Data Protected - Mexico

Contributed by Ritch Mueller, S.C.

Last updated December 2017

General | Data Protection Laws

National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement

ePrivacy | Marketing and cookies

National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone

_____________________________________________________________________

General | Data Protection Laws

____________________________________________________________

National Legislation

General data protection laws 

Federal Law for the Protection of Personal Data in the Possession of Private Parties (the “LFPDPPP”) supplemented by the Rules of the Federal Law for the Protection of Personal Data in the Possession of Private Parties (the “Regulation”).

These laws were supplemented in January 2013 by the Parameters for the proper improvement of the mandatory self-regulation schemes referred to in Article 44 of the Federal Law for the Protection of Personal Data in the Possession of Private Parties (Parámetros para el correcto desarrollo de los esquemas de autorregulación vinculante a que se refiere el artículo 44 de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares) (the “Parameters for Mandatory Self-Regulation”), which are designed to establish rules, standards and procedures for the improvement and implementation of mandatory self-regulation for the protection of personal data.

Entry into force

The law was published on 5 July 2010 and came into effect on 6 July 2010. The Regulation was published on 21 December 2011 and came into effect on 22 December 2011.

_____________________________________________________________________ Top

National Supervisory Authority

Details of the competent national supervisory authority

National Institute of Transparency, Access to Information and Personal Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales) (the “INAI”).

Av. Insurgentes Sur # 3211
Col. Insurgentes Cuicuilco
Coyoacán
C.P. 04530
Delegación Coyoacán
México D.F.

www.ifai.org.mx

Notification or registration scheme and timing

Not required.

Exemptions to notification

None.

_____________________________________________________________________ Top

Scope of Application

What is the territorial scope of application?

The Regulation applies to processing: (i) by an entity with an establishment in Mexico; (ii) outside of Mexico if conducted for controller in Mexico; (iii) where the Regulation is applicable by principles of international law; or (iv) where the controller is based outside of Mexico but uses equipment in Mexico (other than for the purposes of transit).

Is there a concept of a controller and a processor?

The Regulation does not contain the concept of controller and processor.

Are both manual and electronic records subject to data protection legislation?

Yes.

Are there any national derogations?

Data protection legislation is applicable to private parties (both individuals and legal entities), except for credit information companies and individuals who collect and store information for personal or domestic use for a non-commercial purpose or without the intent to disclose such information.

_____________________________________________________________________ Top

Personal Data

What is personal data?

“Personal data” is defined as any information relating to an identified or identifiable individual. However, the Regulation does not apply to information regarding: (i) legal entities; (ii) individuals acting as merchants or professionals; or (iii) basic work related contact details.

Is information about legal entities personal data?

No.

What are the rules for processing personal data?

In order to process personal data, the controller must obtain the consent of the data subject through a Privacy Notice. Consent is not required for the processing of personal data when: (i) it is permitted by law; (ii) the personal data has been obtained from public sources; (iii) personal data has been submitted to a dissociation process; (iv) the processing of personal data is made to comply with the obligations deriving from a contract between the controller and the data subject; (v) there is an emergency that might harm an individual or his property; (vi) the processing is for healthcare purposes; or (vii) it is provided by a resolution of the competent authority.

The law also has specific provisions governing domestic and international data transfers. Controllers may transfer personal data if notice of the transfers and their specific purposes are provided in the relevant privacy notice. Controllers must obtain the data subject’s consent by such privacy notice except when, inter alia: (i) permitted by domestic law or a treaty to which Mexico is a party; (ii) the transfer is made for healthcare purposes; (iii) the transfer is made within the same group of companies operating under the same internal processes and policies; (iv) it is necessary pursuant to a contract entered into, or to be entered into, for the benefit of the data subject, by the controller and a third party; or (v) it is necessary for the pursuit of justice or to safeguard the public interest.

Under the Regulation, the controller must also take steps to ensure that data is processed in an accountable manner by, amongst other things: (i) developing policies and programmes; (ii) training staff; (iii) auditing compliance; (iv) reviewing new products and services; and (v) implementing security policies.

The Parameters for Mandatory Self-Regulation provide for the establishment of self-regulatory schemes. These are a combination of self-adopted and mandatory standards, rules and procedures including: (i) procedures to be used for the protection of personal data; (ii) procedures to measure the effectiveness of mandatory self-regulation; (iii) monitoring and review systems, internal and external; (iv) training programs for those who process personal data; and (v) effective remedies in case of default. The scheme must also establish appropriate sanctions for those who fail in the fulfilment of the mandatory self-regulation such as: warnings, financial penalties, temporary or permanent suspension of the self-regulation programme. The scheme supplements the provisions of the LFPDPPP and the Regulation and must be validated by the INAI. When a controller adopts a scheme, it becomes bound by the terms of that scheme.

Are there any formalities to obtain consent to process personal data?

Consent may be express or implied. Express consent may be given verbally, in writing, through an electronic medium, or by unequivocal signs. Implied consent results from non-objection to a privacy notice provided to the data subject.

In certain circumstances, express consent must be obtained, for example the processing of financial information or sensitive personal data (see below).

Are there any special rules when processing personal data about children?

There are no additional rules when processing personal data about children.

_____________________________________________________________________ Top

Sensitive Personal Data

What is sensitive personal data?

“Sensitive personal data” is personal data that affects the owner’s most intimate sphere, or whose improper use could give rise to discrimination or involves a serious risk to the owner; in particular, data is deemed to be sensitive if it could reveal aspects such as racial or ethnic origin, present or future state of health, genetic information, religious, philosophical or moral beliefs, union affiliation, political opinions or sexual orientation.

Are there additional rules for processing sensitive personal data?

For sensitive personal data, the privacy notice sent to the data subject must expressly indicate the subject matter of the information.

Are there additional rules for processing information about criminal offences?

 

There are no additional rules for processing information about criminal offences.

 

Are there any formalities to obtain consent to process sensitive personal data?

Consent must be both express and written, containing the written, electronic or otherwise authenticated signature of the data subject.

_____________________________________________________________________ Top

Data Protection Officers

When must a data protection officer be appointed?

Every controller must appoint a person or compliance department to aid compliance with the LFPDPPP.

What are the duties of a data protection officer?

The relevant person or compliance department must deal with the exercise of the data subject’s rights and promote compliance within the controller.

_____________________________________________________________________ Top

Accountability and Privacy Impact Assessments

Is there a general accountability obligation?

There is no general accountability obligation.

Are privacy impact assessments mandatory?

No, privacy impact assessments are not mandatory.

_____________________________________________________________________ Top

Rights of Data Subjects

Privacy notices

The controller must provide a privacy notice to the data subject containing: (i) the identity and domicile of the controller; (ii) the purposes of the processing of information; (iii) the options and mediums that the controller offers to limit the use of disclosure of the information; (iv) the transfer of information to be undertaken, if applicable; and (v) the procedure and medium the controller shall use to communicate modifications to the Privacy Notice.

Rights to access information

Owners of personal data have the right to have access to his/her personal information.

Rights to data portability

There is no express right to data portability.

Right to be forgotten

An individual also has the right to request the protection of his/her data, the right rectify his/her personal information, the right to have his/her personal information deleted and the right to oppose the use of his/her personal information.

Objection to direct marketing and profiling

The Federal Law on Consumer Protection grants consumers the right to object to direct marketing – i.e. to be free from being contacted in their home, at their place of work, by email or by any other means to offer goods and/or services. Additionally, subscribers may prohibit companies from disclosing subscribers’ information to third parties.

Other rights

An individual may rectify incorrect or incomplete data and additionally may request the cancellation/withholding of its personal data.

_____________________________________________________________________ Top

Security

Security requirements in order to protect personal data

It is necessary to establish and maintain physical and technical administrative security measures designed to protect personal data. The Regulation contains detailed security requirements including obligations to carry out a security risk analysis.

Specific rules governing processing by third party agents (processors)

A controller must ensure that there is a written contract (or similar instrument) with any processor that obliges such party to: (i) process personal data only under the controller’s instructions; (ii) implement appropriate security measures and ensure personal data is kept confidential; (iii) delete personal data at the end of the relationship, unless required to keep a record of such information by law; and (iv) not disclose personal data unless instructed to do so, to a subcontractor or when required by law.

The Regulations also contain specific provisions applicable to outsourcing and cloud computing.

Notice of breach laws

It is necessary to inform the data subject of any security violations so that the data subject takes the appropriate measures to protect its personal data. The Regulations set out certain requirements for the content of such notifications.

_____________________________________________________________________ Top

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

There are obligations applicable to both domestic and international transfers (see “What are the rules for processing personal data?”, above). However, for international transfers, the transferor must also enter into an agreement or legal instrument, or include a clause to establish the same obligations, to ensure that the use of the personal data continues to be subject to the same level of protection.

Notification and approval of national regulator (including notification of use of Model Contracts)

Not necessary.

Use of binding corporate rules

None.

_____________________________________________________________________ Top

Enforcement

Fines

Penalties vary from a warning notice to fines ranging from 100 to 320,000 days of the minimum daily wage in Mexico City to imprisonment. These penalties may double in the case of sensitive personal data.

The adoption of self-regulatory scheme under the Parameters for Mandatory Self-Regulation can be used as evidence of compliance with the LFPDPPP and the Regulation and may help to reduce any sanctions should a breach occur.

Imprisonment

Penalties include imprisonment ranging from three months to five years. These penalties may double in the case of sensitive personal data.

Compensation

No right to compensation.

Other powers

None.

Practice

According to the website of the INAI, there have been 631 claims filed before the INAI that initiated a data protection proceeding since 2012 to this date. In the same period of time, 123 enforcement proceedings were commenced and only 83 were resolved and sanctioned; 40 of such proceedings remain pending.

Between 2011 and 2016, the INAI has conducted 137 audits of local companies including insurance companies, financial services providers, hospitals and medical clinics, home appliance stores, restaurants, hotels and supermarkets. 

Most of these sanctions are for unauthorized data processing, failure to provide access, rectification, cancellation or right to oppose the use of his/her personal data and failure to provide a Privacy Notice.

_____________________________________________________________________ Top

ePrivacy | Marketing and cookies

_____________________________________________________________

National Legislation

ePrivacy laws

None.

_____________________________________________________________________ Top

Cookies

Conditions for use of cookies

No.

Regulatory guidance on the use of cookies

No.

_____________________________________________________________________ Top

Marketing by E-mail

Conditions for direct marketing by e-mail to individual subscribers

The Federal Law on Consumer Protection grants consumers the right to object to direct marketing – i.e. to be free from being contacted in their home, at their place of work, by email or by any other means to offer goods and/or services. Additionally, subscribers may prohibit companies from disclosing their information to third parties.

Conditions for direct marketing by e-mail to corporate subscribers

None.

Exemptions and other issues

None.

_____________________________________________________________________ Top

Marketing by Telephone

Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

The Federal Law on Consumer Protection grants consumers the right to object to direct marketing – i.e. to be free from being contacted in their home, at their place of work, by email or by any other means to offer goods and/or services. Additionally, subscribers may prohibit companies from disclosing their information to third parties.

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

None.

Exemptions and other issues

None.

_____________________________________________________________________ Top