Mexico: Data Protection Laws of the World Handbook: Second Edition - Mexico (United Mexican States)

E-Commerce And Privacy Alert


The Federal Law on Protection of Personal Data held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de Particulares) (the "Law") was enacted and entered into force on 6 July 2010.

The Executive Branch issued (i) the Regulations to the Law (Reglamento de la Ley Federal de Protección de Datos en Posesión de Particulares) on 21 December 2011 (the "Regulations"), which entered into force on 22 December 2011, (ii) the Privacy Notice Guidelines on 17 January 2013 (the "Guidelines"), which will enter into force on 18 April 2013, and (iii) the Parameters for Mandatory Self-Regulation on 17 January 2013 (the "Parameters"), which entered into force on 18 January 2013. References to the Law throughout this document include the Regulations, the Guidelines and the Parameters.

The Law applies to personal data and sensitive personal data (see definitions below): (i) processed in a facility of the data controller located in Mexican territory; (ii) processed in any facility regardless of its location if the processing is performed on behalf of a Mexican data controller; (iii) where the Law and the Regulations are applicable as a consequence of Mexico's adherence to an international convention (even where the data user is not located in Mexico); or (iv) where the data controller is not located in Mexican territory but uses means located in Mexico to process personal data located abroad. However, when personal data is only in transit through, and is not processed in, Mexico, the Law does not apply.

The Law is limited in its application to the private sector, and does not apply to the government.


"Personal Data" means any information concerning an identified or identifiable individual. Unless otherwise noted in this document, personal data includes sensitive personal data.


"Sensitive Personal Data" means personal data touching on the most intimate areas of the data subject's life, or data the misuse of which may lead to discrimination or serious risk to the data subject. Specifically, the definition includes data which may reveal items such as racial or ethnic origin, present or future health status, genetic information, religious, philosophical or moral beliefs, union affiliation, political views, and sexual orientation.


The Federal Institute for Access to Information and Data Protection (Instituto Federal de Acceso a la Información y Protección de Datos (IFAI)) ("IFAI") and the Ministry of Economy (Secretaría de Economía).


Not required.


All data controllers are required by Law to designate a personal data officer or department (jointly hereinafter referred to as the "Data Protection Officer") to handle requests from any data subjects (called "Data Owners") exercising their rights under the Law. Data Protection Officers are also required to promote the protection of Personal Data within their organizations.

Data controllers located outside Mexico who process personal data of Mexican data subjects abroad must appoint a representative or set up a sufficient alternative mechanism to comply with all aspects of the Law (e.g. comply with "ARCO" rights discussed below).


The term "processing" is broadly defined to include the procurement, use, access, management, transfer, disposal, disclosure or storage of personal data of an identified or identifiable individual by any means.

Data subjects are entitled to a reasonable expectation of privacy in the processing of their personal data; i.e. reliance on the assumption that the personal data provided by the data subject will be treated as agreed upon by the parties (in the privacy notice or otherwise) and in compliance with the Law.

To process personal data, data controllers must provide a privacy notice (Aviso de Privacidad) (the "Privacy Notice"), which must be made available to a data subject prior to the collection and processing of his or her personal data. The Privacy Notice may be provided to data subjects in printed, digital, visual or audio formats, or any other technology.

The Privacy Notice must contain: (i) the identity and domicile of the data controller collecting the data; (ii) the purposes of the data processing; (iii) the options and means offered by the data controller to data subjects to limit the use or disclosure of data; (iv) the means for exercising rights of access, correction, cancellation or objection in accordance with the provisions of the Law; (v) where appropriate, the types of data transfers to be made; and (vi) the procedure and means by which the data controller will notify the data subjects of changes to the Privacy Notice. For transfers, the Privacy Notice must contain the name of the transferee or the person to whom the information is transferred.

The Guidelines consider three forms of privacy notice: comprehensive, simplified and short-form, depending on whether the data is personally obtained from the data subject, the data is obtained directly or indirectly from the data subject, or the space to obtain data is minimal or limited (where the space allotted for the gathering of personal data or the Privacy Notice is also minimal or limited), respectively. Each of these forms must meet specific disclosure requirements. The Privacy Notice must be drafted in simple, clear and comprehensible terms, contain all necessary information specified above, and be available in Spanish. The Privacy Notice must be made available to the data subject prior to the collection of the data; at first contact, if the data is obtained indirectly; or prior to its use, when the data is obtained indirectly and no contact with the data subject is required. There are some exceptions to the requirement to provide a subsequent Privacy Notice, such as when the data will be used for scientific, statistical or historical purposes. The data controller has the burden of proof to show that the Privacy Notice was provided.

Personal data must be collected and processed in a lawful manner, in accordance with the provisions of the Law and Regulations, and may not be obtained through deceptive means.

Consent is required for all processing of personal data, except as otherwise provided by the Law. Implicit consent (notice and opt out) applies to the processing of personal data. Express consent (notice and opt in) applies to the processing of financial or asset data and Sensitive Personal Data, unless an exception applies. With respect to personal data, consent may be communicated verbally, in writing, by electronic or optical means, via any other technology, or by any other unmistakable indications. However, a data controller must obtain express written consent from the data subject for any processing of Sensitive Personal Data; written consent may be obtained through the data subject's written signature, electronic signature, or any other authentication mechanism set up for such purpose.

Further, databases containing sensitive personal data may not be created unless justified by legitimate, concrete and consistent purposes, in furtherance of the explicit objectives or activities pursued by the data controller.

Exceptions to the consent requirement for processing of personal data, including sensitive personal data, apply where: (i) exempted by other legislation; (ii) the data is contained in publicly available sources; (iii) the identity of the data subject has been disassociated from the data; (iv) processing is for the purpose of discharging obligations under a pre-existing relationship between the data subject and the data controller; (v) there is an emergency situation that could potentially harm an individual with regard to his person or property; (vi) processing is essential for medical attention, prevention, diagnosis, health care delivery, medical treatment or health services management, where the data subject is unable to give consent in the manner established by the General Health Law (Ley General de Salud) and other applicable laws, and said processing is carried out by a person subject to a duty of professional secrecy or an equivalent obligation; or (vii) pursuant to resolution issued by a competent authority.

Processing of personal data must be limited to the fulfilment of the specific purposes set out in the Privacy Notice. If the personal data is used for a purpose not identified in the Privacy Notice, consent of the data subject is required anew.

Databases containing Sensitive Personal Data may be created only: (i) where necessary to comply with a legal requirement; (ii) where justified for purposes of national security, public order, public health, or for the protection of third party rights; or (iii) when the data controller is compelled to create them for legitimate and specific purposes.

The data controller must ensure that Personal Data contained in databases are relevant, correct and up to date for the purposes for which they have been collected. When the personal data are no longer necessary for the fulfilment of the objectives set forth in the Privacy Notice and applicable laws, they must be eliminated.

The Data Controller must also, among other things, implement privacy policies and mandatory privacy programs, set up supervisory systems, update and inform its personnel about matters regarding protection of Personal Data, and set up procedures to receive and process complaints and resolve questions from data subjects.


The data controller may freely transfer personal data to domestic or foreign third parties, if the Privacy Notice so provides and the data subject has not opted out. Details regarding the transfers (recipient of the personal data, purposes of the transfer, etc.) of personal data must be provided under the Privacy Notice.

Any third party receiving personal data assumes the same obligations as the data controller that transferred the personal data. Except for disclosures to data processors, personal data may only be transferred for the purposes authorised by the data subject's consent to the Privacy Notice, which must be opt out or opt in depending on whether the information is personal data or sensitive personal data, respectively.

Domestic or international transfers of personal data may be carried out without the consent of the data subject where: (i) the transfer is pursuant to a law or treaty to which Mexico is party; (ii) the transfer is necessary for medical diagnosis or prevention, health care delivery, medical treatment or health services management; (iii) the transfer is made to the holding company, subsidiaries or affiliates under the common control of the data controller, or to a parent company or any company of the same group as the data controller, operating under the same internal processes and policies; (iv) the transfer is necessary by virtue of a contract executed or to be executed between the data controller and a third party in the interest of the data subject; (v) where the transfer is necessary or legally required to safeguard public interest or for the administration of justice; (vi) where the transfer is necessary for the recognition, exercise or defence of a right in a judicial proceeding; and (vii) where the transfer is necessary to maintain or comply with an obligation binding on the data controller and the data subject.

The Regulations distinguish between domestic and international transfers of personal data. For international transfers of personal data, the third party receiving the personal data must enter into an agreement or other instrument with the data controller to ensure the lawful processing of the personal data in compliance with the Law. The transfer of personal data between or among related corporate entities is allowed for specific purposes as long as those purposes are mentioned and disclosed to the data subject in the Privacy Notice. If the personal data is intended to be used for purposes other than those indicated in the Privacy Notice, then express consent must be obtained from the data subject anew.


All responsible parties that process personal data must establish and maintain physical, technical and administrative security measures designed to protect personal data from damage, loss, alteration, destruction or unauthorised use, access or processing. Data processors may not adopt security measures with respect to personal data that they process on behalf of a data controller that are inferior to those which the processor has in place to manage its own information. The sufficiency of the security measures will be assessed in relation to the risk involved, potential consequences for data subjects, sensitivity of the data, and technological developments. The Regulations set out criteria that must be considered by the data controller in determining the appropriate security measures and actions to protect the Personal Data, and require data controllers to periodically review and update their security measures. The IFAI may also issue non-binding recommendations to data controllers for securing personal data when the data controller's security measures are insufficient or may put the personal data at risk.

Data controllers or third parties involved in any stage of personal data processing must maintain the confidentiality of the data, and this obligation continues even after the end of any relationship with the data subject or with the data controller.

Any third party who is in charge of securing personal data on behalf of the data controller ("Third Party") is subject to the same obligations as the data controller to protect the data. The Third Party shall: (i) process the personal data only in accordance with the instructions of, and for the purposes indicated by, the data controller; (ii) set up security measures to protect the personal data; (iii) keep the personal data confidential; (iv) eliminate the personal data once the legal relationship between the data controller and the Third Party is terminated; and (v) refrain from transferring personal data, except where (a) the data controller instructs it to do so; (b) the transfer is made to a subcontractor; or (c) the personal data is requested by an authority.


Security breaches occurring at any stage of processing that materially affect property or Sensitive Personal Data must be promptly reported by the data controller to the data subject, so that the data subject can take appropriate action to defend his or her rights.

The Regulations provide that breach notification must include at least the following information: (i) a description of the issue; (ii) the personal data that was exposed to the security breach; (iii) recommended actions to the data subject on how to protect his/her own interests and to secure the personal data; (iv) the corrective actions that the data controller will take immediately; and (v) the process pursuant to which the data subject may obtain additional information regarding the data breach, any information mentioned in the notice to protect his/her interests, the actions to be taken by the data controller to mitigate any harm or damage, and the recommendations of the data controller to the data subject on how to mitigate the effect of the breach.


The provisions of the Law are mandatory, and apply to data controllers and any other person processing personal data. The IFAI may act ex officio or in response to complaints regarding violations of the Law. If any breach of the Law or the Regulations is alleged, the IFAI may perform on-site inspections at the data controller's facilities to verify compliance with the Law. Inspections may last up to 180 days.

Data subjects can enforce their access, correction, cancellation and objection rights ("ARCO Rights") via the IFAI and ultimately the court system.

Violations of the Law may result in either monetary penalties or imprisonment.

  • The IFAI may impose monetary fines from 100 to 320,000 times the Mexico City minimum wage (approximately US$480 to US$1,534,275, based upon an exchange rate of MxP$13 per US$1). With regard to violations committed concerning the processing of sensitive personal data, sanctions may be increased up to double these amounts.
  • Three months to three years imprisonment may be imposed on any person authorised to process personal data who, for profit, causes a security breach affecting the databases under its custody. Penalties are doubled for sensitive personal data.
  • Six months to five years imprisonment may be imposed on any person who, with the aim of obtaining unlawful profit, processes personal data deceitfully, taking advantage of an error of the data subject or a person authorised to transmit such data. Penalties are doubled for sensitive personal data.

Data controllers may adopt self-regulation mechanisms, such as codes, policies, rules and standards, or become part of incorporated or unincorporated self-regulatory bodies to support their compliance with the provisions of the Law; these self-regulation standards become binding on data controllers and provide prima facie evidence that the data controller is in compliance with the Law.

The implementation of the self-regulation mechanisms is regulated at length by the Parameters. The Parameters intend to foster compliance by data controllers with the Regulations, and incentivise data controllers to apply for certification by the IFAI or other certifying bodies. The Parameters set forth the components that, at a minimum, must be addressed in any self-regulatory mechanism, including scope, duration, internal updating mechanisms, ARCO rights enforcement, alternative dispute resolution, and form agreements. The Parameters also address the certification system.


Email marketing constitutes the processing of personal data and is subject to the Privacy Notice and opt-out consent requirements of the Law.


The Guidelines, which address the use of cookies, web beacons and other analogous technologies, require that when a data controller uses online tracking mechanisms that permit the automatic collection of personal data, the Privacy Notice must include: a prominent warning to the data subject of the use of such technologies; the fact that personal data is being gathered; and the option to disable such means (unless they are necessary for technical reasons). The notice must also specify the type of personal data being gathered and the purpose.

However, an IP address alone is not likely to rise to the level of personal data under the Law.

© DLA Piper

This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.
