Global Data Privacy Guide
Mexico (Latin America/Caribbean)
Firm: Basham, Ringe Y Correa, S.C.
Contributor: Adolfo Athie
Updated 01 Mar 2022

What is the key legislation?
The key legislation in Mexico is the Federal Law on Protection of Personal Data Held by Private Parties and its regulations (private sector) and the General Law on Protection of Personal Data Held by Obligated Subjects (public sector).
Note:
The Federal Law on Protection of Personal Data Held by Private Parties (“Data Protection Law”) was published in July 2010 and regulates the processing of personal data by private entities or individuals. This law is federal, which means that it applies throughout the whole country.
In 2011 the Regulations of the Federal Law on Protection of Personal Data held by Private Parties were published, and in 2013 the Guidelines of the Privacy Notice were issued.
The Data Protection Law, its regulations and the guidelines form the Data Protection Legal Framework for the Private Sector. Such framework regulates the processing of personal data, defined as the collection, use, disclosure or storage of personal data by any means. Use covers any action of access, management, exploitation, transfer or disposal of personal data.
The public sector, on the other hand, is regulated by the General Law on Protection of Personal Data Held by Obligated Subjects (“General Law”), which was published in January 2017.
The General Law establishes only the general framework. Unlike the Data Protection Law, which applies directly nationwide, it is complemented by a law enacted by each state to regulate the processing of personal data held by the public agencies, or obligated subjects, of that state, in accordance with the General Law.
The General Law is similar to the Data Protection Law, and for the purposes of this guide, our answers will be based on the Data Protection Law, and only a few references to the General Law will be made.
What data is protected?
All personal data, which is all information concerning an identified or identifiable individual, is protected.
Note: All information concerning an identified or identifiable individual is considered personal data.
There is a special category of personal data, sensitive personal data, which is personal data that relates to the most intimate areas of a data subject's life, or whose misuse might lead to discrimination or involve a serious risk for the data subject. In particular, sensitive personal data is that which may reveal racial or ethnic origin, present and future health condition, genetic information, religious, philosophical and moral beliefs, union membership, political views and sexual orientation.
Who is subject to privacy obligations?
The Data Protection Law applies to all individuals and private legal entities. The General Law applies to all obligated subjects.
Note: The parties regulated under the Data Protection Law are private parties, individuals or legal entities that process personal data, except for (i) credit bureaus; and (ii) individuals that carry out the collection and storage of personal data exclusively for personal use, and without purposes of disclosure or commercial use.
The General Law regulates obligated subjects, which are the public agencies of the three levels of government (federal, state, including Mexico City, and municipal), as well as the autonomous constitutional bodies, political parties and public trusts.
What are the principles applicable to personal data processing?
Generally, personal data must be collected with the data subject's consent, unless one of the exceptions to consent applies, and only after a privacy notice has been made available to them. When collecting personal data, the data protection principles must also be observed (e.g. information, consent, proportionality, purpose limitation, data quality, legitimacy and accountability).
Note: Prior to collecting personal data, the data controller needs to make available to data subjects a privacy notice explaining the characteristics of the processing of their personal data. Such privacy notice must include the name and address of the data controller, personal data that is going to be processed, the purposes of the processing, data transfers to be made, information regarding means for data subjects to exercise their rights, etc.
Additionally, as a general rule consent from data subjects is needed in order to process their personal data. Written consent is necessary for the processing of sensitive personal data, explicit consent for the processing of financial data and implied consent for other categories of personal data.
Consent will not be necessary when:
- a law so provides;
- the data are contained in publicly available sources;
- the personal data are subject to a prior dissociation procedure;
- they have the purpose of fulfilling obligations under a legal relationship between the data subject and the data controller;
- there is an emergency situation that could harm an individual in his person or property; or
- the personal data is essential for medical attention, prevention, diagnosis, health care delivery, medical treatment or the management of health services, where the data subject is unable to give consent.
How is the processing of personal data regulated?
Personal data may only be used to fulfill the purposes of the processing, as stated in the privacy notice that was made available to data subjects.
Note: The use and disclosure of personal data must only be done in accordance with what is established in the privacy notice and personal data may only be processed in connection with clearly defined and legitimate objectives, as mentioned in the privacy notice made available to data subjects.
Additionally, the use and disclosure of personal data must comply with the data protection principles of proportionality, purpose limitation, legality, consent, information and loyalty. In particular, personal data may only be used for purposes that are necessary, appropriate, relevant and not excessive in connection with the purposes for which the personal data was collected. In addition, a data controller is obliged to make reasonable efforts to limit the personal data being processed to the minimum necessary.
How are storage, security and retention of personal data regulated?
Personal data must be kept only for as long as is needed to comply with the purposes of the processing. There must always be appropriate security measures to protect personal data from unauthorized use, access, disclosure or processing.
Note: In general, personal data may be kept or stored for as long as it is necessary to comply with the purposes of the processing, and after that, for a period equal to the statute of limitations of the actions that could arise as a result of, or in connection with, the data processing.
Once personal data is no longer necessary, it must be securely deleted.
Data controllers must establish and maintain organizational, technical and physical security measures to protect personal data against damage, loss, alteration, destruction or unauthorized use, access or processing.
Data controllers should adopt security measures similar to the ones that they use to protect their own information.
The risk, previous security incidents, the sensitivity of the personal data and the possible consequences for the data subjects, technological development and the amount of data must be taken into account when determining the security measures that will be in place.
What are the data subjects' rights?
Data subjects have the right to access and correct their personal data, as well as to ask for its deletion and to object to the processing of their personal data for specific purposes.
Note: Data subjects have the right to access, rectify and cancel their personal data, as well as to object to its processing (the so-called ARCO rights), to limit its use and disclosure, and to revoke the consent they have provided for the processing. In some situations, it may not be possible to exercise all of these rights.
Data controllers must include information in the privacy notice regarding the means that it has available for data subjects to exercise the mentioned rights, as well as information regarding what documentation or information the request to exercise a right must contain in order to be valid.
Upon receipt of a request from a data subject, the data controller has twenty business days to respond whether the request is granted or not. If the request is granted, the data controller then has a further fifteen business days to make it effective.
Are there restrictions on cross-border data transfers?
Data transfers from a data controller to another data controller require the data subject's consent (unless one of the exceptions applies). There are no restrictions based on location, meaning the same rules apply regardless of the country to which the data will be transferred.
Note: When the controller wants to transfer personal data to third parties different from the processor, consent must be obtained from the data subject, and the transfers must be done in terms of the privacy notice that was given to the data subject.
The controller must communicate the privacy notice and the objectives to which the data processing was subject to the third party, and the third party will assume the same obligations that are binding for the controller. This is done through a data transfer agreement.
The Data Protection Law establishes some exceptions under which transfers, national or international, can be carried out without the data subject's consent. These exceptions are the following:
- when the transfer is stated in law or in international treaties that are binding for Mexico;
- when the transfer is necessary for medical or sanitary purposes;
- when the transfer is carried out between subsidiaries or controlling companies, or to the parent company, or to any company from the same group that operates under the same processes and policies;
- when the transfer is necessary because of a contract concluded, or about to be concluded, between the controller and a third party in the data subject's interest;
- when the transfer is necessary or legally required for public interest or justice administration purposes;
- when the transfer is necessary in order to exercise or defend a right in a legal proceeding; and
- when the transfer is necessary in order to maintain or comply with a legal relationship between the controller and the data subject.
Are there any notification requirements for data breaches?
When a data breach that could materially affect the rights or property of data subjects occurs, it is mandatory to immediately notify the data subjects of the breach, so that they can take appropriate actions to protect themselves.
Note: Data controllers must inform the data subjects about the breaches that can significantly affect their rights or property, but first, they have to confirm that the breach has actually occurred, and the magnitude and scope of the breach. This must be done without delay so that the data subjects affected can take the appropriate measures to protect themselves or their rights.
The data protection authority does not need to be notified.
Who is the privacy regulator?
The National Institute of Transparency, Access to Information and Protection of Personal Data (INAI is its acronym in Spanish).
Note: The INAI is an autonomous body responsible for promoting and disseminating the right of access to public information and the right to data protection within governmental agencies and private parties. This body is committed to working with other federal, state and municipal authorities in order to promote data protection in different industries and sectors, such as the financial, educational and health sectors.
The INAI is also the competent authority to prosecute and sanction breaches to data protection and transparency laws and regulations.
What are the consequences of a privacy breach?
In addition to the notification requirement, the consequences may be the imposition of fines on the data controller or of imprisonment penalties on individuals who cause a security breach for profit.
Note: The first consequence is the obligation to notify, without delay, the data subject when a breach occurs, in the terms referred to before.
Then, an investigation could be initiated by INAI that may result in the imposition of a fine ranging from 100 to 320,000 units of account called UMA (Unidad de Medida y Actualización, whose value is updated annually). Currently, one UMA amounts to MXN 96.22 (approx. EUR 4.20), so at the exchange rate used at the time of writing fines range from approximately EUR 420 to EUR 1,341,000. If sensitive personal data was involved in the breach, the fine may be doubled.
Imprisonment may be imposed on any person who, with the intent of achieving an unlawful profit, causes a security breach.
How is electronic marketing regulated?
Marketing is considered a secondary purpose of the processing and, as such, the privacy notice must make clear that this purpose is voluntary, as well as the means available to opt out from receiving marketing communications.
Note: The privacy notice must inform data subjects that their personal data may be used for marketing purposes, and that such use is secondary or voluntary. Data controllers must provide a means to opt out from receiving marketing communications; such means can be included in the privacy notice itself (as tick boxes) or described in the privacy notice but provided elsewhere (such as an unsubscribe link). Marketing may therefore be done on an opt-out basis.
Are there any recent developments or expected reforms?
Mexico has acceded to Convention 108 and its Additional Protocol. Also, the United States, Canada and Mexico have agreed on a trade agreement that includes a chapter with provisions on the protection of personal data.
At the end of 2018, an amendment to several laws was proposed to the Senate. According to this proposal, the explicit consent of data subjects would be required to carry out marketing. The proposal was approved by the Senate but must still be discussed in the Chamber of Deputies before it can become law.
Note: Mexico acceded to Convention 108 and its Protocol in June 2018, and such international treaties entered into force for Mexico on October 1, 2018. Convention 108 will have an impact in Mexico, especially regarding trans-border data flows. It is possible that reforms to Mexican legislation on data protection take place in the future to fully match current legislation to the treaties of reference.
The United States, Canada and Mexico have agreed on a new Free Trade Agreement, the United States-Mexico-Canada Agreement ("USMCA"), that entered into force on July 1, 2020. This agreement includes, among others, provisions on cross-border data flows, corporate binding rules and data location. It is possible that reforms to Mexican legislation on data protection take place in the future in connection with this international agreement.
The proposed amendment regarding marketing practices has not been finally approved (it remains pending in the Chamber of Deputies) and does not seem to be a priority of the current government. Thus, it may be left pending indefinitely.