28 July 2025

Data Protection 2025 – México

OLIVARES (Contributor)

Our mission is to provide innovative solutions and highly specialized legal advice for clients facing the most complicated legal and business challenges in Mexico. OLIVARES is continuously at the forefront of new practice areas concerning copyright, litigation, regulatory, anti-counterfeiting, plant varieties, domain names, digital rights, and internet-related matters, and the firm has been responsible for precedent-setting decisions in patents, copyrights, and trademarks. Our firm is committed to developing the strongest group of legal professionals to manage the level of complexity and interdisciplinary orientation that clients require. During the first decade of the 21st century, the team successfully led efforts to reshape IP laws and change regulatory authorizations procedures in Mexico, not only through thought leadership and lobbying efforts, but the firm has also won several landmark and precedent-setting cases at the Mexican Federal and Supreme Courts levels, including in constitutional matters.

1 Relevant Legislation and Competent Authorities

1.1 What is the principal data protection legislation?

The legal framework for data protection is found in Articles 6 and 16 of the Mexican Constitution, as well as in the new Federal Law for the Protection of Personal Data Held by Private Parties, published on March 20, 2025, and its Regulations, published in December 2011 (hereinafter the "FLPPDHPP").

1.2 Is there any other general legislation that impacts data protection?

Yes: the new General Law for the Protection of Personal Data in the Possession of Obliged Subjects, also published on March 20, 2025, which regulates the processing of personal information ("PI") in the possession of any Federal, State or local governmental authority ("the Law"); the Privacy Notice Rules, published in January 2013; the Binding Self-Regulation Parameters, also published in January 2013; and the General Guidelines for the Protection of Personal Data for the public sector (Federal, State or local authorities). It is worth mentioning that Mexican data protection laws and general legislation follow corresponding international laws, directives and statutes, and thus share similar principles, regulatory scope and provisions. Moreover, other laws are also related to data protection, such as: the Criminal Code; the Law for the Regulation of Credit Information Companies; the Law for Regulating Financing Technology Institutions; provisions set forth in the Copyright Law and the Federal Law for Consumer Protection; and some specific provisions set forth in the Civil Code and the Commerce Code.

1.3 Is there any sector-specific legislation that impacts data protection?

Mexican data protection legislation is not based on sectoral laws. The Law, as described above, is a general law that regulates the collection and processing of any PI by any private entity acting as a Controller or Processor, which impacts any sector that is involved in any sort of personal data collection or processing.

1.4 What authority(ies) are responsible for data protection?

Up to March 20, 2025, the National Institute of Transparency, Access to Information and Personal Data Protection ("INAI") was the authority responsible for overseeing the Law.

As of March 21, 2025, the authority responsible for overseeing the Law is the Ministry of Anti-Corruption and Good Government ("Ministry of ACGG"), whose main purpose will be the disclosure of governmental activities, budgets and overall public information, as well as the protection of personal data and the individuals' right to privacy. The Ministry of ACGG has the authority to: conduct investigations; review and sanction data protection Controllers; and authorise, oversee and revoke certifying entities.

The Ministry is also responsible for informing and educating national and international corporations with commercial activities in Mexican territory about their obligations regarding the protection of personal data.

2 Definitions

2.1 Please provide the key definitions used in the relevant legislation:

  • "Personal Data"
    Any information concerning an identified or identifiable individual. A person is considered identifiable when their identity may be determined, directly or indirectly, by any information.
  • "Processing"
    Any operation or set of operations done by manual or automated procedures applied to personal data, related to obtaining, using, recording, organising, preserving, elaborating, communicating, disseminating, storing, possessing, accessing, handling, using, disclosing, transferring or disposing of personal data.
  • "Controller"
    Private individuals or legal entities that carry out the processing of personal data.
  • "Processor"
    The individual or legal entity that, solely or jointly with another, processes personal data on behalf of the Controller.
  • "Data Subject"
    Any identified or identifiable natural person.
  • "Sensitive Personal Data"/"Special Categories of Personal Data"
    Any personal data that may affect the most intimate sphere of an individual, or that, if misused, may lead to discrimination or carry a serious risk to the individual. By way of example and without limitation, sensitive personal data include data that may reveal ethnic or racial origin, a present or future medical condition, genetic information, religious, philosophical and moral beliefs, union affiliation, political opinions and sexual preference. Other than the definition of "sensitive personal data", there are no special categories of personal data in our law.
  • "Data Breach"
    Any security breach which, occurring in any phase of data collection, storage or use, may significantly affect the patrimonial or moral rights of individuals.
  • "Pseudonymous Data"
    Data processed in such a way that it can no longer be attributed to a specific data subject without the use of additional information.

3 Territorial and Material Scope

3.1 Do the data protection laws apply to businesses established in other jurisdictions? If so, in what circumstances would a business established in another jurisdiction be subject to those laws?

Mexican data protection law is not limited to PI Controllers established or operating in Mexican territory. Although the Law does not provide a specific reach or scope of its applicability, the Regulations to the Law do. In this regard, such regulations (and, therefore, the Law), in addition to being applicable to companies established or operating under Mexican law (whether or not located in Mexican territory) apply to companies not established under Mexican law that are subject to Mexican legislation derived from the execution of a contract or under the terms of international law.

Additionally, Mexican regulations on data protection apply to: company establishments located in Mexican territory; persons or entities not established in Mexican territory but using means located in such territory, unless such means are used merely for transit purposes that do not imply the processing or handling of personal data; and cases where the Controller is not established in Mexican territory but the person designated as the party in charge of the control and management of its personal data (a service provider) is.

In the case of individuals, the establishment will mean the location of the main place of business or location customarily used to perform their activities or their home.

3.2 Do the data protection laws in your jurisdiction carve out certain processing activities from their material scope?

Mexican Data Privacy Law does not carve out any processing activities from the material scope. Our Law only indicates that the Controller should be responsible for processing personal and/or sensitive data in accordance with the principles set forth in the Law and international treaties, regardless of the processing activity or material scope.

4 Key Principles

4.1 What are the key principles that apply to the processing of personal data?

  • Transparency
    This principle is not defined in the Law; however, the Law makes it clear that personal data can in no way be collected, stored or used through deceitful or fraudulent means.
  • Lawful basis for processing
    The Controller is responsible for processing personal and/or sensitive data in accordance with the principles set forth in the Law and international treaties.
  • Purpose limitation
    Personal data shall only be collected and processed in compliance with the purpose or purposes set forth in the Privacy Notice. Moreover, the purpose of the Privacy Notice must be certain, which is achieved by establishing the purpose for which the personal data will be collected and processed in a clear, objective manner, not leaving any room for confusion.
  • Data minimisation
    The Controller will be responsible and shall endeavour to make reasonable efforts so that the personal data processed are the minimum necessary according to the purpose that originated the collection of PI.
  • Proportionality
    Controllers can only collect personal data that are necessary, appropriate and relevant for the purpose(s) of their collection.
  • Retention
    This translates into the obligation of the Controller to retain personal data only for the period of time necessary for complying with the purpose(s) for which the data were collected, with the obligation to block, cancel and suppress the personal data afterwards.
  • Accuracy
    This principle refers to ensuring that the processed personal data is correct and updated and is strictly related to the following "Quality" principle as described below, which includes accuracy.
  • Responsibility
    The Controller must safeguard and be accountable for any PI under its custody, or any PI that it has shared with any vendor, either in Mexico or abroad. In order to comply with this principle, the Controller must make use of any of the best international practices, corporate policies, self-regulatory schemes or any other suitable mechanism to this effect.
  • Quality
    This principle is accomplished when the personal data processed are accurate, complete, pertinent, correct and updated as required, in order to comply with the purpose for which the personal data will be collected.
  • Consent
    The Controller must obtain the consent of the data subject at the moment in which PI is being collected and must keep evidence of the consent.
  • Loyalty
    This consists of the obligation of the Controller to process any PI collected favouring the protection of the interests of the data subject and the reasonable expectation of privacy.

5 Individual Rights

5.1 What are the key rights that individuals have in relation to the processing of their personal data?

  • Right of access to (copies of) data/information about processing
    Data subjects have the right to access their personal data held by the Controller at any time they request.
  • Right to rectification of errors
    Data subjects have the right to request the rectification of any of their personal data, held by a Controller, which turns out to be inaccurate, incomplete or out of date.
  • Right to deletion/right to be forgotten
    Data subjects have the right to request the cancellation of their personal data. The cancellation of personal data will result in a blocking period, after which the suppression of the data will take place. Notwithstanding the foregoing, the Controller may keep such personal data exclusively for the purposes of the responsibilities regarding their treatment. Likewise, the Law establishes some cases where the Controller is not obliged to cancel or delete the personal data.
  • Right to object to processing
    Data subjects have the right to object to the processing of their personal data due to a legitimate reason.
  • Right to restrict processing
    Data subjects have the right to restrict the processing of their personal data due to a legitimate reason.
  • Right to data portability
    Data subjects have the right to obtain, from the subject concerned, a copy of their processed data, which allows the data subject to continue using their PI.
  • Right to withdraw consent
    At any time, the data subject may withdraw their consent for the treatment of their personal data. The Controller must establish simple and free mechanisms that allow the data subjects to withdraw their consent at least by the same means by which they granted it.
  • Right to object to marketing
    In addition to the general rights described above, data subjects have the right to oppose the use of their personal data for marketing or advertising purposes.
  • Right protecting against solely automated decision-making and profiling
    Data subjects have the right to object, at any time, to the processing of their data by any mechanism, including automated decision-making and profiling.
  • Right to complain to the relevant data protection authority(ies)
    Data subjects are entitled to submit a claim before the Ministry of ACGG. The claim must be filed in writing and must clearly state the provisions of the Law that are deemed infringed; also, it must be submitted within the 15 days following the date on which the response to the data subject has been communicated by the Controller.
  • Right to a verification procedure
    Data subjects have the right to request a verification procedure before the Ministry of ACGG, by which the authorities will check the Controller's compliance with all the provisions set forth in the Law, or any other applicable regulations.

5.2 Please confirm whether data subjects have the right to mandate not-for-profit organisations to seek remedies on their behalf or seek collective redress.

The only persons who may seek remedies for data protection infringements are the data subjects themselves or, where applicable, their legal representatives. The Law does not contemplate collective redress.

6 Children's Personal Data

6.1 What additional obligations apply to the processing of children's personal data?

The consent of a child's legal guardian must always be obtained when processing a child's personal data. This applies to any individual younger than 18 years of age.

7 Registration Formalities and Prior Approval

7.1 Is there a legal obligation on businesses to register with or notify the data protection authority (or any other governmental body) in respect of its processing activities?

No, there is not.

7.2 If such registration/notification is needed, must it be specific (e.g., listing all processing activities, categories of data, etc.) or can it be general (e.g., providing a broad description of the relevant processing activities)?

This is not applicable.

7.3 On what basis are registrations/notifications made (e.g., per legal entity, per processing purpose, per data category, per system or database)?

This is not applicable.

7.4 Who must register with/notify the data protection authority (e.g., local legal entities, foreign legal entities subject to the relevant data protection legislation, representative or branch offices of foreign legal entities subject to the relevant data protection legislation)?

This is not applicable.

7.5 What information must be included in the registration/notification (e.g., details of the notifying entity, affected categories of individuals, affected categories of personal data, processing purposes)?

This is not applicable.

7.6 What are the sanctions for failure to register/notify where required?

This is not applicable.

7.7 What is the fee per registration/notification (if applicable)?

This is not applicable.

7.8 How frequently must registrations/notifications be renewed (if applicable)?

This is not applicable.

7.9 Is any prior approval required from the data protection regulator?

This is not applicable.

7.10 Can the registration/notification be completed online?

This is not applicable.

7.11 Is there a publicly available list of completed registrations/notifications?

This is not applicable.

7.12 How long does a typical registration/notification process take?

This is not applicable.

Originally published by International Comparative Legal Guides (ICLG)

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
