Mexico: Data Protection Laws of the World Handbook: Second Edition - Mexico (United Mexican States)

E-Commerce And Privacy Alert


The Federal Law on Protection of Personal Data held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de Particulares) (the "Law") was enacted and entered into force on 6 July 2010.

The Executive Branch issued (i) the Regulations to the Law (Reglamento de la Ley Federal de Protección de Datos en Posesión de Particulares) on 21 December 2011 (the "Regulations"), which entered into force on 22 December 2011, (ii) the Privacy Notice Guidelines on 17 January 2013 (the "Guidelines"), which will enter into force on 18 April 2013, and (iii) the Parameters for Mandatory Self-Regulation on 17 January 2013 (the "Parameters"), which entered into force on 18 January 2013. References to the Law throughout this document include the Regulations, the Guidelines and the Parameters.

The Law applies to personal data and sensitive personal data (see definitions below): (i) processed in a facility of the data controller located in Mexican territory; (ii) processed in any facility regardless of its location if the processing is performed on behalf of a Mexican data controller; (iii) where the Law and the Regulations are applicable as a consequence of Mexico's adherence to an international convention (even where the data user is not located in Mexico); or (iv) where the data controller is not located in Mexican territory but uses means located in Mexico to process personal data located abroad. However, when personal data is only in transit through, and is not processed in, Mexico, the Law does not apply.

The Law is limited in its application to the private sector, and does not apply to the government.


"Personal Data" means any information concerning an identified or identifiable individual. Unless otherwise noted in this document, personal data includes sensitive personal data.


"Sensitive Personal Data" means personal data touching on the most intimate areas of the data subject's life, or data the misuse of which may lead to discrimination or serious risk to the data subject. Specifically, the definition includes data which may reveal items such as racial or ethnic origin, present or future health status, genetic information, religious, philosophical or moral beliefs, union affiliation, political views, and sexual orientation.


The Federal Institute for Access to Information and Data Protection (Instituto Federal de Acceso a la Información y Protección de Datos (IFAI)) ("IFAI") and the Ministry of Economy (Secretaría de Economía).


Not required.


All data controllers are required by Law to designate a personal data officer or department (jointly hereinafter referred to as the "Data Protection Officer") to handle requests from any data subjects (called "Data Owners") exercising their rights under the Law. Data Protection Officers are also required to promote the protection of Personal Data within their organizations.

Data controllers located outside Mexico who process personal data of Mexican data subjects abroad must appoint a representative or set up a sufficient alternative mechanism to comply with all aspects of the Law (e.g. comply with "ARCO" rights discussed below).


The term "processing" is broadly defined to include the procurement, use, access, management, transfer, disposal, disclosure or storage of personal data of an identified or identifiable individual by any means.

Data subjects are entitled to a reasonable expectation of privacy in the processing of their personal data, i.e. reliance on the assumption that the personal data provided by the data subject will be treated as agreed upon by the parties (in the privacy notice or otherwise) and in compliance with the Law.

To process personal data, data controllers must provide a privacy notice (Aviso de Privacidad) (the "Privacy Notice"), which must be made available to a data subject prior to the collection and processing of his or her personal data. The Privacy Notice may be provided to data subjects in printed, digital, visual or audio formats, or any other technology.

The Privacy Notice must contain: (i) the identity and domicile of the data controller collecting the data; (ii) the purposes of the data processing; (iii) the options and means offered by the data controller to data subjects to limit the use or disclosure of data; (iv) the means for exercising rights of access, correction, cancellation or objection in accordance with the provisions of the Law; (v) where appropriate, the types of data transfers to be made; and (vi) the procedure and means by which the data controller will notify the data subjects of changes to the Privacy Notice. For transfers, the Privacy Notice must contain the name of the transferee or the person to whom the information is transferred.

The Guidelines consider three forms of privacy notice: comprehensive, simplified and short-form, depending on whether the data is personally obtained from the data subject, the data is obtained directly or indirectly from the data subject, or the space to obtain data is minimal or limited (where the space allotted for the gathering of personal data or the Privacy Notice is also minimal or limited), respectively. Each of these forms must meet specific disclosure requirements. The Privacy Notice must be drafted in simple, clear and comprehensible terms, contain all necessary information specified above, and be available in Spanish. The Privacy Notice must be made available to the data subject prior to the collection of the data, at first contact if obtained indirectly, or prior to their use when obtained indirectly and no contact is required with the data subject. There are some exceptions to the requirement to provide a subsequent Privacy Notice, such as when the data will be used for scientific, statistical or historical purposes. The data controller has the burden of proof to show that the Privacy Notice was provided.

Personal data must be collected and processed in a lawful manner, in accordance with the provisions of the Law and Regulations, and may not be obtained through deceptive means.

Consent is required for all processing of personal data, except as otherwise provided by the Law. Implicit consent (notice and opt out) applies to the processing of personal data. Express consent (notice and opt in) applies to the processing of financial or asset data and Sensitive Personal Data, unless an exception applies. With respect to personal data, consent may be communicated verbally, in writing, by electronic or optical means, via any other technology, or by any other unmistakable indications. However, a data controller must obtain express written consent from the data subject for any processing of Sensitive Personal Data; written consent may be obtained through the data subject's written signature, electronic signature, or any other authentication mechanism set up for such purpose.

Further, databases containing sensitive personal data may not be created unless justified by legitimate, concrete and consistent purposes, in furtherance of the explicit objectives or activities pursued by the data controller.

Exceptions to the consent requirement for processing of personal data, including sensitive personal data, apply where: (i) exempted by other legislation; (ii) the data is contained in publicly available sources; (iii) the identity of the data subject has been disassociated from the data; (iv) processing is for the purpose of discharging obligations under a pre-existing relationship between the data subject and the data controller; (v) there is an emergency situation that could potentially harm an individual with regard to his person or property; (vi) processing is essential for medical attention, prevention, diagnosis, health care delivery, medical treatment or health services management, where the data subject is unable to give consent in the manner established by the General Health Law (Ley General de Salud) and other applicable laws, and said processing is carried out by a person subject to a duty of professional secrecy or an equivalent obligation; or (vii) pursuant to a resolution issued by a competent authority.

Processing of personal data must be limited to the fulfilment of the specific purposes set out in the Privacy Notice. If the personal data is used for a purpose not identified in the Privacy Notice, consent of the data subject is required anew.

Databases containing Sensitive Personal Data may be created only: (i) where necessary to comply with a legal requirement; (ii) where justified for purposes of national security, public order, public health, or for the protection of third party rights; or (iii) when the data controller is compelled to create it for legitimate and specific purposes.

The data controller must ensure that Personal Data contained in databases are relevant, correct and up to date for the purposes for which they have been collected. When the personal data are no longer necessary for the fulfilment of the objectives set forth in the Privacy Notice and applicable laws, they must be eliminated.

The Data Controller must also, among other things, implement privacy policies and mandatory privacy programs, set up supervisory systems, update and inform its personnel about matters regarding protection of Personal Data, and set up procedures to receive and process complaints and resolve questions from data subjects.


The data controller may freely transfer personal data to domestic or foreign third parties, if the Privacy Notice so provides and the data subject has not opted out. Details regarding the transfers (recipient of the personal data, purposes of the transfer, etc.) of personal data must be provided under the Privacy Notice.

Any third party receiving personal data assumes the same obligations as the data controller that transferred the personal data. Except for disclosures to data processors, personal data may only be transferred for the purposes authorised by the data subject's consent to the Privacy Notice, which must be opt out or opt in depending on whether the information is personal data or sensitive personal data, respectively.

Domestic or international transfers of personal data may be carried out without the consent of the data subject where: (i) the transfer is pursuant to a law or treaty to which Mexico is party; (ii) the transfer is necessary for medical diagnosis or prevention, health care delivery, medical treatment or health services management; (iii) the transfer is made to the holding company, subsidiaries or affiliates under the common control of the data controller, or to a parent company or any company of the same group as the data controller, operating under the same internal processes and policies; (iv) the transfer is necessary by virtue of a contract executed or to be executed between the data controller and a third party in the interest of the data subject; (v) where the transfer is necessary or legally required to safeguard public interest or for the administration of justice; (vi) where the transfer is necessary for the recognition, exercise or defence of a right in a judicial proceeding; and (vii) where the transfer is necessary to maintain or comply with an obligation binding on the data controller and the data subject.

The Regulations distinguish between domestic and international transfers of personal data. For international transfers of personal data, the third party receiving the personal data must enter into an agreement or other instrument with the data controller to ensure the lawful processing of the personal data in compliance with the Law. The transfer of personal data between or among related corporate entities is allowed for specific purposes as long as those purposes are mentioned and disclosed to the data subject in the Privacy Notice. If the personal data is intended to be used for purposes other than those indicated in the Privacy Notice, then express consent must be obtained from the data subject anew.


All responsible parties that process personal data must establish and maintain physical, technical and administrative security measures designed to protect personal data from damage, loss, alteration, destruction or unauthorised use, access or processing. Data processors may not adopt security measures with respect to personal data that they process on behalf of a data controller that are inferior to those which the processor has in place to manage its own information. The sufficiency of the security measures will be assessed in relation to the risk involved, potential consequences for data subjects, sensitivity of the data, and technological developments. The Regulations set out criteria that must be considered by the data controller in determining the appropriate security measures and actions to protect the Personal data, and require data controllers to periodically review and update their security measures. The IFAI may also issue non-binding recommendations to data controllers for securing personal data when the data controller's security measures are insufficient or may put the personal data in risk.

Data controllers or third parties involved in any stage of personal data processing must maintain the confidentiality of the data, and this obligation continues even after the end of any relationship with the data subject or with the data controller.

Any third party who is in charge of securing personal data on behalf of the data controller ("Third Party") is subject to the same obligations as the data controller to protect the data. The Third Party shall: (i) process the personal data only in accordance with the instructions of, and for the purposes indicated by, the data controller; (ii) set up security measures to protect the personal data; (iii) keep the personal data confidential; (iv) eliminate the personal data once the legal relationship between the data controller and the third party is terminated; and (v) refrain from transferring personal data, except where (a) the data controller instructs it to do so; (b) the transfer is made to a subcontractor; or (c) the personal data is requested by an authority.


Security breaches occurring at any stage of processing that materially affect property or Sensitive Personal Data must be promptly reported by the data controller to the data subject, so that the data subject can take appropriate action to defend his or her rights.

The Regulations provide that breach notification must include at least the following information: (i) a description of the issue; (ii) the personal data that was exposed to the security breach; (iii) recommended actions to the data subject on how to protect his/her own interests and to secure the personal data; (iv) the corrective actions that the data controller will take immediately; and (v) the process pursuant to which the data subject may obtain additional information regarding the data breach, together with any information mentioned in the notice to protect his/her interests, the actions to be taken by the data controller to mitigate any harm or damage, and the recommendations of the data controller to the data subject on how to mitigate the effect of the breach.


The provisions of the Law are mandatory, and apply to data controllers and any other person processing personal data. The IFAI may act ex officio or in response to complaints regarding violations of the Law. If any breach of the Law or the Regulations is alleged, the IFAI may perform on-site inspections at the data controller's facilities to verify compliance with the Law. Inspections may last up to 180 days.

Data subjects can enforce their access, correction, cancellation and objection rights ("ARCO Rights") via the IFAI and ultimately the court system.

Violations of the Law may result in either monetary penalties or imprisonment.

  • The IFAI may impose monetary fines from 100 to 320,000 times the Mexico City minimum wage (approximately US$480 to US$1,534,275, based upon an exchange rate of MxP$13 per US$1). With regard to violations committed concerning the processing of sensitive personal data, sanctions may be increased up to double these amounts.
  • Three months to three years imprisonment may be imposed on any person authorised to process personal data who, for profit, causes a security breach affecting the databases under its custody. Penalties are doubled for sensitive personal data.
  • Six months to five years imprisonment may be imposed on any person who, with the aim of obtaining unlawful profit, processes personal data deceitfully, taking advantage of an error of the data subject or a person authorised to transmit such data. Penalties are doubled for sensitive personal data.

Data controllers may adopt self-regulation mechanisms, such as codes, policies, rules and standards, or become part of incorporated or unincorporated self-regulatory bodies to support their compliance with the provisions of the Law; these self-regulation standards become binding on data controllers and provide prima facie evidence that the data controller is in compliance with the Law.

The implementation of the self-regulation mechanisms is regulated at length by the Parameters. The Parameters intend to foster compliance by data controllers with the Regulations, and incentivise the data controllers to apply for certification by the IFAI or other certifying organisations. The Parameters set forth the components that, at a minimum, must be addressed in any self-regulatory mechanism, including scope, duration, internal updating mechanisms, ARCO rights enforcement, alternative dispute resolution, and form agreements. The Parameters also address the certification system.


Email marketing constitutes the processing of personal data and is subject to the Privacy Notice and opt-out consent requirements of the Law.


The Guidelines, which address the use of cookies, web beacons and other analogous technologies, require that when a data controller uses online tracking mechanisms that permit the automatic collection of personal data, the Privacy Notice must include: a prominent warning to the data subject of the use of such technologies; the fact that personal data is being gathered; and the option to disable such means (unless they are necessary for technical reasons). The notice must also specify the type of personal data being gathered and the purpose.

However, an IP address alone is not likely to rise to the level of personal data under the Law.

© DLA Piper

This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.

DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to
