Social Network

Select Language

Data Protection and Privacy

The Data Protection and Privacy practice, as part of the Telecommunication, Media and Technology practice, has been formed to respond to the changing needs of those obligated to comply with the provisions of the Federal Law on the Protection of Personal Data Held by Private Parties (hereinafter, “LFPD” for its acronym in Spanish), and other applicable and in force legislation.

The Data Protection practice is composed by specialized lawyers that have international training in the field. The foregoing, combined with the experience and prestige of BGBG since its founding, is aimed to provide our clients complete, informed and quality services.

The development of our practice is embedded on the concept “boutique”, from which the firm came to life; namely, an organizational model that has allowed us to provide professional, personal, and avant-garde services, that meet the specific needs of our clients.

The Data Protection and Privacy practice offers consulting and advisory services, such as data protection compliance projects, drafting of international and domestic data transfer agreements (i.e. controller-controller and controller-processor), development of self-regulatory mechanisms and other measures (codes of conduct), personal design of procedures to respect data subjects’ right, drafting and implementation of data protection policies and contracts, among others.
Since the publication of the Mexican Data Protection Law, BGBG designed and developed a unique methodology, in order to achieve an optimal compliance thereof, executing effective “LFPD Compliance Projects”. The aforementioned, is supported by the extensive, national and international experience of our members.

Since then, BGBG defined the following key points as guiding principles of its methodology:

  • Knowledge and level of development of domestic and international Data Protection legislation;
  • State of the information security culture in Mexico;
  • State of the data protection culture in Mexico;
  • Knowledge of vulnerable sectors;
  • Spreading of the culture of prevention vs the culture of reaction;
  • Flexibility on the provision of services.

Our compliance methodology has evolved on the basis of the development of domestic (and international) legislation. Taking into account the subsequent publication of the LFPD Regulations, the Privacy Notice Guidelines, the Recommendations regarding a Model of Video Surveillance Short Privacy Notice, the Recommendations on Security of Personal Data, the Parameters of Self-regulation on Data Protection, among others.

The Data Protection Due Diligence aims to identify and asses the level of compliance or non-compliance in each entity. The foregoing, in accordance with several provisions set out in the LFPD, its Regulations, Privacy Notice Guidelines, Recommendations on Security of Personal Data, among other applicable legislations.

Some activities of a Data Protection Due Diligence, include:

  • Identification and evaluation of personal data flows;
  • Identification and evaluation of existing personal data processes and procedures;
  • Identification and evaluation of existing personal data processes and procedures;
  • Identification and review of domestic and international transfers of personal data, as well as data process agreements;
  • Identification of information systems, which should audit their compliance in accordance to the Recommendations on Security of Personal Data.
The Personal Data Consultancy and Advisory Services (hereinafter, “CAPD” for its acronym in Spanish), aims to provide entities and/or individuals with expert counseling, consulting, implementation and support services to effectively comply with the LFPD, its Regulations, and other applicable norms, within the framework of article 30 of the LFPD.

The CAPD Service offers such entities and/or individuals the possibility to instruct a third party with a high degree of knowledge, experience and expertise, its obligations set forth in the LFPD and rest of applicable legislations.

The CAPD Service is based on three groups, i.e. Preventive Security Actions, Advisory Security Actions and Reactive Security Actions. These services include:

  • Legal advice and consultation;
  • Responding and monitoring ARCO rights requests (Access, Rectification, Cancellation and Opposition), as well as requests of revocation of consent, and limitation and/or disclosure of personal data;
  • Key decisions regarding the implementation of data protection measures and compliance policies.
The Mexican Data Protection Law grants the data subjects the right of access to their data, ratify it, cancel such information and oppose processing of their data (ARCO rights), which they can exercise before the data controller, according to the regulations and proceedings for data protection. In the department of Data Protection and Privacy of BGBG we offer the data controller specialized legal counseling, regarding the admissibility and extent of the requests made by the data subjects, in order to provide a proper response that complies with the legal framework, which includes but is not limited to the Mexican Data Protection Law.

This legal service includes, among other, a regulatory analysis of the data controller’s activity, determination of deadlines and preservation of the information, and offer appropriate responses to specific ARCO rights requests.

When needed, in BGBG we will help our clients to implement layouts and other internal process in order to respond to such requests, in which case the data controller may choose to keep them as part of actions taken to comply with the data protection legal framework.
Among its power and authority, the Federal Data Protection Authority (INAI for its acronym in Spanish), can make any request, investigate and verify the data controller´s activity to make sure that they comply with the Mexican Data Protection Law (LFPD for its acronym in Spanish) and, when necessary, penalize them for violations to the Law.

The legal counseling and representation before such Authority aims to provide the data controller with legal assurance in any proceedings, making sure that in every instance they have the best legal advice to reply to any notified requests, to provide the proper information and, if needed, suppress or minimize the consequences that such proceedings may have.

This legal service includes:

  • Legal representation before the proper Authority.
  • Provide response to the requests and reports required by the Authority.
  • Follow proceedings, until they have concluded.
  • If needed, give legal counsel and follow proceedings before the Federal Court of Administrative Justice.
Our Compliance Projects include training courses for diverse target audiences, about the implementation of the LFPD, its Regulations, and other applicable norms.

The training that BGBG offers satisfies its clients' specific requirements. Moreover, its members have extensive experience in the delivery of relevant courses, whose audience is, and has been, diverse in number and professional profiles.

An example of the aforesaid courses, are the following:
  • Data Protection Legal Framework;
  • Functions and Obligations of Employees, on the field of Personal Data;
  • Responding to ARCO rights requests (Access, Rectification, Cancellation and Opposition), as well as requests of revocation of consent and limitation and/or disclosure of personal data;
  • Among others.
Since the publication of the Parameters of Self-regulation on Data Protection (hereinafter, the “Parameters”), BGBG has been monitoring and developing new work methods and measures to offer alternatives to its clients that may be subject to the provisions of such Parameters. With the foregoing, BGBG offers solutions and advice in self-regulatory mechanisms under the framework of article 44 of the Federal Law on the Protection of Personal Data Held by Private Parties (“LFPD”, for its acronym in Spanish).

Moreover, BGBG provides consultancy in this specific area, in order to assist interested clients that expect the Federal Institute for Access to Information and Data Protection to issue the Regulations on Operating Rules of Self-Regulatory Mechanisms Registry.
Ever since the Court of Justice of the European Union issued its ruling on the “Right to be Forgotten” on May 13, 2014, such decision has been studied, analyzed and commented worldwide.

Its significance for the Internet search engines is so important, that on the following five months after the issuance of the ruling, the most renowned search engine (Google®) received more than 120,000 requests, in relation to the removal of links leading to content considered injurious to individuals who promoted those requests.

In this scenario, BGBG provides legal advice to data subjects who consider that their rights have been infringed because of certain content that is indexed on the Internet.

Our experts will personally advise you, in order to define the possibilities of requesting the cancellation of your personal data from such search engines results and, where appropriate, any other rights that you may exercise before those data controllers.
International training and expertise to provide practical and efficient compliance solutions.



Agustín Manuel Chávez 1-001
Centro de Ciudad de Santa Fe
México, D.F., 01210
Tel. +52 (55) 5292 5232


Avenida de Brasil, 29 - 1º
28020 Madrid, España
Tel. +34 91 192 0017