Global Data Privacy Guide
Mexico (Latin America)
Firm: Basham, Ringe Y Correa, S.C.
Contributors: Adolfo Athie
| 1. What is the key legislation? | In the private sector, the law that governs the protection of personal data in Mexico is the Federal Law on Protection of Personal Data Held by Individuals (Ley Federal de Protección de Datos de Personales en Posesión de los Particulares) (the "LFPDPPP"). Secondary legislation supplements the LFPDPPP. This includes the Regulations to the LFPDPPP (Reglamento de laLey Federal de Protección de Datos de Personales en Posesión de los Particulares) (the "RLFPDPPP") and the Guidelines of the Privacy Notice (Lineamientos del Aviso de Privacidad) (the "Guidelines"). In the public sector, the law that governs the protection of personal data in Mexico is the General Law on Protection of Personal Data held by Obliged Subjects (Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados) (the "Public Sector Law"), as well as local laws addressing the subject within each state of the Mexican Republic. |
| 2. What are the key decisions applying that legislation? | To our knowledge, currently the new data protection authority has not yet issued any decision. |
| 1. How are “personal data” and “sensitive data” defined? | Personal Data: Any information concerning an identified or identifiable person. A person is considered identifiable when their identity can be determined directly or indirectly through any information (Art. 2, V of the LFPDPPP) Sensitive personal data: Those personal data that affect the most intimate sphere of the data subject, or whose improper use may give rise to discrimination or entail a serious risk for the data subject. By way of example, but not limited to, personal data that may reveal aspects such as racial or ethnic origin, present or future health status, genetic information, religious, philosophical and moral beliefs, political opinions and sexual preference are considered sensitive (Art. 2, VI of the LFPDPPP) |
| 2. How is the defined data protected? | LFPDPPP states that personal data processing must be according to the following principles and obligations:
Some specific measures must be taken when processing sensitive personal data:
Processing of personal data will be done as necessary, appropriate and relevant with relation to the purposes set out in the privacy notice. For sensitive personal data, the data controller must make reasonable efforts to limit the processing period thereof to the minimum required. To do so, the data controller will verify what the period for sensitive personal data retention is, and once it has elapsed, delete the data, after blocking. |
| 3. Who is subject to privacy obligations? | The Data Protection Law applies to all individuals and private legal entities. The General Law applies to all obligated subjects. The parties regulated under the Data Protection Law are private parties, individuals or legal entities that process personal data, except for (i) credit bureaus; and (ii) individuals that carry out the collection and storage of personal data exclusively for personal use, and without purposes of disclosure or commercial use. The General Law regulates obligated subjects, which are public agencies pertaining to the three levels of government: federal, state, including Mexico City, and municipal, as well as the constitutional autonomous organisms, political parties and public trusts. |
| 4. How is “data processing” defined? | Processing: Any operation or set of operations carried out by means of manual or automated procedures applied to personal data, related to the collection, use, recording, organization, preservation, storage, processing, use, communication, dissemination, storage, possession, access, handling, use, disclosure, transfer or disposal of personal data, (Art. 2, XIX, LFPDPPP). |
| 5. What are the principles applicable to personal data processing? | Generally, personal data must be collected with the data subject's consent, unless one of the exceptions for consent applies, and only after a privacy notice has been made available to them. When collecting personal data, the data protection principles must also be observed (e.g., information, consent, proportionality, purpose limitation, data quality, legitimacy and accountability). Note: Prior to collecting personal data, the data controller needs to make available to data subjects a privacy notice explaining the characteristics of the processing of their personal data. Such a privacy notice must include the name and address of the data controller, personal data that is going to be processed, the purposes of the processing, data transfers to be made, information regarding means for data subjects to exercise their rights, etc. Additionally, as a general rule consent from data subjects is needed in order to process their personal data. Written consent is necessary for the processing of sensitive personal data, explicit consent for the processing of financial data and implied consent for other categories of personal data. Consent will not be necessary when:
|
| 6. How is the processing of personal data regulated? | Personal data may only be used to fulfill the purposes of the processing, as stated in the privacy notice that was made available to data subjects. The use and disclosure of personal data must only be done in accordance with what is established in the privacy notice and personal data may only be processed in connection with clearly defined and legitimate objectives, as mentioned in the privacy notice made available to data subjects. Additionally, the use and disclosure of personal data must be done in compliance with the data protection principles of proportionality, purpose limitation, legality, consent, information, loyalty. In particular, personal data may only be used for purposes that are necessary, appropriate, relevant and not excessive in connection with the purposes for which personal data was collected. In addition, a data controller is obliged to make reasonable efforts to limit the personal data being processed to the minimum necessary. |
| 7. How are storage, security and retention of personal data regulated? | Personal data must be kept for as long as is needed to comply with the purposes of the processing. There must always be appropriate security measures to protect personal data from unauthorized use, access, disclosure or processing. In general, personal data may be kept or stored for as long as it is necessary to comply with the purposes of the processing, and after that, for a period equal to the statute of limitations of the actions that could arise as a result of, or in connection with, the data processing. Once personal data is no longer necessary, it must be securely deleted. Data controllers must establish and maintain organizational, technical and physical security measures to protect personal data against damage, loss, alteration, destruction or unauthorized use, access or processing. Data controllers should adopt security measures similar to the ones that they use to protect their own information. The risk, previous security incidents, the sensitivity of the personal data and the possible consequences for the data subjects, technological development and the amount of data must be taken into account when determining the security measures that will be in place. |
| 8. What are the data subjects' rights under the data legislation? | In Mexico, data subjects have the right to exercise the access, rectification, erasure (cancellation), and/or opposition, at any time. Therefore, controllers must be able to guarantee such exercise. The data protection rights are:
Notwithstanding, data subjects must always be able to exercise them, depending on the specific situation the right could be denied or not applicable. |
| 9. What are the consent requirements for data subjects? | Not applicable. |
| 10. How is authorization for use of data handled? | Not applicable. |
| 11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers? | Data Controller to Data Controller data transfer rules: The data controller that transfers (whether national or international) personal data may use contracts and other legal instruments that contain at least the same obligations as those to which the data controller is subject under the Mexican data protection legislation, as well as the conditions under which the data subject consented to the processing of his personal data. The main rules for data transfer between data controllers:
|
| 12. How are data "incidents" and "breaches" defined? | Not applicable. |
| 13. Are there any notification requirements for incidents and/or data breaches? | When a data breach that could materially affect the rights or property of data subjects occurs, it is mandatory to immediately notify data subjects of the breach, so they can take appropriate actions to protect themselves. Data controllers must inform the data subjects about the breaches that can significantly affect their rights or property, but first, they have to confirm that the breach has actually occurred, and the magnitude and scope of the breach. This must be done without delay so that the data subjects affected can take the appropriate measures to protect themselves or their rights. The data protection authority does not need to be notified. |
| 14. Who is/are the privacy regulator(s)? | The National Institute of Transparency, Access to Information and Protection of Personal Data (INAI is its acronym in Spanish). The INAI is an autonomous body responsible for promoting and disseminating the right to access public information and the right to data protection within governmental agencies and private parties. This body is committed to working with other federal, state and municipal authorities in order to promote data protection in different industries and sectors, such as the financial, educational and health sectors. The INAI is also the competent authority to prosecute and sanction breaches of data protection and transparency laws and regulations. |
| 15. What are the consequences of a data breach? | In addition to the notification requirement, consequences may be the imposition of fines to the data controller or of imprisonment penalties for individuals that cause a security breach for profit. Note: The first consequence is the obligation to notify, without delay, the data subject when a breach occurs, in the terms referred to before. Then, an investigation could be initiated by INAI that may result in the imposition of a fine ranging from 100 to 320,000 units of account called UMA. Currently, one UMA amounts to MXN 96.22 (approx. EUR 4.20), thus fines range from approximately EUR 420 to EUR 1,341,000.00. If sensitive personal data was involved in the breach, the fine may double. Imprisonment may be imposed on any person who, with the intent of achieving an unlawful profit, causes a security breach. |
| 16. How is electronic marketing regulated? | Marketing is considered a secondary purpose of the processing, and as such, it must be clear in the privacy notice that this purpose is voluntary, as well as the means available to opt out of receiving marketing communications. The privacy notice must inform data subjects that their personal data may be used for marketing purposes, and that such use is secondary or voluntary. Data controllers must provide means to opt out from receiving marketing communications, and such means can be included in the privacy notice (as boxes) or described in the privacy notice but included somewhere else (like unsubscribe). Marketing may be done on an opt-out basis. |
| 17. Are there sector-specific or industry-specific privacy requirements? | In Mexico, the data protection law is of the federal level, it is of a public order and of general observance throughout the national territory. Therefore, any sector or industry must observe this law; however, specific sectors may have additional or more stringent requirements, e.g., banking and health. |
| 18. What are the requirements for appointing Data Protection Officers or similar roles? | In Mexico, all data controllers (no exceptions), regardless of the type or scale of processing activities or the type of personal data processed, must appoint a Data Protection Officer (“DPO”). (Article 29 LFPDPPP). Appoint a DPO and allocate to the DPO the responsibility for ensuring that biometric recognition-related policies and procedures are followed. It is not necessary or that the details of the DPO be provided to the SABG; however, they must be included in the relevant Privacy Notices. For further information, please see the guidance issued by the extinct INAI, available at: https://home.inai.org.mx/wp-content/uploads/Recomendaciones-para-los-sujetos-obligados-en-la-designaci%C3%B3n-del-oficial-de-protecci%C3%B3n-de-datos-personales-1.pdf Even though this guidance (not mandatory) was issued by the extinct data protection authority and for authorities in the government sector that process personal data, we refer to it as an orientate document. |
| 19. What are the record-keeping and documentation obligations? | These obligations are not expressly mandated by the LFPDPPP. |
| 20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)? | Undertaking a DPIA is not mandatory as such but recognized by the former data protection authority (INAI) as best practice. Similar to a DPIA, controllers, according to Article 48, V, RLFPDPPP, must implement a procedure to deal with data protection-related risks in the context of the implementation of new products, services, technologies and business models, as well as to mitigate them. In this regard, performing a DPIA is useful in this regard. |
| 21. What are the requirements for third-party vendor management and data sharing? | When engaging a Processor (whether another group company or a third-party provider), the entity that is the Controller (or Joint Controller) of the personal data processed in connection with the operation of the biometric system retains the primary responsibility for the compliance of the Processor. The Controller is required under Article 51 RLFPDPPP to:
Data Controller to Data Processor remissions of personal data rules: There must be a written agreement specifying the scope and content of the processing relationship. The contract must include the following obligations to data processors:
|
| 22. What are the penalties and enforcement mechanisms for non-compliance? | Violations of this Law shall be sanctioned by the Secretariat with:
In case of recurrence, additional fines may be imposed based on the previous paragraph, and if the violations were committed in the processing of sensitive personal data, the penalties may be doubled. Additionally, imprisonment may be imposed on those who unlawfully breach security measures or facilitate the violation of data in a database under their custody, or those who unlawfully profit from the processing of personal data by taking advantage of any error of the data subject. |
| 23. What are the ongoing compliance and audit requirements? | Privacy and security policies must be kept up to date and according to Article 62 of the RLFPDPPP:
In the case of sensitive personal data, the controllers will try to review and, where appropriate, update the corresponding relationships once a year. |
| 24. Are there any recent developments or expected reforms? | Mexico has acceded to Convention 108 and its Additional Protocol. Also, the United States, Canada and Mexico have agreed on a Trade Agreement that includes a chapter with provisions on the protection of personal data. At the end of 2018, an amendment to different laws was proposed to the Senate. According to this proposal, explicit consent of data subjects will be required to carry out marketing. This proposal has been approved by the Senate and must now be discussed in the Chamber of Deputies. Note: Mexico acceded to Convention 108 and its Protocol in June 2018, and such international treaties entered into force for Mexico on October 1, 2018. Convention 108 will have an impact in Mexico, especially regarding trans-border data flows. It is possible that reforms to Mexican legislation on data protection take place in the future to fully match current legislation to the treaties of reference. The United States, Canada and Mexico have agreed on a new Free Trade Agreement, the United States-Mexico-Canada Agreement ("USMCA"), that entered into force on July 1, 2020. This agreement includes, among others, provisions on cross-border data flows, corporate binding rules and data location. It is possible that reforms to Mexican legislation on data protection take place in the future in connection with this international agreement. The proposed amendment regarding marketing practices has not been approved yet and does not seem to be a priority of this government. Thus, it may be left pending indefinitely. |
Global Data Privacy Guide
Mexico
(Latin America) Firm Basham, Ringe Y Correa, S.C.Contributors Adolfo Athie
Updated 11 Aug 2025In the private sector, the law that governs the protection of personal data in Mexico is the Federal Law on Protection of Personal Data Held by Individuals (Ley Federal de Protección de Datos de Personales en Posesión de los Particulares) (the "LFPDPPP"). Secondary legislation supplements the LFPDPPP. This includes the Regulations to the LFPDPPP (Reglamento de laLey Federal de Protección de Datos de Personales en Posesión de los Particulares) (the "RLFPDPPP") and the Guidelines of the Privacy Notice (Lineamientos del Aviso de Privacidad) (the "Guidelines").
In the public sector, the law that governs the protection of personal data in Mexico is the General Law on Protection of Personal Data held by Obliged Subjects (Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados) (the "Public Sector Law"), as well as local laws addressing the subject within each state of the Mexican Republic.
To our knowledge, currently the new data protection authority has not yet issued any decision.
Personal Data: Any information concerning an identified or identifiable person. A person is considered identifiable when their identity can be determined directly or indirectly through any information (Art. 2, V of the LFPDPPP)
Sensitive personal data: Those personal data that affect the most intimate sphere of the data subject, or whose improper use may give rise to discrimination or entail a serious risk for the data subject. By way of example, but not limited to, personal data that may reveal aspects such as racial or ethnic origin, present or future health status, genetic information, religious, philosophical and moral beliefs, political opinions and sexual preference are considered sensitive (Art. 2, VI of the LFPDPPP)
LFPDPPP states that personal data processing must be according to the following principles and obligations:
- Consent (articles 7, 8 and 9)
- Legality (article 6)
- Loyalty (article 6)
- Information (articles 14, 15, 16, 17)
- Purpose limitation (article 11)
- Proportionality (article 12)
- Quality (article 10)
- Obligation to adopt and maintain security measures (article 18)
- Confidentiality (article 20)
- Accountability (article 13)
- The requirement of data protection by design and default is not expressly included in the LFPDPPP; however, where the intensive data processing is considered with a high impact on privacy, a DPIA could be deemed as a best practice.
Some specific measures must be taken when processing sensitive personal data:
- Databases containing sensitive personal data must not be created without justification of their creation for purposes that are legitimate, concrete and consistent with the explicit objectives or activities pursued by the regulated party.
- Privacy notice must expressly state that it is dealing with this type of data.
- To transfer the data to a third party without the data subject’s consent, the data controller must dissociate them. The possibility of dissociation must be referred to in the relevant privacy notice, or unless such transfer is within the Law assumptions.
- It is necessary to process under a confidential basis and adopt technical, physical, and administrative security measures to protect personal data against damage, loss, alteration, destruction or unauthorized use, access or treatment. In adopting such security measures, the controller must consider the risks involved, any potential consequences to the data subjects if there is a security breach, the nature of the data, and technological development.
- Access restriction only for personnel who are authorized and trained for sensitive data processing.
Processing of personal data will be done as necessary, appropriate and relevant with relation to the purposes set out in the privacy notice. For sensitive personal data, the data controller must make reasonable efforts to limit the processing period thereof to the minimum required. To do so, the data controller will verify what the period for sensitive personal data retention is, and once it has elapsed, delete the data, after blocking.
The Data Protection Law applies to all individuals and private legal entities. The General Law applies to all obligated subjects.
The parties regulated under the Data Protection Law are private parties, individuals or legal entities that process personal data, except for (i) credit bureaus; and (ii) individuals that carry out the collection and storage of personal data exclusively for personal use, and without purposes of disclosure or commercial use.
The General Law regulates obligated subjects, which are public agencies pertaining to the three levels of government: federal, state, including Mexico City, and municipal, as well as the constitutional autonomous organisms, political parties and public trusts.
Processing: Any operation or set of operations carried out by means of manual or automated procedures applied to personal data, related to the collection, use, recording, organization, preservation, storage, processing, use, communication, dissemination, storage, possession, access, handling, use, disclosure, transfer or disposal of personal data, (Art. 2, XIX, LFPDPPP).
Generally, personal data must be collected with the data subject's consent, unless one of the exceptions for consent applies, and only after a privacy notice has been made available to them. When collecting personal data, the data protection principles must also be observed (e.g., information, consent, proportionality, purpose limitation, data quality, legitimacy and accountability).
Note: Prior to collecting personal data, the data controller needs to make available to data subjects a privacy notice explaining the characteristics of the processing of their personal data. Such a privacy notice must include the name and address of the data controller, personal data that is going to be processed, the purposes of the processing, data transfers to be made, information regarding means for data subjects to exercise their rights, etc.
Additionally, as a general rule consent from data subjects is needed in order to process their personal data. Written consent is necessary for the processing of sensitive personal data, explicit consent for the processing of financial data and implied consent for other categories of personal data.
Consent will not be necessary when:
- a law so provides;
- the data are contained in publicly available sources;
- the personal data are subject to a prior dissociation procedure;
- they have the purpose of fulfilling obligations under a legal relationship between the data subject and the data controller;
- there is an emergency situation that could harm an individual in his person or property; or
- personal data is essential for medical attention, prevention, diagnosis, health care delivery, medical treatment or health medical management, where the data subject is unable to give consent.
Personal data may only be used to fulfill the purposes of the processing, as stated in the privacy notice that was made available to data subjects.
The use and disclosure of personal data must only be done in accordance with what is established in the privacy notice and personal data may only be processed in connection with clearly defined and legitimate objectives, as mentioned in the privacy notice made available to data subjects.
Additionally, the use and disclosure of personal data must be done in compliance with the data protection principles of proportionality, purpose limitation, legality, consent, information, loyalty. In particular, personal data may only be used for purposes that are necessary, appropriate, relevant and not excessive in connection with the purposes for which personal data was collected. In addition, a data controller is obliged to make reasonable efforts to limit the personal data being processed to the minimum necessary.
Personal data must be kept for as long as is needed to comply with the purposes of the processing. There must always be appropriate security measures to protect personal data from unauthorized use, access, disclosure or processing.
In general, personal data may be kept or stored for as long as it is necessary to comply with the purposes of the processing, and after that, for a period equal to the statute of limitations of the actions that could arise as a result of, or in connection with, the data processing.
Once personal data is no longer necessary, it must be securely deleted.
Data controllers must establish and maintain organizational, technical and physical security measures to protect personal data against damage, loss, alteration, destruction or unauthorized use, access or processing.
Data controllers should adopt security measures similar to the ones that they use to protect their own information.
The risk, previous security incidents, the sensitivity of the personal data and the possible consequences for the data subjects, technological development and the amount of data must be taken into account when determining the security measures that will be in place.
In Mexico, data subjects have the right to exercise the access, rectification, erasure (cancellation), and/or opposition, at any time. Therefore, controllers must be able to guarantee such exercise.
The data protection rights are:
- to access under Article 22 LFPDPPP (see ‘fair processing notices’ above in this table);
- to rectification under Article 23 LFPDPPP;
- to erasure (cancellation) under Article 24 LFPDPPP;
- to object to processing/profiling under Article 26 LFPDPPP
- to limit the use or disclosure under Article 15, IV, LFPDPPP; and
- to revoke consent Article 7 LFPDPPP
- to information when personal data is processed within a decision-taking procedure without human intervention, Article 112 RLFPDPPP
- to reconsideration of the decision taken with AI tools without human intervention Article 112 RLFPDPPP
Notwithstanding, data subjects must always be able to exercise them, depending on the specific situation the right could be denied or not applicable.
Not applicable.
Not applicable.
Data Controller to Data Controller data transfer rules:
The data controller that transfers (whether national or international) personal data may use contracts and other legal instruments that contain at least the same obligations as those to which the data controller is subject under the Mexican data protection legislation, as well as the conditions under which the data subject consented to the processing of his personal data.
The main rules for data transfer between data controllers:
- The data subject must be informed by a privacy notice, and the transfer must be limited to the purposes that justify it.
- Any transfer of personal data, whether national or international, is subject to the consent of the data subject.
- The transferring party (transferor) shall provide the privacy notice to the third-party recipient.
- Cross-border transfers of personal data are possible when the receiver of the personal data assumes the same obligations as the controller transferring the personal data.
- For purposes of proving that the transfer, whether domestic or international, was made in accordance with the provisions of the Mexican data protection legislation, the burden of proof shall be, in all cases, on the transferring data controller and on the recipient of the personal data.
- Cross-border or national data transfers to third-party controllers do not require data subject consent when the transfer is:
- made to a holding company, subsidiary, or affiliate under common control with the transferring party or to a parent company or any company of the same group as the transferring party, operating under the same internal processes and policies.
- made based on a law or treaty to which Mexico has agreed.
- If the transfer is required to maintain or fulfill a legal relationship between the transferring party and the data subject.
- If the transfer is required for medical diagnosis or prevention, health care delivery, medical treatment, or health services management.
- If the transfer is necessary by virtue of a contract executed or to be executed in the interest of the data subject between the data controller and a third party, or
- If the transfer is legally required to safeguard public interests or for the administration of justice, or for the recognition, exercise, or defense of a right in a judicial proceeding.
Not applicable.
When a data breach that could materially affect the rights or property of data subjects occurs, it is mandatory to immediately notify data subjects of the breach, so they can take appropriate actions to protect themselves.
Data controllers must inform the data subjects about the breaches that can significantly affect their rights or property, but first, they have to confirm that the breach has actually occurred, and the magnitude and scope of the breach. This must be done without delay so that the data subjects affected can take the appropriate measures to protect themselves or their rights.
The data protection authority does not need to be notified.
The National Institute of Transparency, Access to Information and Protection of Personal Data (INAI is its acronym in Spanish).
The INAI is an autonomous body responsible for promoting and disseminating the right to access public information and the right to data protection within governmental agencies and private parties. This body is committed to working with other federal, state and municipal authorities in order to promote data protection in different industries and sectors, such as the financial, educational and health sectors.
The INAI is also the competent authority to prosecute and sanction breaches of data protection and transparency laws and regulations.
In addition to the notification requirement, consequences may be the imposition of fines to the data controller or of imprisonment penalties for individuals that cause a security breach for profit.
Note: The first consequence is the obligation to notify, without delay, the data subject when a breach occurs, in the terms referred to before.
Then, an investigation could be initiated by INAI that may result in the imposition of a fine ranging from 100 to 320,000 units of account called UMA. Currently, one UMA amounts to MXN 96.22 (approx. EUR 4.20), thus fines range from approximately EUR 420 to EUR 1,341,000.00. If sensitive personal data was involved in the breach, the fine may double.
Imprisonment may be imposed on any person who, with the intent of achieving an unlawful profit, causes a security breach.
Marketing is considered a secondary purpose of the processing, and as such, it must be clear in the privacy notice that this purpose is voluntary, as well as the means available to opt out of receiving marketing communications.
The privacy notice must inform data subjects that their personal data may be used for marketing purposes, and that such use is secondary or voluntary. Data controllers must provide means to opt out of receiving marketing communications; such means can be included in the privacy notice itself (e.g., as checkboxes) or described in the privacy notice but provided elsewhere (e.g., an unsubscribe mechanism). Marketing may be done on an opt-out basis.
In Mexico, the data protection law is federal, of public order and of general observance throughout the national territory. Therefore, every sector and industry must observe this law; however, specific sectors may have additional or more stringent requirements, e.g., banking and health.
In Mexico, all data controllers (no exceptions), regardless of the type or scale of their processing activities or the type of personal data processed, must appoint a Data Protection Officer ("DPO") (Article 29 LFPDPPP).
If a data controller's local entity in Mexico processes any personal data in Mexico (e.g., from its employees, suppliers, etc.), it is mandatory for this local entity to appoint a DPO. There is no requirement for the DPO to be based in-country; therefore, the DPO can be based overseas.
Appoint a DPO and allocate to the DPO the responsibility for ensuring that biometric recognition-related policies and procedures are followed. It is not necessary that the details of the DPO be provided to the SABG; however, they must be included in the relevant Privacy Notices.
For further information, please see the guidance issued by the extinct INAI, available at: https://home.inai.org.mx/wp-content/uploads/Recomendaciones-para-los-sujetos-obligados-en-la-designaci%C3%B3n-del-oficial-de-protecci%C3%B3n-de-datos-personales-1.pdf
Even though this guidance (which is not mandatory) was issued by the extinct data protection authority and addressed to government-sector authorities that process personal data, we refer to it as an orientation document.
These obligations are not expressly mandated by the LFPDPPP.
Undertaking a DPIA is not mandatory as such, but it was recognized by the former data protection authority (INAI) as best practice. Similar to a DPIA, controllers, according to Article 48, V, RLFPDPPP, must implement a procedure to identify data protection-related risks in the context of the implementation of new products, services, technologies and business models, as well as to mitigate them. Performing a DPIA is useful in this regard.
When engaging a Processor (whether another group company or a third-party provider), the entity that is the Controller (or Joint Controller) of the personal data processed in connection with the operation of the biometric system retains the primary responsibility for the compliance of the Processor. The Controller is required under Article 51 RLFPDPPP to:
- Ensure that the Processor provides sufficient guarantees to implement appropriate technical and organisational measures for the processing to comply with the UK GDPR (including with respect to security, storage and the use of properly trained staff). The Controller can, for example, ask the Processor to complete a supplier due diligence questionnaire to help it gather and assess the relevant information; and
- Enter into a written contract with the Processor, which must, at a minimum, include the terms set out in Article 50 RLFPDPPP.
- Data Subjects do not need to consent or be informed of domestic or international data remissions from a Controller to a Processor, as the controller is the party ultimately responsible for the processing of personal data.
- The agreements between the controller and processor related to the processing of personal data must be in accordance with the controller's privacy notice.
Rules for Data Controller to Data Processor remissions of personal data:
There must be a written agreement specifying the scope and content of the processing relationship. The contract must impose the following obligations on the data processor:
- Process personal data strictly in accordance with the instructions of the controller.
- Refrain from processing personal data for purposes other than those instructed by the controller.
- Implement the security measures required by Mexican legislation on data protection and other applicable laws and regulations.
- Maintain the confidentiality of personal data subject to processing.
- Delete the personal data once the legal relationship with the controller has concluded or upon instructions from the latter, provided that there is no legal obligation to retain the data.
- Refrain from transferring personal data unless instructed to do so by the data controller or where the transfer derives from a subcontracting authorized by the data controller, or where it is required by a competent authority.
Violations of this Law shall be sanctioned by the Secretariat with:
- A warning to the data controller to carry out the actions requested by the data subject.
- A fine ranging from 100 to 320,000 units of account (UMA) applicable in Mexico City; one UMA is currently 113.14 Mexican pesos (approx. USD 5.9). Therefore, fines range from approx. USD 590 to approx. USD 1,888,000.
In case of recurrence, additional fines may be imposed based on the previous paragraph, and if the violations were committed in the processing of sensitive personal data, the penalties may be doubled.
Additionally, imprisonment may be imposed on those who unlawfully breach security measures or facilitate the violation of data in a database under their custody, or those who unlawfully profit from the processing of personal data by taking advantage of any error of the data subject.
Privacy and security policies must be kept up to date and, according to Article 62 of the RLFPDPPP, data controllers must update the list of security measures when any of the following events occur:
- Security measures or processes are modified for continuous improvement, derived from revisions to the Data Controller's security policy.
- There are substantial modifications in the processing that result in a change in the level of risk.
- The processing systems have faced a data breach.
- There is an effect on personal data different from the above.
In the case of sensitive personal data, controllers shall endeavour to review and, where appropriate, update the corresponding lists at least once a year.
Mexico has acceded to Convention 108 and its Additional Protocol. Also, the United States, Canada and Mexico have agreed on a Trade Agreement that includes a chapter with provisions on the protection of personal data.
At the end of 2018, an amendment to different laws was proposed to the Senate. According to this proposal, explicit consent of data subjects will be required to carry out marketing. This proposal has been approved by the Senate and must now be discussed in the Chamber of Deputies.
Note: Mexico acceded to Convention 108 and its Protocol in June 2018, and these international treaties entered into force for Mexico on October 1, 2018. Convention 108 will have an impact on Mexico, especially regarding trans-border data flows. It is possible that reforms to Mexican legislation on data protection will take place in the future to fully align current legislation with those treaties.
The United States, Canada and Mexico have agreed on a new Free Trade Agreement, the United States-Mexico-Canada Agreement ("USMCA"), which entered into force on July 1, 2020. This agreement includes, among others, provisions on cross-border data flows, binding corporate rules and data localization. It is possible that reforms to Mexican legislation on data protection will take place in the future in connection with this international agreement.
The proposed amendment regarding marketing practices has not been approved yet and does not seem to be a priority of this government. Thus, it may be left pending indefinitely.