Pérez-Llorca México
What law(s) specifically govern personal data / information?
There are various laws and legal instruments in force, depending on whether the Controller is a private party or a regulated party (governmental entities or persons who receive governmental funds); the most important are the following:
- Private parties (jointly, the 'Mexican DPL'):
  - Federal Law on the Protection of Personal Data Held by Private Parties (the 'Law'). Due to the recent publication of this law, which replaced the one issued in 2010, new regulations and guidelines are expected but have yet to be issued; in the meantime, the regulations and privacy notice guidelines issued under the previous law are being used as good-practice references.
  - NOM-004-SSA3-2012 Mexican Official Standard (only when related to medical records) (the 'Medical Records Standard').
- Regulated parties:
  - General Law on the Protection of Personal Data Held by Regulated Parties.
  - Several state laws.
  - Data Protection for the Public Sector General Guidelines.
  - The Medical Records Standard.
The analysis herein shall focus solely on personal data held by private parties.
What are the key data protection principles in this jurisdiction?
The key principles that apply to data protection in Mexico are the following:
- Lawfulness: Personal data must be collected and processed lawfully in accordance with the law and other applicable legal provisions. Controllers must not obtain and process personal data through deceptive or fraudulent means, and must prioritise the protection of the data subject's interests and reasonable expectation of privacy.
- Consent: All personal data processing is subject to the data subject's consent, except for the exceptions provided by the law. Consent can be express or tacit, with financial or patrimonial data requiring express consent, and sensitive personal data requiring express written consent.
- Information: Controllers have the obligation to inform data subjects, through the privacy notice, about the existence and main characteristics of the processing to which their personal data will be subjected, so they can make informed decisions.
- Purpose: Data processing must be limited to fulfilling the purposes stated in the privacy notice. If the Controller intends to process data for a different purpose, new consent from the data subject must be obtained.
- Loyalty: Controllers must privilege the protection of data subjects' interests and reasonable expectation of privacy, understood as the trust that any person places in another regarding how their personal data will be processed according to what was agreed under the terms established by the law.
- Proportionality: Personal data processing must be necessary, adequate, and relevant in relation to the purposes stated in the privacy notice. For sensitive personal data, Controllers must make reasonable efforts to limit the processing period to the minimum necessary.
- Accountability: Controllers must ensure compliance with the personal data protection principles established by the law, adopting necessary and sufficient measures for their application, and guaranteeing that the privacy notice given to the data subject is respected at all times by them or by third parties with whom they have a legal relationship.
- Data Quality: Controllers must ensure that personal data in databases is accurate, complete, correct, and updated for the purposes for which they were collected. When personal data is no longer necessary for fulfilling the purposes stated in the privacy notice, it must be deleted after blocking, once the retention period concludes.
Additional key requirements include:
- Security Measures: Every Controller must establish and maintain administrative, technical, and physical security measures to protect personal data against damage, loss, alteration, destruction, or unauthorised use, access, or processing.
- Confidentiality: Controllers and processors must establish controls or mechanisms to ensure that all persons involved in any phase of personal data processing maintain confidentiality regarding such data. This obligation persists even after their legal relationship comes to an end.
- Accessibility Requirements: Privacy notices must be made available "through printed, digital, visual, audio formats or any other technology", ensuring Mexican data subjects can access information about how their data is processed.
What is the supervisory authority / regulator in charge of data protection?
Since March 2025, the supervising authority is the Anti-Bribery and Good Governance Ministry (Secretaría Anticorrupción y Buen Gobierno), an autonomous constitutional body, which replaced the now extinct INAI (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales).
Is there a requirement to register with a supervisory authority / regulator?
No.
Is there a requirement to notify the supervisory authority / regulator?
No.
Is it possible to register with / notify the supervisory authority / regulator online?
N/A
What are the key data subject rights under the data protection laws of this jurisdiction?
Data subjects have the following key rights: (i) revoke the consent they have granted for the processing of their personal data, at any time; and (ii) access, rectify, cancel or oppose the use of their personal data in possession of the Controller, which are referred to as ARCO (for their acronym in Spanish) rights, and are described in the Mexican DPL, in general terms, as follows:
- Access: data subjects have the right to access their personal data in a Controller's possession.
- Rectification: data subjects have the right to request a Controller to modify their personal data.
- Cancellation: data subjects have the right to request a Controller to stop processing their personal data, partially or in its totality.
- Opposition: data subjects have the right to oppose the processing of their personal data by a Controller when:
  - There exists a legitimate cause and the data subject's specific situation requires it, which must justify that, even though the processing is lawful, it should cease to prevent persistent harm or prejudice to the data subject.
  - Personal data is subject to automated processing that produces unwanted legal effects or significantly affects the data subject's interests, rights, or freedoms, particularly when used to evaluate personal aspects without human intervention, or to analyse or predict professional performance, economic situation, health status, sexual preferences, reliability, or behaviour.
  This right of opposition cannot be exercised when the data processing is necessary to fulfil a legal obligation imposed on the Controller.
Is there a requirement to appoint a data protection officer (or equivalent)?
Yes, all Controllers must appoint a person or a department that shall be responsible for the procedures regarding personal data and for implementing good data protection practices within the entity, pursuant to the Mexican DPL.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
An impact assessment is not mandatory for private parties (it is for regulated parties); however, private parties may still choose to conduct voluntary privacy impact assessments as a best practice to ensure compliance with the law's principles and requirements.
Pursuant to the Mexican DPL, Controllers have the possibility but not the obligation to implement a binding self-regulation procedure, which should include a data protection impact assessment.
Does this jurisdiction have any specific data breach notification requirements?
Yes, pursuant to the Mexican DPL, when there is a breach that significantly affects the patrimonial or moral rights of data subjects, the Controller has the obligation to inform all data subjects of such breach: (i) as soon as possible; (ii) once the Controller has material information about the event; and (iii) once the personal data involved in such breach is no longer exposed.
The Controller needs to inform, at least, the following:
- Description of the event;
- Personal data involved;
- Recommendations to the data subjects;
- Corrective actions taken by Controller; and
- How to get more information.
Mexican DPL does not currently require notification to the authority in the event of a data breach; however, it is considered a mitigating factor by the authority in case of an investigation. There are bills introduced and pending discussion that would add this obligation to the Mexican DPL.
What restrictions apply to the international transfer of personal data / information?
The Mexican DPL explicitly restricts the transfer of personal data out of the jurisdiction without the consent of the data subject.
The following requirements need to be met for Controllers to be able to transfer personal data out of the jurisdiction, per the Mexican DPL:
- (a) Obtain consent from data subjects to transfer their personal data, as follows:
  - (i) the data subject must be informed of the transfer in the Controller's privacy notice, detailing to whom the data will be transferred (specifying the recipient by name, sector or industry) and for what purposes the data will be transferred;
  - (ii) the privacy notice must include a section that allows the data subjects to express their tacit, express, or written consent (depending on the type of data to be transferred) thereto, except in some instances set forth in the law where no consent is required to transfer personal data to third parties; and
  - (iii) the transfer must be limited to the purposes that justify it, as consented by the data subject.
- (b) Sign a Transfer Agreement (or a document containing similar provisions) between the Controller and the recipient, which must include the following:
  - (i) a provision in which the recipient assumes the same obligations the Controller has under the Mexican DPL;
  - (ii) a copy of the privacy notice pursuant to which the data subjects consented to the processing of their personal data; and
  - (iii) any additional conditions imposed by the data subjects when consenting to the processing of their personal data.
The Controller can comply with points b.ii. and b.iii. through other means, as long as evidence thereof is preserved.
Furthermore, it is important to note that the Mexican DPL distinguishes between the above-mentioned transfers (to third parties that become Controllers) and 'transmissions' (remisiones), which the law defines as the communication of personal data between a Controller and its processor. Although transmissions need not be notified to data subjects, both transfers and transmissions must comply with specific requirements set forth by law.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
The Mexican DPL has extraterritorial application only in very limited cases; as a general rule, it does not apply to Controllers that process personal data outside of Mexican territory. It applies to all personal data processing activities that occur within Mexican borders, regardless of the nationality of the Controller or of the data subjects involved.
Controllers located outside Mexico become subject to certain obligations when they receive personal data from Mexican Controllers:
- When a Mexican Controller transfers data to a foreign third party, the third-party recipient assumes the same obligations that correspond to the Controller who transferred the data, and must be informed of the privacy notice and of the purposes for which the data subject authorised the processing.
- They must comply with the limitations and purposes specified in the original privacy notice, apply the same level of protection as required under Mexican law, and facilitate the exercise of ARCO rights (access, rectification, cancellation, and opposition).
The practical enforcement of these obligations against foreign Controllers remains limited, relying primarily on contractual mechanisms and international cooperation rather than direct regulatory action.
What rules specifically deal with marketing?
As Controllers under the Mexican DPL:
- Must inform data subjects of the purpose for acquiring and processing their personal data, including direct marketing, by providing them with a privacy notice that needs to comply with specific requirements set forth in the Mexican DPL.
- If the Controller uses a data subject's personal data for marketing purposes, the Controller must implement a mechanism that allows the data subject to reject the use of their information for such purpose, which should be described in the applicable privacy notice and available to data subjects as of the moment the Controller provides the data subject its privacy notice (the 'Opt-out Mechanism'). This mechanism could provide data subjects with the option to send an email to the Controller rejecting the use of personal data for marketing purposes, or through a checkbox that allows data subjects to opt out of receiving marketing communications.
- The processing must be necessary, adequate, and relevant in relation to the purposes specified in the privacy notice. This means marketing activities cannot involve excessive data collection beyond what is reasonably necessary for the stated marketing purposes.
As a supplier under the Federal Consumer Protection Law (Ley Federal de Protección al Consumidor, the 'LFPC'), the following obligations exist:
- If so required by consumers, to inform them of the information the supplier has in its databases of such consumers.
- Publicity sent to consumers by suppliers must include the name, address, telephone number, or email, of the supplier and the contact data of the Federal Consumer Protection Agency (Procuraduría Federal de Protección al Consumidor, 'PROFECO').
- PROFECO administers the Public Consumer Registry (Registro Público de Consumidores, the 'REPEP'), where consumers who do not want to receive publicity can register their phone number and, per a very recent legal reform to the LFPC Regulations that has yet to be implemented by PROFECO, their email. PROFECO provides suppliers access to this list. Per the LFPC, suppliers and marketing companies must not send advertising to persons who have expressed that they do not want to receive publicity and those who are registered in the REPEP.
- Suppliers must avoid misleading advertising in publicity or any other misleading information in connection with their services, products, and/or goods.
Do different rules apply to business-to-business and business-to-consumer marketing?
Mexican DPL only applies to business-to-consumer marketing, as it only regulates the personal data of individuals.
The LFPC only applies to business-to-consumer marketing.
What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?
The Mexican DPL and the LFPC do not distinguish between marketing and electronic marketing.
What rules specifically deal with cookies?
As soon as the data subject comes into contact with any system that uses remote electronic mechanisms or any technology that automatically collects personal data (for example, but not limited to, cookies), the Controller needs to inform the data subject, by means of a banner, of such use and of how to disable those mechanisms.
Moreover, the privacy notice shall include which personal information the Controller will collect by using such technologies.
What are the consequences of non-compliance with data protection laws (including marketing laws)?
Sanctions for infractions of the Mexican DPL range from a simple order to comply to fines from approximately USD$470 to USD$2,069,000, which can be increased in the event of recidivism and doubled if they involve sensitive personal data, up to a maximum of USD$4,138,000. These sanctions are imposed without prejudice to any civil or criminal liabilities that result from the applicable infraction.
Moreover, imprisonment of three months to five years can be imposed if a Controller, seeking profit, causes a security breach in its Personal Data database, or if someone, through deception, acquires or processes Personal Data for profit.
In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction without being located there?
If personal data is to be collected, processed, and stored in Mexico, the Controller may be subject to Mexican DPL. In such regard, the Controller will need to have a privacy notice in Spanish that complies with Mexican DPL, which has requirements unique to our jurisdiction.
It is important to note that pursuant to the Mexican DPL, prior to collecting and processing personal data, consent must be obtained.
In Mexico, consent is the only lawful basis for processing personal data, with certain exceptions set forth by law. Data subjects can provide such consent explicitly, verbally, in writing, electronically, or through any other technological means available, or tacitly, if the Data Subject has 'access' to a privacy notice and no opposition is expressed. A Controller who processes financial information or any other information related to a person's patrimony requires explicit consent. Meanwhile, a Controller who processes sensitive personal data shall require explicit and written consent, through a handwritten signature, digital signature or other identification procedure. All other personal data may be processed with the data subject's tacit consent.
What upcoming data protection developments should multinational organisations be aware of?
The promulgation of the regulations and guidelines for the new law is expected. However, no material changes are anticipated from the previous ones.