DLA Piper Intelligence

Data Protection Laws of the World

Law

Mexico

The Federal Law on the Protection of Personal Data held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) (the ‘Law’) was enacted on July 5, 2010 and entered into force on July 6, 2010.

The Executive Branch has also issued:

  • the Regulations to the Federal Law on the Protection of Personal Data held by Private Parties (Reglamento de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares) on December 21, 2011 (the ‘Regulations’), which entered into force on December 22, 2011
  • the Privacy Notice Guidelines on January 17, 2013 (the ‘Guidelines’) which entered into force on April 18, 2013
  • the Parameters for Self Regulation regarding personal data on May 29, 2014 (the ‘Parameters’), which entered into force on May 30, 2014

The Regulations apply to all personal data processing when:

  • processed in a facility of the data controller located in Mexican territory
  • processed by a data processor, regardless of its location, if the processing is performed on behalf of a Mexican data controller
  • where the Mexican legislation is applicable as a consequence of Mexico’s adherence to an international convention or the execution of a contract (even where the data controller is not located in Mexico), or
  • where the data controller is not located in Mexican territory but uses means located in Mexico to process personal data, unless such means are used only for transit purposes.

The Law only applies to private individuals or legal entities which process personal data, and not to the government, credit reporting companies governed by the Law Regulating Credit Reporting Companies, or persons carrying out the collection and storage of personal data exclusively for personal use and without the purposes of disclosure or commercial use.

Last modified 24 Jan 2017
Definitions

Definition of personal data

‘Personal Data’ is any information concerning an identified or identifiable individual.

Definition of sensitive personal data

‘Sensitive Personal Data’ is all personal data touching on the most intimate areas of the data subject’s life, the misuse of which may lead to discrimination or serious risk to the data subject. In particular, the definition includes data that may reveal:

  • racial or ethnic origin
  • present or future health conditions
  • genetic information
  • religious, philosophical or moral beliefs
  • union affiliation
  • political views, and
  • sexual orientation.
Authority

The Federal Institute for Access to Information and Data Protection (Instituto Federal de Acceso a la Información y Protección de Datos) (IFAI) and the Ministry of Economy (Secretaría de Economía).

Registration

Not required.

Data Protection Officers

All data controllers are required by Law to designate a personal data officer or department (jointly hereinafter referred to as the ‘Data Protection Officer’) to handle requests from data subjects exercising their rights under the Law. Data Protection Officers are also responsible for enhancing the protection of personal data within their organizations.

Collection & Processing

The term ‘processing’ is broadly defined to include the collection, use, communication, or storage of personal data by any means. Use includes all access, management, procurement, transfer and disposal of personal data.

In processing personal data, data controllers must observe the principles of legality, consent, notice, quality, purpose, loyalty, proportionality and accountability.

Personal data must be:

  • collected and processed fairly and lawfully
  • collected for specified, explicit and legitimate purposes and not be further processed in a way incompatible with those purposes
  • adequate, relevant and not excessive in relation to the purposes for which it is collected and/ or further processed
  • accurate and, if necessary, updated; every reasonable step must be taken to ensure that data which is inaccurate or incomplete, having regard to the purposes for which it was collected or for which it is further processed, is erased or rectified
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data was collected or for which it is further processed.

Data subjects are entitled to a reasonable expectation of privacy in the processing of their personal data, i.e., reliance on the assumption that the personal data will be processed as agreed upon by the parties (in the Privacy Notice or otherwise) and in compliance with the Law.

To legally process personal data, data controllers must provide a privacy notice (Aviso de Privacidad) (the ‘Privacy Notice’), which must be made available to a data subject prior to the processing of his or her personal data. The Privacy Notice may be provided to data subjects in printed, digital, visual or audio formats, or any other technology.

A comprehensive Privacy Notice must at least contain:

  • the identity and domicile of the data controller collecting the data
  • the purposes of the data processing
  • the options and means offered by the data controller to data subjects to limit the use or disclosure of their data
  • the means for exercising rights of access, correction, cancellation or objection (ARCO rights) in accordance with the provisions of the Law
  • where appropriate, the types of data transfers to be made
  • the procedure and means by which the data controller will notify the data subjects of changes to the Privacy Notice, and
  • when processing sensitive personal data, the Privacy Notice must clearly state that sensitive personal data will be processed.

The Guidelines consider three forms of privacy notice: comprehensive, where the data is obtained personally from the data subject; simplified, where the data is obtained directly (by electronic or other remote means) or indirectly from the data subject; and short form, where the space available to gather the data or to display the Privacy Notice is minimal or limited. Each of these forms must meet specific disclosure requirements.

The data controller has the burden of proof to show that the Privacy Notice was provided to the data subject prior to the processing of his data.

Consent is required for all processing of personal data, except as otherwise provided by the Law. Implicit consent (notice and opt out) applies to the processing of personal data; express consent (notice and opt in) applies to the processing of financial or asset data; and express and written consent applies to the processing of sensitive personal data. Consent may be communicated verbally, in writing, by electronic or optical means, via any other technology, or by any other unmistakable indications. Express written consent may be obtained through the data subject’s written signature, electronic signature, or any other authentication mechanism set up for such purpose.

Consent from the data subject will not be required for the processing of personal data when:

  • any law so provides
  • the data is contained in publicly available sources
  • the identity of the data subject has been disassociated from the data
  • processing has the purpose of fulfilling obligations under a legal relationship between the data subject and the data controller
  • there is an emergency situation that could potentially harm an individual with regard to his person or property
  • processing is essential for medical attention, prevention, diagnosis, health care delivery, medical treatment or health services management, where the data subject is unable to give consent in the manner established by the General Health Law (Ley General de Salud) and other applicable laws, and said processing is carried out by a person subject to a duty of professional secrecy or an equivalent obligation, or
  • pursuant to a resolution issued by a competent authority.
Transfer

Where the data controller intends to transfer personal data to domestic or foreign third parties other than the data processor, it must provide the third parties with the Privacy Notice and the purposes to which the data subject has limited the data processing.

Data processing will be in accordance with what was agreed in the Privacy Notice, which shall contain a clause indicating whether or not the data subject agrees to the transfer of his data; moreover, the third party recipient will assume the same obligations as the data controller who has transferred the data.

Domestic or international transfers of personal data may be carried out without the consent of the data subject where:

  • the transfer is pursuant to a law or treaty to which Mexico is party
  • the transfer is necessary for medical diagnosis or prevention, health care delivery, medical treatment or health services management
  • the transfer is made to the holding company, subsidiaries or affiliates under the common control of the data controller, or to a parent company or any company of the same group as the data controller, operating under the same internal processes and policies
  • the transfer is necessary by virtue of a contract executed or to be executed between the data controller and a third party in the interest of the data subject
  • the transfer is necessary or legally required to safeguard the public interest or for the administration of justice
  • the transfer is necessary for the recognition, exercise or defence of a right in a judicial proceeding, or
  • the transfer is necessary to maintain or comply with an obligation resulting from a legal relationship between the data controller and the data subject.

The Regulations establish that communications or transmissions of personal data to data processors need not be notified to, or consented to by, the data subject. However, the data processor must:

  • process personal data only according to the instructions of the data controller
  • not process personal data for a purpose other than as instructed by the data controller
  • implement the security measures required by the Law, the Regulations, and other applicable laws and regulations
  • maintain confidentiality regarding the personal data subject to processing
  • delete the personal data it processed once the legal relationship with the data controller ends, or upon the data controller’s instructions, provided there is no legal requirement to preserve the personal data, and
  • not transfer personal data unless the data controller so determines, the communication arises from subcontracting, or if so required by a competent authority.

The agreement between the data controller and data processor related to the processing of personal data must be in accordance with the corresponding Privacy Notice provided to the data subject.

Security

All data controllers must establish and maintain physical, technical and administrative security measures designed to protect personal data from damage, loss, alteration, destruction or unauthorised use, access or processing. They may not adopt security measures that are inferior to those they have in place to manage their own information.

The risk involved, the potential consequences for the data subjects, the sensitivity of the data, and technological development must be taken into account when establishing security measures.

Breach Notification

Security breaches occurring at any stage of the processing which materially affect the property or moral rights of the data subject must be promptly reported by the data controller to the data subject, so that he can take appropriate action to defend his rights.

The Regulations provide that a breach notification must include at least the following information:

  • the nature of the breach
  • the personal data compromised
  • recommendations to the data subject concerning measures that the latter can adopt to protect his interests
  • corrective actions implemented immediately, and
  • the means by which the data subject may obtain more information in regard to the data breach.
Enforcement

The Law is of public order and of general observance throughout the Mexican Republic. It has the purpose of protecting personal data held by private parties, in order to require legitimate, controlled and informed processing, and ensure privacy and the right to informational self-determination of individuals.

Data subjects can enforce their ARCO Rights, when no response is obtained from the data controller, through IFAI and ultimately the courts.

IFAI may act ex officio or in response to complaints regarding violations of the Law. If any breach of the Law or its Regulations is alleged, IFAI may perform on-site inspections at the data controller’s facilities to verify compliance with the Law.

Violations of the Law may result in monetary penalties or imprisonment.

  • IFAI may impose monetary sanctions ranging from 100 to 320,000 times the Mexico City minimum wage (currently $70.10 Mexican pesos; however, please note that the minimum wage is updated every year). With regard to violations committed concerning the processing of sensitive personal data, sanctions may be increased up to double the above amounts.
  • Three months to three years imprisonment may be imposed on any person authorised to process personal data who, for profit, causes a security breach affecting the databases under its custody. Penalties will be doubled if sensitive personal data is involved.
  • Six months to five years imprisonment may be imposed on any person who, with the aim of obtaining unlawful profit, processes personal data deceitfully, taking advantage of an error of the data subject or of a person authorised to process such data. Penalties will be doubled if sensitive personal data is involved.
Electronic Marketing

Email marketing constitutes the processing of personal data and is subject to the provisions of the Law, among them the obligation to provide a Privacy Notice and to request consent where required.

Online Privacy

The Regulations and Guidelines which address the use of cookies, web beacons and other analogous technologies, require that when a data controller uses online tracking mechanisms that permit the automatic collection of personal data, they provide prominent notice of: the use of such technologies; the fact that personal data is being collected; and the options to disable such technologies. The notice must also specify the type of personal data being gathered and the purpose of its collection.

An IP address alone may be considered personal data; however, the competent authority has not yet issued a resolution or decision on this point.

Contacts

Cecilia Azar
Partner
T +52 55 5261 1803

Paola Aldrete
Associate
T +52 55 5261 1888