting data use	Access to comprehensive notice

Short Form Privacy Notice Must Include:

Data controller identity and address

Purpose of data processing

Options for limiting data use

Additional Requirements	Exceptions
Language must be clear and comprehensible. (Spanish)	Not required if data is for historical, statistical, or scientific purposes.
Data controllers must prove that notices were provided before data processing.	Not required for data not covered by Mexican Privacy Laws.

The privacy notice serves as the legal basis for processing personal data and must be tailored to different data subject categories like employees and customers.

Consent Types for Data Processing

Implicit Consent:

Default for most data unless otherwise specified. Obtained when the data subject is informed via a privacy notice and does not object.

Express Consent:

Required for financial or asset data. Can be verbal, written, or through unmistakable indication.

Express Written Consent:

Required for sensitive personal data. Can be via written or electronic signature.

When Consent is Not Required
(Consent isn’t required, but a privacy notice must still be available) in the following cases:

Legally mandated by Mexican law

Data is public

Data is anonymized

Legal obligations between data subject and controller

Emergency situations

Essential for medical reasons

Authorised by competent authority

Data Transfer Guidelines

When it comes to data, it’s essential to distinguish between transfers and transmissions. A transfer involves sending data to a third party, one that isn’t a processor. On the other hand, a transmission specifically refers to sending data to a processor. So, in essence, transfers involve a broader spectrum of recipients, while transmissions are more focused on interactions with processors.

When engaging in data transfers, a set of crucial rules must be adhered to ensure transparency and privacy compliance:
◦ Must share privacy notice and data limitations with third parties.
◦ Must inform data subjects about: who receives the data, purpose of the transfer, how to refuse consent if required

Third parties assume the same obligations as the original data controller.

When Consent is Not Required for Transfers

Required by law or treaty

Medical necessity

Sent within affiliated companies

Contractual requirement

Public interest or justice

Legal proceedings

Existing legal relationship

Data processors play a pivotal role in ensuring the responsible handling of information, and adherence to specific rules is paramount in this regard. Foremost, processors must diligently follow the instructions provided by the data controller, the utilization of data should strictly adhere to the purposes outlined in these instructions, implementing robust security measures is a non-negotiable aspect, safeguarding the integrity and confidentiality of the entrusted information. Upholding confidentiality extends beyond security measures, encompassing a commitment to maintaining the privacy of the data. Timely deletion of data, in accordance with prescribed timelines, is another vital responsibility. Importantly, data processors should refrain from transferring data unless expressly instructed to do so, ensuring a controlled and purposeful flow of information.

Data Security Guidelines

Controllers must implement physical, technical, and administrative measures to safeguard data from unauthorized access, loss, or damage. These measures should be at least as strong as those applied to their own information, forming a comprehensive defense against potential threats.

Factors for Security Measures

◦ Consider risk level, consequences for data subjects, data sensitivity, and technological advancements.

Personnel Training

◦ Train staff on proper data handling per Mexican Privacy Laws.

Key Procedures & Documentation:

Keep an updated inventory of personal data and processing systems	Define duties for those processing data
Conduct risk analyses to identify and estimate threats	Implement and verify security measures
Continually assess and improve security	Create a plan for addressing security breaches
Perform regular security audits	Maintain records of data storage means

Breach Notification Guidelines

A breach, in this context, encompasses unauthorized incidents such as loss, theft, copying, use, access, damage, or alteration of personal data.

In the event of a data breach, timely and transparent communication is crucial. Controllers should promptly notify data subjects if the breach materially impacts their property or moral rights.

Following a breach, it should be done a thorough analysis of the causes behind the breach and the subsequent implementation of corrective and preventive actions to mitigate the impact and prevent recurrence.

The notification to affected data subjects must include essential information to ensure transparency and guide them through the aftermath. Controllers should communicate the nature of the breach, specifying the unauthorized incident and detailing the compromised data. Equally important is outlining protective measures for data subjects, empowering them with information on how to safeguard their interests. Additionally, the notification should articulate the immediate corrective actions undertaken by the controller to address the breach. Timeliness is of the essence, as controllers are obligated to inform affected data subjects promptly upon confirming the occurrence of a breach.

Enforcement Guidelines

How to Enforce Rights

Data subjects can enforce ARCO Rights through INAI and the courts if the controller doesn’t respond. Regarding this, INAI can inspect facilities to check law compliance and take appropriate actions in the event of non-compliance.

Penalties

◦ Monetary fines range from 100 to 320,000 times the Mexico City minimum wage; doubled for sensitive data violations.

◦ 3 months to 3 years imprisonment for security breaches; doubled for sensitive data.

◦ 6 months to 5 years imprisonment for deceitful data processing; doubled for sensitive data.

Some factors for sanctions may be: the nature of the data, intentionality of the action, economic capacity of controller, recidivism.

Mexico’s Data Protection Law vs. EU GDPR

Similarities:

Accountability: Both Mexico and the EU emphasize the data controller’s responsibility to demonstrate compliance.

Data Protection Impact Assessment: While not explicitly called DPIAs in Mexico, similar risk assessment procedures are required.

Security Measures: Both require technical and organizational measures to protect personal data.

Differences

Self-Regulation and Certification: Both have mechanisms, but GDPR places a greater emphasis on codes of conduct.

Legitimate Interest: GDPR includes this as a condition for data processing; Mexican law does not.

Something additional to all this may be that:

◦ Mexican companies dealing with EU data subjects must also comply with GDPR.

◦ Tacit consent is valid in Mexico for non-sensitive data.

Staying informed and continually updating our understanding of data protection is crucial. While GDPR represents a significant aspect, it’s essential not to overlook the myriad of data protection laws worldwide.
For more information, please contact us at [email protected].