Mexico: Privacy Notice to Be Given By Mexican Entities And Individuals Under The Federal Protection Law Of Personal Data

1. Description of Mexico's Federal Protection Law of Personal Data

The Federal Protection Law of Personal Data (the "Law") was published in the Mexican Federal Official Gazette on July 5, 2010, in Mexico City and was effective one day after its publication. This Law regulates the manner and conditions in which personal data can be used by entities and individuals that obtain personal data from individuals. Its purpose is to guarantee the protection of personal information and the individuals' right to decide on how individuals and entities use their data. Pursuant to the transitory articles of the Law, the regulations of the same will be published no later than July 6, 2011.

The Law provides that when handling personal data, there is a reasonable expectation of privacy; and when an individual or entity responsible for the handling of data obtains personal data or sensible personal data, the individual or entity is required to obtain the express consent of the holder of the data.

The Law defines personal data as any information concerning an individual identified or identifiable and defines as sensitive personal data the personal data that affects the most-intimate sphere of the holder or which unlawful use could cause discrimination or convey a gross risk to them. In particular, it encompasses data that can reveal aspects like racial or ethnic origin; actual and future health; genetic information; religious, philosophical and moral beliefs; labor union affiliation; political opinions; and sexual preference.

2. Privacy Notice—Immediate Action to Be Taken

Notwithstanding that the Law exempts certain individuals and entities—that the Law defines as responsible—from requesting consent from the holders of the data when a legal relationship between the entity and the holder of the data exists, the Law obliges the individuals and entities to give a privacy notice. This notice is a document in hard-copy or electronic format made available, through physical, digital, visual or sound means or any other technology, to the holder of the data (the "Privacy Notice"). Pursuant to the Law, individuals and entities in receipt of personal data are required to provide such Privacy Notice to the holders of the data no later than July 6, 2011. In addition, any changes or modifications to such Privacy Notice must be conveyed to the holder of the data. The Privacy Notice applies to Mexican employers who possess data of employees and which are required under the Law to provide the Privacy Notice to their employees.

The following are the minimum requirements the Privacy Notice has to contain:

  • Identity and domicile of the responsible individual or entity;
  • Purpose of the data use;
  • Options and methods to limit the use and disclosure of the data;
  • Means or mechanisms to exercise the rights of access, correction, cancelation and opposition;
  • The transfer of data that will be made; and
  • The mechanism or proceeding by which the responsible individual or entity will inform the holders of any changes to the Privacy Notice.

In the event that the individual or entity in receipt of personal information makes any transfer of data, it is unnecessary to indicate such transfer in the privacy notice if:

  • The transfer is foreseen or established in a law or treaty to which Mexico is a party;
  • The transfer is necessary for medical attention, prevention, diagnosis, rendering of sanitary assistance, medical treatment or execution of sanitary services;
  • It is done between related parties;
  • It is necessary by virtue of an agreement executed or to be executed between the responsible individual or entity and a third party at the interest of the holder;
  • It is necessary or legally claimable for the safeguard of a public interest, or for the provision and administration of justice;
  • It is necessary for the recognition, exercise or defense of any right in a judicial process; or
  • It is necessary for the maintenance or fulfillment of a legal relationship between the individual or entity responsible for the data and the holder.

3. Main Responsibilities of the Entities or Individuals Handling the Data

  • Designate a responsible individual in charge of handling and correcting the personal data, and develop the processes for consulting or correcting the information. This designation has to be made no later than July 6, 2011.
  • Obtain the consent of the holder of the data (except in the specific cases provided by the Law) if the purpose of usage of the data changes.
  • Issue the Privacy Notice and verify its fulfillment and authorization. This notice has to be given no later than July 6, 2011.
  • Include in the Privacy Notice the consent of the holder of the data to transfer data (except in the specific cases provided by the Law).
  • Establish the handling that will be given to personal data.
  • If databases are created, they have to contain minimum information in accordance with the purpose of their use.
  • Maintain confidentiality of the information (continues after the legal relationship has been finished) and extends to third parties.
  • Provide personnel training (such as a handbook of practices or process guidelines).
  • Establish proceedings for the holder to exercise his rights.
  • Establish safety measures for the handling of the data to avert modification, loss and unauthorized access.
  • Comply with the time frames to respond to requests and implement the requested changes (20 days and 15 days, respectively).

4. Breach of the Law

Each of the following events constitutes a breach of the Law:

  • Failure to fulfill the request made by the holder to exercise the rights of access, correction, cancelation and opposition to the handling of their personal data, without a justified reason.
  • Act with negligence or bad faith in the process or response of the holder's requests.
  • Declare with bad faith the inexistence of data, when there is actually data or part of the data in the responsible party's databases.
  • Handle the data contravening the Law.
  • Failure to include in the Privacy Notice all the items mentioned in article 16 of the Law that are described in section three above.
  • Keep data that are incorrect or imprecise, or failure to make the corrections or cancellations of the data according to the Law.
  • Failure to comply with the disciplinary measure of the authorities in order to perform what the holder of the data requested.
  • Failure to comply with the confidentiality duty.
  • Substantially change the original purpose of the handling of the data, without obtaining a new consent of the holder.
  • Transfer data to third parties without informing them of the Privacy Notice.
  • Affect the safety of the local databases, programs or equipment.
  • Perform the transfer of data in the cases not allowed by the Law.
  • Obtain or transfer personal data without the express consent of the holder.
  • Obstruct or hamper the verification acts of the authority.
  • Obtain data in a deceitful or fraudulent manner.
  • Continue with the illegitimate use of the data when the cease of their use was previously requested.
  • Handle the data impeding or affecting the exercise of the holder's rights.
  • Create databases with a purpose other than for the one they were created.
  • Any breach by any individual appointed by the entity as responsible for the data.

5. Sanctions

Sanctions vary from a disciplinary measure against the responsible party in breach of the Law to a fine from 100 to 320,000 days of the minimum general wage effective in the federal district, and additional fines in the case of relapse.

It is a crime if the responsible individual or entity handles the data with the purpose of obtaining a profit that would render vulnerable the safety of the databases. This conduct would result in a sentencing of three months to three years in prison. If the responsible individual or entity takes advantage of the error and obtains data by means of fraud or deception, the sanction is six months to five years in prison; and if it is related to sensible data, the sanctions are doubled.

If you would like additional information regarding Mexico's federal law on protecting personal data, please contact any of the members of the Mexico Business Group or the attorney in the firm with whom you are regularly in contact.

This article is for general information and does not include full legal analysis of the matters presented. It should not be construed or relied upon as legal advice or legal opinion on any specific facts or circumstances. The description of the results of any specific case or transaction contained herein does not mean or suggest that similar results can or could be obtained in any other matter. Each legal matter should be considered to be unique and subject to varying results. The invitation to contact the authors or attorneys in our firm is not a solicitation to provide professional services and should not be construed as a statement as to any availability to perform legal services in any jurisdiction in which such attorney is not permitted to practice.

Duane Morris LLP, a full-service law firm with more than 700 attorneys in 24 offices in the United States and internationally, offers innovative solutions to the legal and business challenges presented by today's evolving global markets. Duane Morris LLP, a full-service law firm with more than 700 attorneys in 24 offices in the United States and internationally, offers innovative solutions to the legal and business challenges presented by today's evolving global markets. The Duane Morris Institute provides training workshops for HR professionals, in-house counsel, benefits administrators and senior managers.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

Similar Articles
Relevancy Powered by MondaqAI
Some comments from our readers…
“The articles are extremely timely and highly applicable”
“I often find critical information not available elsewhere”
“As in-house counsel, Mondaq’s service is of great value”

Related Topics
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of

To Use you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions