Data Protection in Mexico

Collection and processing in Mexico

Principles and obligations 

In processing personal data, data controllers must observe the principles of legality, information, consent, notice, quality, purpose, loyalty, proportionality and accountability.

Pursuant to these principles:

  • Personal data must be collected and processed fairly (and not through deceptive or fraudulent means) and lawfully.
  • Personal data must be collected for specified, explicit and legitimate purposes and not be further processed in a way incompatible with those purposes.
  • Consent must be obtained, unless an exception applies.
  • Processing of personal data must be adequate, relevant and not excessive in relation to the purposes for which it is collected or further processed.
  • Personal data must be accurate and, if necessary, updated; every reasonable step must be taken to ensure that data that is inaccurate or incomplete, having regard to the purposes for which it was collected or for which it is further processed, is erased or rectified, and
  • Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data was collected or for which it is further processed.
  • Data subjects are entitled to a reasonable expectation of privacy in the processing of their personal data. In addition, personal data must be processed as agreed upon by the parties (in a privacy notice or otherwise) and in compliance with the Law.
  • A privacy notice (Aviso de Privacidad) must be made available to data subjects prior to the processing of their personal data.

Required information for privacy notices

To legally process personal data, data controllers must provide a privacy notice (Aviso de Privacidad), which must be made available to a data subject prior to the processing of his or her personal data. The privacy notice may be provided to data subjects in printed, digital, visual or audio formats, or any other technology.

Controllers are required to notify data subjects of the main characteristics of the processing to which their personal data will be subject. This obligation is complied with through the privacy notice. Therefore, any data controller is required to prepare and make available to data subjects the relevant privacy notice(s) corresponding to their personal data. Controllers will have to make available distinct privacy notices for different categories of data subjects, such as personnel and customers.

The Guidelines permit the following three forms of privacy notice, depending on whether the personal data is obtained directly or indirectly from the data subject, and the context and space in which the personal data is collected:

  • Comprehensive privacy notice: required to be provided when the personal data is obtained in person from the data subject, for example, in a face-to-face interview.
  • Simplified privacy notice: required to be provided when the data is obtained directly from the data subject, for example, when registering for an account on a website or during a customer service call.
  • Short form privacy notice: may be provided when the space for the privacy notice is limited and the personal data collected is minimal, for example, at an ATM, in an SMS, or on a raffle ticket.

Each of these forms must meet specific disclosure requirements, as described below, and the simplified and short-form notices must link to, or provide information about how to obtain, the comprehensive notice.

A comprehensive privacy notice must at least contain:

  • The identity and address of the data controller
  • A description of the personal data that will be processed
  • Identification of any sensitive personal data that will be processed, and an affirmative statement that such data will be processed (if applicable)
  • The purposes of the data processing, including the primary and any secondary purposes
  • The options and means offered by the data controller to data subjects to limit the use, disclosure or processing of their data for any secondary purposes
  • The means by which data subjects can revoke their consent
  • The means for exercising rights of access, rectification, cancellation or objection (ARCO rights)
  • Where appropriate, the types of data transfers to be made, including the purposes of such transfers and the identification of any third parties (not including processors) to whom personal data is transferred
  • The procedure and means by which the data controller will notify the data subjects of changes to the privacy notice

A simplified privacy notice must include, at least, the following information:

  • The identity and address of the Controller
  • The purposes of the data processing, including the primary and any secondary purposes
  • The options and means offered by the data controller to data subjects to limit the use, disclosure or processing of their data for any secondary purposes
  • How to access or obtain the comprehensive privacy notice

The short form privacy notice must include, at least, the following information:

  • The identity and address of the Controller
  • The purposes of the data processing, without distinguishing any secondary purposes
  • The options and means offered by the data controller to data subjects to limit the use, disclosure or processing of their data for any secondary purposes

In addition to the required information, a privacy notice must be clear and written in comprehensible language, with an easy-to-follow structure and design. Among other things, this means the privacy notice should not use inappropriate, ambiguous or vague sentences, or refer to texts and documents that are not available for the data subject to review.

The data controller has the burden of proof to show that the privacy notice was provided to the data subjects prior to the processing of their personal data (unless an exception applies). However, controllers are not required to provide a privacy notice where:

  • the personal data is obtained indirectly and is intended for historical, statistical or scientific purposes
  • the personal data collected is not subject to Mexican privacy laws (eg, certain business-to-business data as described previously)

Consent to processing

Except as otherwise provided by the Law, some form of consent is required for all processing of personal data; depending upon the circumstances, consent may be implicit, express, or express and written:

Implicit (or tacit) consent applies to the processing of personal data generally, except where the Law requires express or express written consent (or where consent is not required):

  • Implicit consent is obtained where the data subject has been informed of the privacy notice and has not objected to or refused the processing of personal data as described in the privacy notice.
  • Express consent (notice and opt-in) is required for the processing of financial or asset data.
  • Express consent may be obtained verbally, in writing, or via any technology or other unmistakable indication. Express and written consent is required for the processing of sensitive personal data. Express written consent may be obtained through the data subject’s written signature, electronic signature, or any other authentication mechanism.

In addition to the above, express or express written consent must be obtained where otherwise specifically required pursuant to an applicable law.

On the other hand, consent from the data subject is not required (but a privacy notice must still be made available) for the processing of personal data where any of the following apply:

  • The processing is required pursuant to an applicable Mexican law
  • The data is contained in publicly available sources
  • The identity of the data subject has been disassociated from the data (ie, the data subject is no longer identifiable)
  • Where the processing is for the purpose of fulfilling obligations pursuant to a legal relationship between the data subject and the data controller
  • There is an emergency situation that could potentially harm an individual with regard to his or her person or property
  • Processing is essential for medical attention, prevention, diagnosis, health care delivery, medical treatment or health services management, where the data subject is unable to give consent in the manner established by the General Health Law (Ley General de Salud) and other applicable laws, and said processing is carried out by a person subject to a duty of professional secrecy or an equivalent obligation, or
  • Pursuant to a resolution issued by a competent authority
