Data Protection in Mexico

Transfer in Mexico

Mexican Privacy Laws distinguish between 'transfers' of personal data (to third parties) and 'transmissions' of personal data (to processors). Under Mexican Privacy Laws, a 'transfer' is any communication or transmission of personal data by or on behalf of the data controller to a third party (not including a processor). Where the data controller intends to transfer personal data to domestic or foreign third parties other than a data processor, it must provide the third parties with the privacy notice provided to the data subject and the purposes to which the data subject has limited the data processing. In addition, the controller must notify data subjects in the privacy notice of the transfer, including:

  • that the transfer may be made, as well as to whom and for what purposes the personal data may be transferred.
  • where consent to the transfer is required, that the data subject consents and how the data subject can refuse to consent to the relevant transfer(s).

The purpose of the transfer must be limited to the purpose and conditions informed in the privacy notice and consented to by the data subject (as applicable).

The third-party recipient must assume the same obligations as the data controller who has transferred the data.

Domestic and international transfers of personal data may be carried out without the consent of the data subject where the transfer is:

  • Pursuant to a law or treaty to which Mexico is party
  • Necessary for medical diagnosis or prevention, health care delivery, medical treatment or health services management
  • Made to the holding company, subsidiaries or affiliates under the common control of the data controller, or to a parent company or any company of the same group as the data controller, operating under the same internal processes and policies as the data controller (provided they will comply with principles of Mexican Privacy Laws, the privacy notice provided to data subjects and the other applicable internal policies regarding data protection)
  • Necessary by virtue of a contract executed or to be executed between the data controller and a third party in the interest of the data subject
  • Necessary or legally required to safeguard public interest or for the administration of justice
  • Necessary for the recognition, exercise or defense of a right in a judicial proceeding, or
  • Necessary to maintain or comply with an obligation resulting from a legal relationship between the data controller and the data subject

The Regulations establish that communications or transmissions of personal data to processors do not need to be notified or consented to by the data subject. However, the data processor must do all of the following:

  • Process personal data only according to the instructions of the data controller
  • Not process personal data for a purpose other than as instructed by the data controller
  • Implement the security measures required by the Law, the Regulations and other applicable laws and regulations
  • Maintain the confidentiality of the personal data subject to processing
  • Delete personal data that were processed after the legal relationship with the data controller ends or when instructed by the data controller, unless there is a legal requirement for the preservation of the personal data
  • Not transfer personal data unless instructed by the data controller, the communication arises from subcontracting, or if so required by a competent authority
