Data Protection in Mexico

Enforcement in Mexico

Data subjects can enforce their ARCO Rights, when no response is obtained from the data controller via INAI and ultimately the court system.

If any breach of the Law or its Regulations is alleged, INAI may perform an on-site inspection at the data controller’s facilities to verify compliance with the Law.

Violations of the Law may result in monetary penalties or imprisonment, including the following:

INAI may impose monetary sanctions in the range of 100 to 320,000 times the Mexico City minimum wage (currently, MX $88.36, updated every year). Sanctions may be increased up to double the above amounts for violations involving sensitive personal data.

Three months to three years of imprisonment may be imposed on any person authorized to process personal data who, for profit, causes a security breach affecting the databases under its custody. Penalties will be doubled if sensitive personal data is involved.

Six months to five years of imprisonment may be imposed on any person who, with the aim of obtaining unlawful profit, processes personal data deceitfully, taking advantage of an error of the data subject or a person authorized to process such data. Penalties will be doubled if sensitive personal data is involved.

In determining the appropriate sanctions, the INAI will consider:

  • The nature of the data
  • The notorious inadmissibility of the refusal of the Data Controller, to carry out the acts requested by the data subject, in terms of this Law
  • The intentional or unintentional nature of the action or omission constituting the offense
  • The economic capacity of the data controller, and
  • Recidivism

The sanctions imposed by the INAI are without prejudice to any further civil or criminal liability.

Continue reading

  • no results

Previous topic
Back to top