
Mexico’s Data Protection Legal Framework. It’s Real And It’s Serious.


By Héctor Guzmán Rodríguez, Data Protection and Privacy / Published on July 13th, 2017.


Seven years ago, the Mexican Federal Law on the Protection of Personal Data Held by Private Parties (the Federal Law on Data Protection) was enacted. Seven years ago, things started to change in Mexico.

At that time, when companies faced the question “Do you comply?” it was not unusual to hear answers like these:

- This is a fad!

- Who REALLY cares about personal data?

- My company doesn’t need to comply with THAT law, I only process clients’ information.

- My IT department is in charge.

- My parent company is American/European, they are in charge of THAT stuff.

Nowadays, things are different and data protection is here to stay in Mexico.

It doesn’t matter whether your company is 100% Mexican or a subsidiary of a foreign company: chances are that you have to comply and that you need to review your compliance level.


Is it a unique legal framework?

In a broad sense, the Federal Law on Data Protection is unique in its own way, but it is impossible not to find European, American and APEC-region influences in it. Put simply, Mexico was following a global trend, and its new Federal Law was fed with the experience of several countries.

Many times, I have said that the Mexican Data Protection Law has an 80% European DNA, mostly because of the data protection principles that we introduced into our legal system (and the “ARCO rights”) by reference to the then-in-force Data Protection Directive and the then-forthcoming GDPR.

Because of that, it is easier for European organizations to understand the Mexican data protection requirements, and any DPO familiar with the requirements of the European GDPR will find that some Mexican principles are quite similar to those that will soon be enforceable in the EU.


My parent company has a “Privacy Policy” and they told us to use it in Mexico

Over the last few years, we have heard many Mexican legal counsels and/or CIOs assert that, because they use their parent company’s Privacy Policy, they are quite confident that their (Mexican) companies comply with the Mexican data protection law.

However, it is a fact that a number of companies that relied on their parent company’s privacy policy have found themselves at fault when the Mexican Data Protection Authority (INAI) investigated and prosecuted breaches of the Mexican law, because… you know… a Privacy Notice (or a Global Privacy Policy) is not enough to comply.


What should I do?

The truth is that you will have to comply at a local level, by means of at least:

• a review and assessment of all your data flows,
• a review of the electronic and physical forms that your company uses to collect personal data,
• an assessment of how your company complies with the eight (8) data protection principles,
• an inventory of your filing systems and the relevant security measures applied to them,
• a review of your contracts with the relevant data processors,
• a review of your contracts with data importers (including foreign data processors, if that is the case),
• implementation of an effective procedure to address data access, rectification, cancellation or opposition rights (known in Mexico [and Spain] as ARCO Rights),
• designation of an internal or external “personal data person or department”, which in certain cases will be the equivalent of a DPO,
• ensuring the existence of a Data Breach Management and Notification Procedure,
• implementing “accountability” measures such as data protection training for your personnel and the implementation of data protection policies, codes of conduct and/or information security procedures, and
• YES! Drafting and making available new privacy notices.


What are the fines?

For 2017, the following sanctions and fines apply:

a) Warnings,

b) Fines from $7,549.00 to $12,078,400.00 Mexican pesos (approx. US$424 to US$677,000 or €372 to €595,000) per breach, and

c) Fines from $15,098.00 to $24,156,800.00 Mexican pesos (approx. US$848 to US$1,354,000 or €744 to €1,190,000) per breach.

Please note that for any breach of the Federal Law on Data Protection that involves sensitive data, the amount of the relevant fine may be doubled.


BGBG and Data Protection

Our team will be glad to assist you at any moment to answer your questions and to provide legal counseling on complying with the Mexican data protection legal provisions. A list of our specialized services can be found here.

Please note that BGBG has been recognized, for the third year in a row, as one of the best Mexican law firms on data protection. You can check the complete ranking, provided by Leaders League®, here.

If you want to contact our Data Protection partner (Héctor Guzmán), you can reach him by writing to