A Q&A guide to data protection in Mexico.
This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.
To compare answers across multiple jurisdictions, visit the Data protection Country Q&A tool.
This article is part of the PLC multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.
The Mexican House of Deputies and the Senate passed the Bill for the Federal Law for the Protection of Personal Data in Possession of Private Persons (Personal Data Protection Law) in April 2010, and it was published on 5 July 2010 in the Official Gazette of the Federation.
Personal data stored and handled by the federal government is regulated by the Federal Law for Information Access and Government Transparency. The Regulations to the Personal Data Protection Law have not yet been published.
The Personal Data Protection Law applies to any private person who stores and handles personal data for commercial exploitation and use.
The Personal Data Protection Law regulates personal data and sensitive personal data.
The principal acts regulated by the Personal Data Protection Law are the:
Treatment of personal data and sensitive personal data.
Consent that any person must provide regarding the use and destination of their personal data or sensitive personal data.
Blocking of any action that might endanger personal data or sensitive personal data.
Destruction of the stored personal data and sensitive personal data.
The Personal Data Protection Law relates to all data protection issues occurring in Mexico, regarding the private sector.
Personal data protection proceedings and legal enforcement on data protection are handled by the Federal Institute for Information Access and Data Protection (Instituto federal de acceso a la información pública) (IFIA) (see box, The regulatory authority).
The Personal Data Protection Law does not apply to:
Credit information societies.
Any private person who stores and handles personal data without the intent to commercially exploit or use that data.
The controller of the personal data, or sensitive personal data, must issue a privacy notification to the person whose data will be processed. The notification must contain the:
Identity and address of the data processor.
Data processing objectives.
Options and means by which the processor will protect against any unlawful disclosure of the personal data.
Means by which the data subject(s) can exercise their right to:
access the data;
correct the data;
cancel the data; or
oppose the data's disclosure.
Details of any data transfers that will be made.
The main obligations imposed on data controllers are to:
Conduct their activity in a lawful way.
Obtain the consent of any individual whose personal data will be processed.
Inform any individual whose personal data will be processed.
Check that the personal data to be processed is correct and updated.
Delete the personal data once it has served the purposes stated in the privacy notification.
Express or tacit consent must be obtained from any individual whose personal data will be processed. Written or online consent is permitted.
No special provision exists for consent by minors.
If a person does not respond to the privacy notification, tacit consent is presumed (Personal Data Protection Law).
Mandatory express consent must be obtained from any person whose sensitive data will be processed. Written or online consent is permitted.
See Question 7.
There are no other specific rights granted to data subjects.
Data subjects do have a right to ask the data controller to delete their data.
Security measures must be taken through administrative, physical and technical means (Personal Data Protection Law). The data controller must adopt the pertinent measures to guarantee that the security of the data remains paramount, and that the data subjects' interests and their reasonable expectation of privacy are respected.
Among the measures that must be adopted by the data controller, the following matters must, as a minimum, be implemented:
Develop mandatory and executable privacy policies and programmes for any organisation or enterprise.
Put into practice a training, updating and awareness programme for the employees concerning their obligations relating to personal data protection matters.
Establish an internal monitoring and supervision system, together with external audits, to check that the privacy policies are being complied with.
Allocate resources for the implementation of privacy programmes and policies.
Have in place procedures to handle any risk to personal data protection when new products, services, technologies and business methods are implemented (including having in place procedures to mitigate such a risk).
Periodically review the security policies and programmes in order to determine any necessary modifications to those policies and programmes.
Establish procedures for receiving and responding to questions or complaints from data subjects.
Have in place mechanisms to ensure privacy policies and programmes are complied with. These mechanisms must include sanctions for non-compliance with these policies and programmes.
Establish the measures for securing personal data, which should consist of a set of technical and administrative actions that allow the data controller to guarantee compliance with its legal obligations.
Establish measures for tracking personal data, which includes implementing technical actions, measures and procedures for tracking personal data while it is in use.
The data controller (or data manager) must establish and maintain the technical, administrative and physical security measures for the protection of personal data, and these security measures must be independent of the systems used to handle the data.
The security measures can be handled either:
By the data controller.
By a third party hired for the purpose.
The data controller will determine the applicable security measures for the personal data, taking into consideration the following factors:
The inherent risks depending on the type of personal data.
The sensitivity of the personal data.
The potential consequences for the data subjects in the event of a security breach.
Additionally, the data controller must take into account the following matters:
The number of data subjects.
Any vulnerabilities that were previously present while the data was in use.
Any risk derived from the potential qualitative or quantitative value that the personal data may have to any unauthorised third party.
Any other factors which may be relevant to the level of risk applicable to the data, or that may result in the infringement of other laws.
In order to establish and maintain the security of personal data, the data controller must also consider the following actions:
Developing an inventory of personal data and of the systems that contain the data.
Defining the functions and obligations of the persons in charge of protecting the data.
Conducting a risk analysis of the personal data, in order to identify any dangers and estimate any risks to the personal data.
Establishing the security measures that will be applicable to the personal data.
Conducting gap analysis to evaluate the existing security measures and identify any missing measures that will need to be implemented.
Compiling a working plan to implement any missing security measures that were identified in the gap analysis.
Conducting appropriate reviews and audits.
Training all personnel in charge of the protection of personal data.
Recording the means by which the personal data is stored.
The Personal Data Protection Law requires that data subjects be notified when data security breaches occur.
If a third party processes data on a data controller's behalf, the data subjects must be notified. The processing must still be performed in accordance with the original privacy notification. The third party is also subject to confidentiality obligations in respect of the personal data.
There are no provisions regarding the storage of cookies or equivalent devices on data subjects' terminal equipment in Mexican law.
There are no provisions imposing requirements on the sending of unsolicited electronic commercial communications in Mexican law.
International transfer of data is permitted by law, but does not require any special provisions.
There are no data transfer agreements contemplated or in use.
The data transfer agreement is sufficient to legitimise data transfer.
Approval by a regulator is not required by federal law.
The IFIA (see box, The regulatory authority) is in charge of conducting data protection, data verification and sanctions proceedings.
A resolution by the IFIA can be challenged through an annulment trial at the Federal Court for Tax and Administrative Justice. Failing that, a writ (amparo) can be filed against the Federal Court at the Federal Circuit Courts. Criminal offences related to data protection are handled by federal judges.
The sanctions for non-compliance are mainly economic fines, although the Personal Data Protection Law also includes criminal offences regarding both:
Security breaches caused by the data controller.
Obtaining personal data for personal gain through deceit.
Infringements of the Personal Data Protection Law are punishable by the following:
A warning for the infringer to carry out the actions requested by the data subject, following the Personal Data Protection Law.
Fines ranging from 100 days to 320,000 days of the current daily minimum wage (MXN5,982 to MXN19,142,400) in the Federal District. (As at 1 March 2012, US$1 was about MXN12.8.) If the infringements relate to the processing of sensitive information, the penalties can increase by up to two times the established amount.
If the infringements repeatedly continue, an additional fine can be imposed, again ranging from 100 days to 320,000 days of the current daily minimum wage in the Federal District.
When a personal data controller causes a security breach in its database for profit, this is punishable by a prison term ranging from three months to three years.
A person who, for improper gain, processes personal data by deceit, taking advantage of confusion or a mistake by the data subject or data controller, can be punished by a prison term ranging from six months to five years. If this offence concerns sensitive personal data, the penalties can be doubled.
Main areas of responsibility. The IFIA has the following areas of responsibility:
Promoting personal data protection rights.
Verifying compliance with the Federal Law for Protection of Personal Data in Possession of Private Persons.
Setting quality standards for data protection treatments and measures.
Conducting data protection enforcement, data verification and sanctions proceedings.