González Calvillo, S.C.
The following law(s) specifically govern personal data / information:
There are various laws and legal instruments in force, depending if the Controller is a private party or a regulated party (governmental entities or persons who receive governmental funds); the most important are the following:
- Private parties (jointly, the “Mexican DPL”):
- Federal Law on the Protection of Personal Data Held by Private Parties (the “Law”);
- The Law’s Regulations (the “DPL Regulations”); and
- Privacy Notice Guidelines (Lineamientos del Aviso de Privacidad) (the “Guidelines”)
- Regulated parties:
- General Law on the Protection of Personal Data Held by Regulated Parties.
- Several state laws.
- Data Protection for the Public Sector General Guidelines.
The analysis herein shall focus solely on personal data held by private parties.
The key data protection principles in this jurisdiction are:
The key principles that apply to data protection in Mexico are the following:
- Legality: Controllers must ensure that processing complies with the provisions of the applicable Mexican and international law.
- Consent: Controllers must obtain consent for the processing of personal data unless it is not required under the law; the request for consent shall refer to a specific purpose(s) set forth in the Controller’s privacy notice.
- Information: Controllers must provide data subjects with the applicable privacy notice, which should include, among other things, the personal data that the Controller will process and the purposes thereof.
- Purpose: The processing of personal data must be limited to the fulfilment of the purposes set out in the privacy notice.
- Loyalty: When processing personal data, Controllers must give priority to the protection of the data subject and the reasonable expectation of their privacy.
- Proportionality: Controllers may only process personal data that is necessary, appropriate, and relevant to the fulfilment of the purposes for which the personal data is obtained.
- Accountability: Controllers must protect, and are responsible for, the processing of personal data when such information: (i) is in the custody or in the possession of the Controller; and (ii) is communicated to a Processor, whether or not the Processor is located in Mexico. Controllers must determine the standards, policies, practices, or any other mechanisms that are adequate for such purpose.
The supervisory authority / regulator in charge of data protection is:
National Institute of Transparency, Access to Information and Protection of Personal Data (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales, INAI).
Is there a requirement to register with a supervisory authority / regulator?
Is there a requirement to notify the supervisory authority / regulator?
Is it possible to register with / notify the supervisory authority / regulator online?
The key data subject rights under the data protection laws of this jurisdiction are:
Data subjects have the following key rights: (i) to revoke the consent they have granted for the processing of their personal data, at any time; and (ii) to access, rectify, cancel or oppose the use of their personal data in the possession of the Controller, which are referred to as ARCO rights and are described in the Mexican DPL, in general terms, as follows:
- Access: data subjects have the right to access their personal data in a Controller’s possession.
- Rectification: data subjects have the right to request a Controller to modify their personal data.
- Cancellation: data subjects have the right to request a Controller to stop processing their personal data, partially or in its totality.
- Opposition: data subjects have the right to oppose the processing of their personal data by a Controller for specific purposes.
Is there a requirement to appoint a data protection officer (or equivalent)?
Yes, all Controllers must appoint a data protection officer or a data protection department who shall be responsible for the procedures regarding personal data and for the implementation of good data protection practices within the entity, pursuant to the Mexican DPL.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
An impact assessment is not mandatory for private parties (it is for regulated parties); however, the INAI considers it as a good practice.
Pursuant to the Mexican DPL, Controllers have the possibility but not the obligation to implement a binding self-regulation procedure which should include a data protection impact assessment. In such regard, the INAI has published the Guide for the Preparation of Privacy Impact Assessments (Guía para la elaboración de evaluaciones de impacto a la privacidad).
Does this jurisdiction have any specific data breach notification requirements?
Yes, pursuant to the Mexican DPL when there is a breach, the Controller has the obligation to inform all data subjects of such breach: (i) as soon as possible; (ii) once the Controller has material information of the event; and (iii) when there is no more exposure of the personal data involved in such breach.
The Controller needs to inform, at least, the following:
- Description of the event;
- Personal data involved;
- Recommendations to the data subjects;
- Corrective actions taken by Controller; and
- How to get more information.
The Mexican DPL does not currently include an obligation to notify the INAI in case of a data breach. Bills have been introduced, and are pending discussion, that would add this obligation to the Mexican DPL.
The following restrictions apply to the international transfer of personal data / information:
The Mexican DPL specifically restricts the transfer of personal data out of the jurisdiction.
The following requirements need to be met for Controllers to be able to transfer personal data out of the jurisdiction, per the Mexican DPL:
1. Obtain consent from data subjects to transfer their personal data, per the following:
   a. the data subject must be informed of the transfer in the Controller’s privacy notice, detailing to whom the data will be transferred (specifying the recipient by name, sector or industry) and for what purposes the data will be transferred;
   b. the privacy notice must include a section that allows the data subjects to express their tacit, express or written consent (depending on the type of data to be transferred) thereto, except in certain cases set forth in the law, where no consent is required to transfer personal data to third parties; and
   c. the transfer must be limited to the purposes that justify it, as consented by the participants.
2. The Controller and the recipient must sign a Transfer Agreement (or a document containing similar provisions), which must include the following:
   a. a provision in which the recipient assumes the same obligations the Controller has under the Mexican DPL;
   b. a copy of the privacy notice pursuant to which the participants consented to the processing of their personal data; and
   c. any additional conditions imposed by the data subjects when consenting to the processing of their personal data.
*The Controller can comply with points 2.b and 2.c through other means, as long as evidence thereof is kept.
Furthermore, it is important to note that the Mexican DPL differentiates between the above-mentioned transfers and “transmissions” (remisiones), which the law defines as the communication of personal data between a Controller and its Processor. Although data subjects need not be informed of transmissions, both transfers and transmissions must comply with certain requirements set forth by law.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
The Mexican DPL has an extraterritorial application in very limited cases; this means that it is not applicable to Controllers that process personal data outside of the Mexican territory, except in the events set forth in article 4 of the Law’s Regulations, which states that the Mexican DPL applies to personal data processing when:
- it is carried out in an establishment of the Controller located in Mexican territory;
- it is carried out by a processor, regardless of the processor’s location, if the processing is performed on behalf of a Mexican Controller;
- Mexican law is applicable as a consequence of international law or of the execution of a contract, even if the Controller is not located in Mexico; or
- the Controller is not located in Mexican territory but uses means/resources located in Mexico to process Personal Data, unless such means are used exclusively for transit purposes.
The following rules specifically deal with marketing:
- As Controllers under the Mexican DPL, the following obligations exist:
- Controllers must inform data subjects of the purpose for acquiring and processing their personal data, including direct marketing, by providing them with a privacy notice that complies with the specific requirements set forth in the Mexican DPL.
- If the Controller uses a data subject’s personal data for marketing purposes, the Controller must implement a mechanism that allows the data subject to reject the use of their information for such purpose; this mechanism must be described in the applicable privacy notice and be available to data subjects from the moment the Controller provides them with its privacy notice (the “Opt-out Mechanism”). This mechanism could consist of giving the data subject the option to send an email to the Controller rejecting the use of their personal data for marketing purposes, or of a checkbox that allows data subjects to opt out of receiving marketing communications.
- As suppliers under the Federal Consumer Protection Law (Ley Federal de Protección al Consumidor, the “LFPC”), the following obligations exist:
- If so required by consumers, suppliers must inform them of the information the supplier holds about them in its databases.
- Publicity sent to consumers by suppliers must include the name, address, and telephone number (or alternatively email) of the supplier, and the contact data of the Federal Consumer Protection Agency (Procuraduría Federal de Protección al Consumidor, “PROFECO”).
- PROFECO administers the Public Consumer Registry (Registro Público de Consumidores, the “REPEP”), where consumers who do not want to receive publicity can register their phone number and, per a very recent legal reform to the LFPC Regulations that has yet to be implemented by PROFECO, their email. PROFECO provides suppliers with access to this list. Per the LFPC, suppliers and marketing companies must not send advertising to persons who have expressed that they do not want to receive publicity or who are registered in the REPEP.
- Suppliers must avoid misleading advertising in publicity, or any other misleading information, in connection with their services, products and/or goods.
Do different rules apply to business-to-business and business-to-consumer marketing?
Mexican DPL only applies to business-to-consumer marketing, as it only regulates personal data of individuals.
The LFPC only applies to business-to-consumer marketing.
The following rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc):
The Mexican DPL and the LFPC do not make any distinctions between marketing and electronic marketing.
The following rules specifically deal with cookies:
As soon as the data subject comes into contact with any system that uses remote electronic mechanisms or any technology that automatically collects personal data (for example, but not limited to, cookies), the Controller must inform the data subject, by means of a banner, of such use and of how to disable them.
Moreover, the privacy notice shall include what personal information the Controller will collect by using such technologies.
The consequences of non-compliance with data protection laws (including marketing laws) are:
Sanctions for infractions of the Mexican DPL range from mere compliance orders to fines from approximately USD$470 to USD$1,502,000, which can be increased in the event of repeated violations. These sanctions are imposed without prejudice to any civil or criminal liabilities that result from the applicable infraction.
Moreover, imprisonment of three months to five years can be imposed if a Controller, seeking profit, causes a security breach in its Personal Data database, or if someone, through deception, acquires or processes Personal Data for such purpose. These sanctions will be increased in the event of recidivism and will be doubled for Sensitive Personal Data.
In broad terms, multinational organisations should be aware of the following key factors if they process personal data / information from individuals within this jurisdiction, without being located there:
If personal data is to be collected, processed and stored in Mexico, the Controller may be subject to Mexican DPL. In such regard, the Controller will need to have a privacy notice that complies with Mexican DPL, which has requirements unique to our jurisdiction.
It is important to consider that pursuant to the Mexican DPL, prior to collecting and processing personal data, consent must be obtained.
In Mexico, consent is the only lawful basis for processing personal data, with certain exceptions set forth by law. Data subjects can provide such consent explicitly (verbally, in writing, electronically or through any other available technological means) or tacitly, if the data subject has “access” to a privacy notice and expresses no opposition. A Controller who processes financial information, or any other information related to a person’s patrimony, requires explicit consent; a Controller who processes sensitive personal data requires explicit and written consent, through a handwritten signature, digital signature or other identification procedure. All other personal data may be processed with the data subject’s tacit consent.
Multinational organisations should be aware of the following upcoming data protection developments:
Andrés Manuel López Obrador, President of Mexico, has mentioned on several occasions, his wish to abolish the INAI. It is still unclear who would be the new regulator in the event the institute is abolished.
There is a clear intention by the current government to regulate the Internet, and this will probably result, at least, in cybersecurity legislation.
Separately, several bills have been introduced to the Mexican Congress (and pending discussion) on data privacy related items such as the obligation to notify the INAI in case of a data breach, and also to expand the applicability of the Mexican DPL to foreign data controllers indirectly processing data in Mexico through affiliates or third parties.