Data protection in Mexico: overview

A Q&A guide to data protection in Mexico.

This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.

To compare answers across multiple jurisdictions, visit the Data protection Country Q&A tool.

This article is part of the multi-jurisdictional guide to data protection. For a full list of contents, please visit

Roberto Arochi, Arochi Marroquí­n & Lindner, SC



1. What national laws regulate the collection and use of personal data?

The Mexican House of Deputies and the Senate passed the Bill for the Federal Law for the Protection of Personal Data in Possession of Private Persons (Personal Data Protection Law) in April 2010, and it was published on 5 July 2010 in the Official Gazette of the Federation.

Personal data stored and handled by the federal government is regulated by the Federal Law for Information Access and Government Transparency. The Regulations to the Personal Data Protection Law have not yet been published.

Scope of legislation

2. To whom do the laws apply?

The Personal Data Protection Law applies to any private person who stores and handles personal data for commercial exploitation and use.

3. What data is regulated?

The Personal Data Protection Law regulates personal data and sensitive personal data.

4. What acts are regulated?

The principal acts regulated by the Personal Data Protection Law are the:

  • Treatment of personal data and sensitive personal data.

  • Consent that any persons must provide about the use and destination of his personal data or sensitive personal data.

  • Blocking of any action that might endanger personal data or sensitive personal data.

  • Destruction of the stored personal data and sensitive personal data.

5. What is the jurisdictional scope of the rules?

The Personal Data Protection Law relates to all data protection issues occurring in Mexico, regarding the private sector.

Personal data protection proceedings and legal enforcement on data protection are handled by the Federal Institute for Information Access and Data Protection (Instituto federal de acceso a la información pública) (IFIA) (see box, The regulatory authority).

6. What are the main exemptions (if any)?

The Personal Data Protection Law does not apply to:

  • Credit information societies.

  • Any private person who stores and handles personal data without the intent to commercially exploit or use that data.


7. Is notification or registration required before processing data?

The controller of the personal data, or sensitive personal data, must issue a privacy notification to the person whose data will be processed. The notification must contain the:

  • Identity and address of the data processor.

  • Data processing objectives.

  • Options and means by which the processor will protect against any unlawful disclosure of the personal data.

  • Means by which the data subject(s) can exercise their right to:

    • access the data;

    • correct the data;

    • cancel the data; or

    • oppose the data's disclosure.

  • Details of any data transfers that will be done.


Main data protection rules and principles

Main obligations and processing requirements

8. What are the main obligations imposed on data controllers to ensure data is processed properly?

The main obligations imposed on data controllers are to:

  • Conduct their activity in a lawful way.

  • Obtain the consent of any individual whose personal data will be processed.

  • Inform any individual whose personal data will be processed.

  • Check that the personal data to be processed is correct and updated.

  • Delete the personal data when it has been used for the purposes contained in the privacy notification.

9. Is the consent of data subjects required before processing personal data?

Express or tacit consent must be obtained from any individual whose personal data will be processed. Written or online consent is permitted.

No special provision exists for consent by minors.

10. If consent is not given, on what other grounds (if any) can processing be justified?

If a person does not respond to the privacy notification, tacit consent is presumed (Personal Data Protection Law).


Special rules

11. Do special rules apply for certain types of personal data, such as sensitive data?

Mandatory express consent must be obtained from any person whose sensitive data will be processed. Written or online consent is permitted.


Rights of individuals

12. What information should be provided to data subjects at the point of collection of the personal data?
13. What other specific rights are granted to data subjects?

There are no other specific rights granted to data subjects.

14. Do data subjects have a right to request the deletion of their data?

Data subjects do have a right to ask the data controller to delete their data.


Security requirements

15. What security requirements are imposed in relation to personal data?

Security measures must be taken through administrative, physical and technical means (Personal Data Protection Law). The data controller must adopt the pertinent measures to guarantee that the security of the data remains paramount, and that the data subjects' interests and their reasonable expectation of privacy are respected.

Among the measures that must be adopted by the data controller, the following matters must, as a minimum, be implemented:

  • Develop mandatory and executable privacy policies and programmes for any organisation or enterprise.

  • Put into practice a training, updating and awareness programme for the employees concerning their obligations relating to personal data protection matters.

  • Establish an inner surveillance and supervision system and external audits in order to check that the privacy policies are being complied with.

  • Allocate resources for the implementation of privacy programmes and policies.

  • Have in place procedures to handle any risk to personal data protection when new products, services, technologies and business methods are implemented (including having in place procedures to mitigate such a risk).

  • Periodically review the security policies and programmes in order to determine any necessary modifications to those policies and programmes.

  • Establish procedures for receiving and responding to questions or complaints from data subjects.

  • Have in place mechanisms to ensure privacy policies and programmes are complied with. These mechanisms must include sanctions for non-compliance with these policies and programmes.

  • Establish the measures for securing personal data, which should consist of a a set of technical and administrative actions which allow the data controller to guarantee compliance with its legal obligations.

  • Establish measures for tracking personal data, which includes implementing technical actions, measures and procedures for tracking personal data whilst it is being utilised.

The data controller (or data manager) must establish and maintain the technical, administrative and physical security measures for the protection of personal data, and these security measures must be independent from the systems used to handle the data.

The security measures can be handled either:

  • By the data controller.

  • By a third party hired for the purpose.

The data controller will determine the applicable security measures for the personal data, taking into consideration the following factors:

  • The inherent risks depending on the type of personal data.

  • The sensitivity of the personal data.

  • Technological development.

  • The potential consequences for the data subjects in the event of a security breach.

Additionally, the data controller must consider taking into account the following matters:

  • The number of data subjects.

  • Any previous vulnerabilities that may have been present whilst the data was being utilised.

  • Any risk derived from the potential qualitative or quantitative value that the personal data may have to any unauthorised third party.

  • Any other factors which may be relevant to the level of risk applicable to the data, or that may result in the infringement of other laws.

In order to establish and maintain the security of personal data, the data controller must also consider the following actions:

  • Developing an inventory of personal data and of the systems that contain the data.

  • Fixing the functions and obligations of the persons in charge of protecting the data.

  • Conducting a risk analysis of the personal data, in order to identify any dangers and estimate any risks to the personal data.

  • Establishing the security measures that will be applicable to the personal data.

  • Conducting gap analysis to evaluate the existing security measures and identify any missing measures that will need to be implemented.

  • Compiling a working plan to implement any missing security measures that were identified in the gap analysis.

  • Conducting appropriate reviews and audits.

  • Training all personnel in charge of the protection of personal data.

  • Registering the means of storing the personal data.

16. Is there a requirement to notify personal data security breaches to data subjects or the national regulator?

The Personal Data Protection Law requires that data subjects be notified when data security breaches occur.


Processing by third parties

17. What additional requirements (if any) apply where a third party processes the data on behalf of the data controller?

If a third party processes data on a data controller's behalf, the data subjects must be notified. The processing must still be performed in accordance with the original privacy notification. The third party is also subject to confidentiality obligations in respect of the personal data.


Electronic communications

18. Under what conditions can data controllers store cookies or equivalent devices on the data subject's terminal equipment?

There are no provisions regarding the storage of cookies or equivalent devices on data subjects' terminal equipment in Mexican law.

19. What requirements are imposed on the sending of unsolicited electronic commercial communications (spam)?

There are no provisions imposing requirements on the sending of unsolicited electronic commercial communications in Mexican law.


International transfer of data

Transfer of data outside the jurisdiction

20. What rules regulate the transfer of data outside your jurisdiction?

International transfer of data is permitted by law, but does not require any special provisions.


Data transfer agreements

21. Are data transfer agreements contemplated or in use? Have any standard forms or precedents been approved by national authorities?

There are no data transfer agreements contemplated or in use.

22. Is a data transfer agreement sufficient to legitimise transfer, or must additional requirements (such as the need to obtain consent) be satisfied?

The data transfer agreement is sufficient to legitimise data transfer.

23. Does the relevant national regulator need to approve the data transfer agreement?

Approval by a regulator is not required by federal law.


Enforcement and sanctions

24. What are the enforcement powers of the national regulator?

The IFIA (see box, The regulatory authority) is in charge of conducting data protection, data verification and sanctions proceedings.

Attempts to annul a resolution by the IFIA can be made through an annulment trial at the Federal Court for Tax and Administrative Justice. Failing that, a writ (amparo) can be filed against the Federal Court at the Federal Circuit Courts. Criminal offences related to data protection are handled by federal judges.

25. What are the sanctions and remedies for non-compliance with data protection laws?

The sanctions for non-compliance are mainly economic fines, although the Personal Data Protection Law also includes criminal offences regarding both:

  • Security breaches caused by the data controller.

  • Obtaining personal data for personal gain through deceit.

Infringements of the Personal Data Protection Law are punishable by the following:

  • A warning for the infringer to carry out the actions requested by the data subject, following the Personal Data Protection Law.

  • Fines ranging from 100 days to 320,000 days of the current daily minimum wage (MXN5,982 to MXN19,142,400) in the Federal District. (As at 1 March 2012, US$1 was about MXN12.8.) If the infringements relate to the processing of sensitive information, the penalties can increase by up to two times the established amount.

  • If the infringements repeatedly continue, an additional fine can be imposed, again ranging from 100 days to 320,000 days of the current daily minimum wage in the Federal District.

  • When a personal data controller causes a security breach in its database for profit, this is punishable by a prison term ranging from three months to three years.

  • A person who, for improper gain, processes personal data by deceit, taking advantage of confusion or a mistake by the data subject or data controller, can be punished by a prison term ranging from six months to five years. If this offence concerns sensitive personal data, the penalties can be doubled.


The regulatory authority

Federal Institute for Information Access and Data Protection (Instituto Federal de Acceso a la Información y Proteccion de Datos) (IFIA)


Main areas of responsibility. The IFIA has the following areas of responsibility:

  • Promoting personal data protection rights.

  • Verifying compliance with the Federal Law for Protection of Personal Data in Possession of Private Persons.

  • Setting quality standards for data protection treatments and measures.

  • Conducting data protection enforcement, data verification and sanctions proceedings.

Contributor details

Roberto Arochi

Arochi, Marroquín & Lindner, SC

T +52 55 5095 2050
F +52 55 5095 2028

Areas of practice. IP; advertising law; administrative law; trade marks; copyrights; patents; unfair competition; domain names.

{ "siteName" : "PLC", "objType" : "PLC_Doc_C", "objID" : "1247371313039", "objName" : "Data protection in Mexico overview", "userID" : "2", "objUrl" : "", "pageType" : "Resource", "academicUserID" : "", "contentAccessed" : "true", "analyticsPermCookie" : "2-78747d6c:15041e7c073:57fa", "analyticsSessionCookie" : "2-78747d6c:15041e7c073:57fb", "statisticSensorPath" : "" }