The objective of the Mexico Data Protection Act, formally known as the Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP), is to protect personal data (PII, financial, IP, HHI, customer-confidential, etc.) held by private entities. Mexican privacy law governs how data is processed by a data controller in Mexico, by a data processor in Mexican territory, or on behalf of a data controller or processor located outside Mexico that processes the information of Mexican citizens. The law defines processing as the collection, use, storage, handling, or transfer of personal data by the private entity.
Further, the act grants individuals (data subjects) rights and controls over their personal data that they can exercise directly. The law is organized into 11 chapters comprising 69 articles.
Chapter I: General Provisions
The General Provisions state the basic principles and definitions of the law to ensure the right interpretation, protection, legitimate processing, and privacy of personal data held by private entities in Mexico. In Chapter 1, there are five articles summarized below:
- Article 1 establishes the law’s aim to protect personal data, emphasizing its public order nature and general applicability.
- Article 2 specifies the private entities regulated by the law, excluding credit reporting companies and individuals collecting data for personal use without intent for disclosure or commercial use.
- Article 3 defines key terms such as personal data, sensitive data, data controller, and privacy notice, ensuring consistent interpretation and application.
- Articles 4 and 5 outline the law's principles and supplemental legal frameworks.
Chapter II: Principles of Personal Data Protection
This chapter sets out the lawful and fair processing of personal data while respecting individuals' privacy. The law requires personal data to be handled lawfully, with the consent of the data subject, for a clear purpose, and kept accurate and up to date as the legal framework requires. There are 4 articles (from 6 to 9) in this chapter.
- Article 6 requires data controllers to adhere to principles of legality, consent, notice, quality, purpose, fidelity, proportionality, and accountability.
- Articles 7, 8 & 9 require the data subject's express, informed consent for processing sensitive personal data (racial or ethnic origin, genetic information, and more), except under specific lawful exceptions.
- Article 10 lists exceptions where consent is not required, including legal obligations and emergencies.
- Article 11 ensures data relevance and mandates the cancellation (erasure) of data when it is no longer necessary.
- Article 12 limits data processing to the purposes stated in the privacy notice, requiring fresh consent for new purposes.
- Article 13 emphasizes that data processing should be necessary and relevant, particularly concerning sensitive data.
- Article 14 stipulates that the controllers must ensure compliance with data protection principles and respect the privacy notice.
- Article 15 states that the data controller must inform data owners about what information is collected and why through a privacy notice.
- Article 16 mandates that the notice must include the identity and address of the data controller, the purposes of data processing, options for limiting data use, methods for exercising rights to access, correct, or delete data, any planned data transfers, and how changes to the notice will be communicated.
- Articles 17 and 18 specify the timing and manner for making privacy notices available to data owners.
- Article 19 requires data controllers to implement security measures to protect personal data.
- Article 20 mandates immediate reporting of security breaches to data owners.
- Article 21 enforces confidentiality obligations for all parties involved in data processing, which continue even after the relationship ends.
Chapter III: Rights of Data Owners
This Chapter focuses on the rights of data owners in detail and explains the obligations of data controllers to facilitate these rights.
- Articles 22, 23, & 24 give individuals or their legal representatives the right to access, rectify, cancel (erase), and object to the processing of their personal data. They may also access the data held by the controller and be informed of the applicable privacy notice, so that their rights are protected and promptly actionable.
- Article 25 gives data owners the right to cancel (wipe) their personal data, which is first blocked and then erased. The data controller must inform the data owner of the erasure and notify any third parties so that they correct or erase the data as well.
- Articles 26 & 27 state that the data controller is not required to cancel (delete) personal data when it pertains to contract performance, legal requirements, public interest, or medical management. However, individuals may object to the processing of their data for legitimate reasons; if those reasons are found valid, the controller must cease the processing.
Chapter IV: Exercise of Rights of Access, Rectification, Cancellation and Objection
This chapter specifies the rights of data owners with respect to data controllers/processors.
- Articles 28 & 29 specify that the data owner or their legal representative can request access, rectification, cancellation, or objection concerning their personal data from the data controller at any time. The request must include the data owner's name, address, or other means of notification establishing their identity.
- Article 30 requires every data controller to appoint an individual or department to handle data owners' requests as specified in the law. That person or department must also promote the protection of personal data within the organization at all times.
- Articles 31 & 32 require the data owner to specify desired changes to be made by providing relevant documentation. The data controller must inform the data owner about the decision within 20 days of the request received for access, rectification, cancellation, or objection.
- Articles 33, 34, and 35 explain that the data owner can obtain their personal data by asking the data controller for copies or electronic documents. If the party contacted is not the data controller, it must say so to the data owner, and this counts as fulfilling the request. A data controller can deny access or changes if the requestor is not authorized, if the data is not in the database, if the change would affect others' rights, if there is a legal restriction, or if the action has already been carried out. If access is denied, the data controller must tell the data owner or their legal representative why, using the same channel the data owner used to make the request (e.g., email, letter).
Chapter V: Data Transfer
This chapter outlines the conditions and requirements for transferring personal data to third parties, both domestically and internationally, while protecting the data subject's rights.
- Articles 36 & 37 apply when the data controller transfers personal data to third parties (other than the data processor); in that case, the controller must provide the privacy notice and the purposes of use as specified to the data owner. The processing must follow the terms of the privacy notice, including the data owner's consent to the transfer, and the third party assumes the same obligations as the data controller. This does not apply to transfers required by law or treaty, for medical purposes, for contracts involving the data owner, or for legal proceedings.
Chapter VI: Authorities
This chapter is divided into two sections and covers a total of seven articles, focusing on the roles and responsibilities of the authorities in data protection.
SECTION I: The Institute
- Articles 38 & 39 empower the Institute (a body of the Federal Public Administration) to ensure data protection and legal compliance. The Institute must clarify rules, provide support, and advise stakeholders. It must impose penalties, collaborate with other organizations, report to Congress, and participate in international forums, as well as provide training on data protection.
SECTION II: Regulatory Authorities
- Articles 40-44 establish a framework for government agencies to create regulations with the Institute's help. The Ministry informs businesses about data protection obligations, promotes best practices, and supports the digital economy. Rules apply to automated databases, creating guidelines, maintaining consumer registries, and raising awareness in trade forums.
Chapter VII: Rights Protection Procedure
The articles in this Chapter outline the procedure for protecting data owners' rights and explain the submission, processing, and resolution of data protection requests.
- Articles 45 and 48 detail the procedure for submitting requests within 15 days of the data controller's response. The Institute forwards the request to the data controller, who must respond within 15 days. The Institute then reviews the evidence and issues a decision. Favorable decisions require the data controller to comply within ten days and report compliance to the Institute.
- Articles 49 & 54 grant a five-day extension to correct incomplete requests. The Institute must correct deficiencies in requests without altering their content. Five grounds are specified for rejecting a data protection request: the Institute lacks authority, it has already decided the same issue, a related court case exists, the request is offensive, or it was filed late. The request is dismissed if the data owner dies, withdraws the request, new grounds for rejection arise, or the request becomes irrelevant.
- Article 55 specifies that if the data controller fails to respond, the Institute mandates a response within ten days. If the Institute is satisfied, it dismisses the request; otherwise, it issues a decision based on the original request.
- Articles 56 & 57 allow private parties to file petitions for annulment of the Institute's decisions with the Federal Tax and Administrative Court. The Institute's decisions may be publicly released with identifying information omitted.
- Article 58 gives data owners the right to seek indemnity for harm or damage caused by breaches of the law by data controllers or processors.
Chapter VIII: Verification Procedure
This chapter explains how the Institute monitors the adherence to Federal Law on the Protection of Personal Data.
- Articles 59 & 60 state that the Institute ensures compliance with the Federal Law on Protection of Personal Data. Verification can be initiated by the Institute or an interested party, especially in cases of non-compliance or suspected violations. The Institute can access necessary information and documents, and federal public servants must keep this information confidential. The Regulations will detail the procedures, terms, and timelines for verification.
Chapter IX: Penalty Application Procedure
This chapter explains how penalties are applied when the Institute finds a possible breach of the Federal Law on Protection of Personal Data during rights protection or verification procedures.
- Articles 61 and 62 describe the penalty application procedure for submission and verification. If the Institute finds a presumed breach of the law during a rights protection or verification procedure, it will notify the alleged offender and allow fifteen days to present evidence and arguments. After reviewing all evidence, the Institute will issue a final decision within fifty days, which can be extended once.
Chapters X & XI: Violations, Penalties & Lawsuit for Crimes
These chapters define violations of the Federal Law on the Protection of Personal Data and outline the penalties the Institute imposes for such breaches.
- Articles 63-66 outline violations and penalties for data controllers. Violations include neglecting data owner requests, acting fraudulently, and processing data unlawfully.
- Penalties range from warnings to fines of between 100 and 160,000 days of the Mexico City minimum wage for minor breaches, from 200 to 320,000 days for more severe violations, and doubled fines for breaches involving sensitive data.
The Institute considers data nature, intent, and recurrence when deciding penalties, which do not affect civil or criminal liability.
- Articles 67-69 set stringent penalties for the misuse of personal data. The law imposes:
- Imprisonment of 3 months to 3 years for individuals responsible for a security breach in the databases they manage.
- Imprisonment of 6 months to 5 years for those who deceitfully process personal data for unlawful gain, exploiting the error of the data owner or transmitter.
- Doubled penalties for offenses involving sensitive personal data, emphasizing the need for heightened protection of such information.
How do Mexico businesses stay compliant with the Data Protection Act?
To stay compliant with the data cancellation policies of the Mexico Data Protection Act, businesses must adhere to specific guidelines. Article 11 mandates that data controllers cancel personal data when it is no longer necessary for its original purpose. Article 37 requires informing third-party vendors to also cancel the data, ensuring complete erasure beyond recovery. The Federal Institute for Access to Information and Data Protection, as specified in Article 40, verifies compliance and may request proof of data erasure. Violations incur severe penalties: Article 64 imposes fines ranging from 24,893 to 79,657,600 pesos, based on the 2024 minimum wage of 248.93 pesos per day, with additional fines for repeated offenses and doubled penalties for breaches involving sensitive data.
Once data is to be permanently removed or cancelled, businesses must use a secure data erasure tool such as BitRaser Data Erasure to wipe it from their devices. The software produces a certificate of data destruction (CoD) that helps demonstrate compliance with the Mexican Data Protection Act.