Data Protection & Privacy 2023

Last Updated February 06, 2023


Law and Practice


Nader Hayaux & Goebel (NHG) is a market leader in M&A, banking and finance, fintech, securities and capital markets, tax, insurance and reinsurance, project finance, real estate, data protection, government procurement and antitrust, among other matters. The firm is made up of 16 partners, 3 consultants and more than 35 associates, and fields one of the largest groups of corporate finance experts in the Mexican market. NHG is the only Mexican law firm with an office in London, with a strong focus on developing and pursuing business opportunities across Mexico, the UK and other European countries. The firm also enjoys excellent working relationships with law firms in all major cities around the world.

Personal data protection is regulated in Mexico by the Federal Law for the Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares), its Regulation (Reglamento) and the Privacy Notice Guidelines (Lineamientos del Aviso de Privacidad) (jointly, the DPR). The DPR is applicable to any individual or entity of the private sector that processes personal data in Mexico. 

The DPR sets forth the principles, requirements and obligations that any individual or entity must observe in order to process, use and transfer the personal data of any individual as data subject (titular). 

Pursuant to the DPR, data controllers (responsables) must comply with the following principles: lawfulness, loyalty, information, consent, quality, purpose, proportionality and responsibility (accountability). Compliance with these principles ensures that data controllers collect and process personal data adequately and implement the measures necessary to protect it. 

The most important principles are (i) information, ie, the obligation to provide the privacy notice to the data subject before collecting and processing their personal data, and (ii) consent, ie, the obligation to obtain the data subject's prior consent to the processing of their personal data. The privacy notice must be in Spanish, clear and easy to understand. The data controller may deliver the privacy notice in writing, in digital form, by recording or through any other technological means available.

The DPR establishes a stricter regime for sensitive personal data. To process sensitive personal data, the data controller must obtain the express written consent of the data subject. In case of non-compliance, the regulator can impose a fine of up to twice the amount that would apply to the same infringement involving another type of personal data.

The authority responsible for the surveillance and enforcement of the DPR in Mexico is the National Institute for Access to Information and Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales) (INAI). 

The INAI has the authority to initiate audits and investigations as part of its supervisory powers, either ex officio or upon request by an interested third party. If the INAI detects non-compliance with the DPR, it may issue a warning or impose a fine. In 2022, the INAI imposed fines totalling more than MXN60 million (approximately USD3 million, at an exchange rate of MXN20 per USD1).

The DPR sets forth the following procedures. 

  • A procedure that the data subject can initiate before the INAI (rights protection procedure), claiming that the data controller has violated their rights of access, rectification, cancellation or opposition (the “ARCO Rights”). 
  • A verification procedure that the INAI can initiate ex officio or at the request of a third party, in order to obtain the information needed to verify any violation of the DPR.

If, as a result of the procedures above, the INAI determines that the DPR has been breached, it will open a sanction procedure, which begins with a notification to the alleged infringer. The infringer has 15 days to submit evidence and any pertinent statements in writing. Once the INAI has reviewed the evidence, it notifies the infringer, who then has five days to prepare and present their arguments. In total, the INAI has 50 days from the start of the procedure to issue its resolution and notify the infringer. If the infringer disagrees with the INAI's resolution, they may challenge it before the Federal Court of Administrative Justice (Tribunal Federal de Justicia Administrativa).

The DPR was drafted on the basis of, and incorporates, the data protection principles of the EU Data Protection Directive (Directive 95/46/EC, the "EU Directive"). Mexico has not adopted rules equivalent to those of the General Data Protection Regulation (GDPR). As of this date, there is no public information on any bill to amend the DPR, or on how the INAI would co-operate in the enforcement of the GDPR in Mexico.

Currently, there are no NGOs or SROs in Mexico that focus solely on, or play an important role in, the protection of personal data rights. NGOs and SROs are, however, private entities subject to the DPR when they process personal data, and must themselves comply with the DPR and implement its principles. 

The DPR follows the EU Directive and, although it has not been aligned with the GDPR, shares several principles with it. Compared with other national systems, it lacks risk assessment obligations and risk mitigation measures, and it needs legislation that addresses more specific and current situations already regulated in other countries.

Mexico must implement and amend the DPR in order to include the requirements to process personal data obtained from innovative and new technologies. 

Some of the new obligations incorporated in the GDPR, which are not yet included in the DPR, are:

  • the portability right;
  • privacy by design;
  • express obligations regarding the consent of minors under 16 years of age; and
  • new obligations and requirements if the data controller implements new technologies in the processing of the personal data.

Since the DPR is based on the guidelines of the EU Directive, and has not been standardised in line with the GDPR, the development of data privacy regulation in Mexico has occurred primarily in terms of enforcement.

Regarding enforcement, the number of fines the INAI imposed in 2022 decreased compared with 2021; however, the INAI issued more recommendations and ran more campaigns. Notwithstanding the above, there have been no significant advances in rule-making, and only certain relevant criteria have been established through litigation.

Broader protection for users' personal data, including sensitive information such as biometric data (which is scarcely regulated in Mexico and is a crucial safety requirement), and the standardisation of personal data protection at the regional and federal levels remain pending.

Additionally, the DPR lacks the inclusion of certain obligations already included in other jurisdictions around the world, such as:

  • the portability right;
  • impact assessment;
  • the implementation of new technologies in the processing of personal data; and
  • privacy by design. 

Data Protection Officer

Pursuant to the DPR, data controllers must appoint a data protection officer or department (DPO) that has the responsibility of processing the requests of the data subjects in relation to the exercise of their data protection rights, the promotion of personal data protection and compliance with applicable obligations. 

The INAI recommends appointing a DPO that has:

  • expertise in data protection matters;
  • a position within the company that permits the implementation of policies;
  • the necessary material, technical and human resources; and
  • leadership, organisational and communication skills. 

Processing and Collection

Before processing personal data, the data controller must obtain the data subject's consent to collect and process it. The type of consent required (tacit, express, or express and written) depends on the category of personal data being collected and processed (patrimonial/financial, sensitive or other). 

In exceptional cases, the DPR permits the data controller to collect and process personal data without the data subject's consent, among others, when:

  • the personal data is contained in publicly available sources;
  • the personal data has been dissociated;
  • the personal data is processed to comply with obligations arising from the legal relationship between the data subject and the data controller;
  • there is an emergency situation that may cause harm to the data subject; and/or
  • a competent authority so orders, or the processing is essential for the medical care of the data subject. 

Privacy by Design

Mexico has not implemented criteria such as “privacy by design” or “privacy by default” in the DPR. 

Privacy Impact Assessment

Pursuant to the DPR, there is no express obligation for the data controller to perform an impact assessment; however, the data controller must establish and maintain security measures for the processing of personal data. 

Privacy Policies

In Mexico, data controllers must establish and adopt internal privacy policies that implement a data protection regime and guarantee compliance with the principles of the DPR. These internal policies must provide for transparency, continuous monitoring of risks, and the proper processing of personal data. 

ARCO Rights

The DPR recognises and incorporates the ARCO Rights. Pursuant to the DPR, the data subject has, at all times, the right to access, rectify and cancel their personal data and to oppose its processing, as well as to revoke any consent given for the processing of their personal data. Additionally, the data subject may accept or refuse the transfer of their personal data. 

To exercise their ARCO Rights or revoke their consent, the data subject must follow the process that the data controller establishes in its privacy notice. In any case, the data controller cannot charge a fee for this.


The DPR does not regulate the right to data portability. 


The DPR recognises dissociation, the procedure by which personal data is rendered incapable of being associated with the data subject. Once personal data has been dissociated, it is no longer personal data subject to the DPR, so the data controller does not need the data subject's prior consent to process it. Data that the controller can still re-link to an individual (for example, through a key it retains) has not been dissociated. 

The DPR classifies the information into three categories: (i) sensitive personal data, (ii) financial/patrimonial data, and (iii) other general data. 

Sensitive personal data is data concerning the most intimate sphere of the individual, or whose misuse may give rise to discrimination or entail a serious risk for the individual. Pursuant to the definition in the DPR, this includes in particular data that may reveal racial or ethnic origin, present and future health status, genetic information, religious, philosophical and moral beliefs, union membership, political opinions and sexual preference. 

Data controllers must obtain the data subject's consent prior to any processing; the type of consent depends on the category of personal data. For sensitive data, the DPR establishes the highest degree of protection and the strictest requirements: the data controller must obtain the data subject's express written consent. 

For the creation of a database containing sensitive data, the data controller must legally justify that the data collection is legitimate, concrete and in accordance with the purposes described in its privacy notice.

It is important for the data controller to limit the period of processing of sensitive personal data to the minimum necessary compared to other categories of personal data. 

In relation to location data, several jurisdictions around the world have moved to treat location or geolocation data as sensitive personal data, so as to impose specific restrictions on its processing. In Mexico, geolocation is a controversial issue, since the DPR does not classify it as sensitive personal data and the INAI has not issued an opinion on the matter. However, since March 2021 Mexican banks have been required to obtain their users' geolocation, and users must allow access to it in order to perform banking transactions through mobile devices. This will probably prompt the INAI and the other relevant authorities to amend the DPR or publish criteria specifying how location or geolocation data must be processed. 

Regarding biometric data, the INAI published a guideline establishing that biometric data is not automatically sensitive personal data. To determine whether particular biometric data should be treated as sensitive, the data controller must evaluate whether it concerns the most intimate sphere of the data subject, whether its improper use may give rise to discrimination, and/or whether its unlawful use may entail a serious risk for the data subject. For example, the INAI has determined that a fingerprint is always considered sensitive personal data. 

In any case, the INAI requires that the privacy notice expressly state whether biometric data is processed and, if so, whether it is treated as sensitive personal data. 

Pursuant to the DPR, purposes that are not necessary for, and do not give rise to, the legal relationship between the data controller and the data subject are considered secondary purposes (for example, marketing communications, unsolicited email, advertising, calls, text messages and commercial prospecting).

The data subject has the right to refuse or revoke their consent, and to object to the processing of their personal data, when the processing is for secondary purposes. These secondary purposes must be included in the privacy notice, together with the means by which the data subject may exercise the right to refuse, revoke or object to processing for such purposes. 

There are no special rules on the processing of personal data of employees. The terms of the DPR apply to the data processed by the employer of its employees. 

Communications Monitoring

In general, surveillance and supervision in work environments must always be proportional and adequate to the situation at hand. Although communication tools, such as corporate e-mails or mobile phones, are considered work instruments, privacy remains a crucial issue. Therefore, clear and precise procedures must be established, which must be communicated to employees in advance in compliance with the DPR.

Whistle-Blower and Anonymous Reporting

Internal complaint systems must always comply with the DPR and its principles. However, given the nature of the employer-employee relationship, the employer's obligations as data controller take on additional elements: proportionality requires that the data processing and the complaints themselves focus exclusively on the employment relationship, and loyalty means acting in a manner that protects the reporter's interests.

Labour Unions 

Labour unions must follow the same principles provided in the DPR for the protection of its members' information. 


The INAI may initiate inspection visits or verification proceedings at any time when it suspects a violation of the DPR, whether as a result of a data subject's complaint or of its own investigation. 

Potential Penalties

The DPR identifies the following penalties: 

  • a warning notice, exclusively applied when the data controller fails to comply with a request to exercise a data subject right; or
  • a fine, which varies depending on the infraction of the DPR.

The DPR also includes the following criminal offences:

  • security violations committed by authorised personnel for profit are punished with three months to three years in prison; and
  • data processing offenses based on deceit, taking advantage of the data subject’s or authorised personnel’s error to profit inappropriately, are penalised with six months to five years in prison. 

If the infraction or conduct involves sensitive personal data, the fines are doubled.

Noteworthy Cases in the Last 12 Months

Currently, the most recent published rulings and cases date from 2020. However, a procedure involving the Mexican Football Federation is ongoing. No specific details have been published, but it is reportedly related to attendance at the Mexican national team's stadium. 

Private Litigation

Since privacy and data protection violations are reviewed and penalised through administrative procedures, there is no civil action to enforce privacy or data protection under the DPR itself. However, Mexican civil legislation allows data subjects to seek compensation in the civil courts by claiming damages and lost profits.

The DPR permits the processing or transfer of personal data, even without consent of the data subject, in the event of national security, public order, public safety and health, or the protection of the rights of third parties, subject to the request of a competent authority.

The Public Prosecutor's Office may request reports or documentation from other authorities and individuals, and authorisation to perform certain acts of investigation, such as access to private communications and correspondence of individuals, which may include personal data.

Also, the Public Prosecutor may intercept private communications and correspondence with prior authorisation of the competent judge. For that purpose, the Public Prosecutor should communicate and justify the purpose and need to carry out such measure.

The request to the supervisory judge must specify the person, the place where the intervention will be carried out, the type of communication to be intervened, its duration, the lines, numbers or devices to be intervened, and the name of the telecommunications service concessionaire through which the communication is carried out.

The National Security Law (Ley de Seguridad Nacional) establishes that judicial authorisation is required to conduct interventions of private communications in cases relevant to national security. This Law contains a list of national security threats for which the Mexican state may request the intervention of private communications. This list includes terrorism, espionage, sabotage and genocide.

In addition, the Center for Investigation and National Security is authorised to assist in the prosecution of justice; however, such assistance will be regulated by the National Code of Criminal Procedures (Código Nacional de Procedimientos Penales) and not by the aforementioned National Security Law.

The data controller may transfer personal data to a foreign government without the data subject's consent only in compliance with a request from a competent authority made pursuant to Mexican law. 

Mexico has not entered into an agreement under the US CLOUD Act or any similar arrangement with the USA. 

In addition to the DPR, the General Law for the Protection of Personal Data in the Possession of Obligated Parties (Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados) (LGPDPPSO) regulates the protection of personal data held by any authority, entity, government body or agency of the executive, legislative and judicial branches, autonomous bodies, political parties, trusts and public funds. This Law regulates the manner in which the state guarantees the privacy of individuals with respect to information held by the government.

The LGPDPPSO imposes express obligations on how the government must safeguard the personal data of individuals.

Key issues arise from the fact that the corresponding authority does not notify the data subject of violations of its rights under the law. 

The DPR permits international data transfers, subject to the information and consent requirements of the DPR; the general requirements apply to international transfers as well. The Regulation also requires the recipient of an international data transfer to assume the same obligations and responsibilities as the transferring data controller.

The Regulation allows data controllers to rely on any legal instrument to fulfil their obligations. Contract clauses are the only tool the DPR names explicitly for meeting those obligations when transferring data internationally. As a general rule, these clauses must contain at least the following:

  • the data receiver must agree to submit to the same obligations as the original data controller; and
  • the data receiver must agree and acknowledge the authorisations granted by the data subject in the privacy notice.

The data controller can also request the INAI’s opinion regarding international data transfers. If deemed necessary, the data controller may submit a request to determine whether the data transfer complies with the DPR.

There are no government notifications or approvals required to transfer data internationally. The data controller will have to include in the privacy notice the transfers of personal data in order to inform the data subject.

There are no specific data localisation requirements. The DPR does not contemplate the need to maintain personal data in-country either. Therefore, it is possible to transfer data internationally; however, data controllers are still required to implement measures to safeguard the data and comply with the requirements for the transfer of personal data established in the DPR, such as the provision of the privacy notice to the data receiver.

Data controllers are not required to share any software code, algorithms or similar technical details with the government in advance. However, it is essential to note that, though it is not explicitly mentioned, an interpretation of Mexican legislation suggests it is possible for the INAI’s General Directorate of Investigation and Verification to request technical details. 

There are no specific requirements for foreign government data requests. Therefore, it is possible to transfer data internationally; however, data controllers are still required to comply with the requirements for the transfer of personal data established in the DPR.

In Mexico, other than the sovereignty of the nation and the provisions set forth in the constitution, there are no specific statutes regarding “blocking”. 

The DPR, which was issued in 2010, has not been subject to modifications. Therefore, it does not address or reflect current issues in the processing of personal data, such as those regarding the use of digital and technological resources. Notwithstanding the foregoing, the DPR addresses the following issues.

Automated Decision-Making

The DPR requires transparency when decisions without human intervention are part of the data processing. Controllers must inform data subjects of such situations before the data processing begins. It is considered good practice to notify the foregoing to the data subject in the privacy notice. 

Profiling or Microtargeting

Cookies are the most common example. Using this type of mechanism in electronic media requires the controller to inform the data subject accordingly: the privacy notice must disclose the presence and use of these technologies, the personal data collected through them, and how they may be disabled, if possible.

The widespread use of data to generate a profile of employees or candidates is still debatable. Therefore, though it is not specially regulated in Mexican provisions, it is highly recommended to exercise caution when executing psychometric tests and to review compliance with the principles defined in the DPR.

Biometric Data, Facial Recognition and Geolocation

Biometric data, facial recognition and geolocation are not explicitly mentioned in Mexican provisions. In the case of biometric data, the INAI's interpretation was published in a guideline establishing that biometric data is not automatically sensitive personal data. To determine whether biometric data should be treated as sensitive, the data controller must evaluate the purpose and the use that will be given to it. 

Other Current Issues

Mexican regulators and legislators must work on amendments to the DPR to regulate technological developments, such as: 

  • big data;
  • artificial intelligence (machine learning);
  • internet of things or ubiquitous sensors;
  • autonomous decision-making;
  • drones;
  • disinformation, deep fakes or other online harms;
  • dark patterns or online manipulation; and
  • fiduciary duty for privacy or data protection.

Nevertheless, through the application of the general principles of the DPR, it is possible to evaluate how cases involving these concepts may be analysed and resolved by the INAI. Therefore, whenever these concepts present themselves in practice, it is possible to act based on the principles of the DPR.

Data controllers are required to designate a person (or department) in charge of addressing ARCO Rights and promoting personal data protection within the organisation. However, there is no mention of their specific functions and responsibilities.

The INAI and the private sector have brought attention to the need for an ethics board in workplaces where technology is being innovated, primarily when referring to artificial intelligence. In Mexico, the United Nations Educational, Scientific and Cultural Organization has proposed the establishment of an Artificial Intelligence Committee, which would be responsible for strategy development focused on humans to govern ethics in that subject.

According to the INAI’s report, the imposed fines in 2022 exceeded MXN60 million (approximately USD3 million, at an exchange rate of MXN20 per USD1). This represents around a 33% reduction in total fines compared to 2021. When reviewed by sector, the following stand out as the most relevant figures:

  • information in mass media was fined over MXN15 million (approximately USD750,000, at an exchange rate of MXN20 per USD1);
  • financial services and insurance were fined over MXN14 million (approximately USD700,000, at an exchange rate of MXN20 per USD1);
  • business support services and waste management services were fined over MXN2 million (approximately USD100,000, at an exchange rate of MXN20 per USD1); and
  • other services were fined over MXN23 million (approximately USD1,150,000, at an exchange rate of MXN20 per USD1).

The INAI has identified the following conducts as the most frequent reasons for sanctions:

  • collecting and transferring personal data without the explicit consent of the data subject;
  • omitting required components in the privacy notice; and
  • processing personal data contravening the principles outlined in the DPR.

Collective actions are not allowed under Mexico's personal data protection and privacy laws. Upon receiving multiple related complaints from data subjects, the INAI will process and resolve each claim individually; however, the INAI may initiate inspection visits to the data controller. Furthermore, private litigation regarding personal data protection and privacy is based on claims for damages and lost profits, which are not common in Mexico.

Depending on the nature of the transaction, the process for conducting diligence greatly varies (eg, the merger between companies may require a deep analysis of the data processing within the merged company). The standard process consists of the following steps.

  • Identify if the transaction involves personal data at all.
    1. It is essential to review the presence of sensitive data.
    2. Assessing the categories of personal data involved during the transaction is highly recommended.
    3. Review whether the involvement of personal data complies with the principles of proportionality and purpose.
  • Identify the extent to which personal data will be exposed during and after the transaction.
    1. Determine where the personal data is stored before the transaction.
    2. Determine how the other party or the reviewer will access the personal data.        
    3. Determine where personal data will be held during and after the transaction.
    4. Most importantly, it must be determined who will access the personal data.
    5. Identify if there have been any previous data breaches.
    6. Identify risks of data breaches at three stages:
      1. before the transaction;
      2. during the transaction; and
      3. after the transaction.
  • Ensure proper measures are in place to comply with the data protection principles. 
    1. When sensitive data is present in the transaction, the corresponding arrangements must be strict and secure under the DPR.
    2. Determine if proper consent was collected; this includes identifying if the proper privacy notice was provided.
    3. Review the security measures established to mitigate the identified risks.

There are no obligations in Mexican law that require companies to disclose cybersecurity risks. Mexican legislation does not focus on cybersecurity risks in its requirements; instead, it addresses risks in a broad scope. 

The DPR struggles to keep up with upcoming trends and innovations in technology. Though the principle-based model helps to deal with unforeseen situations and issues, data protection and privacy stand to gain from the implementation of new ideas into legislation. Recent technological developments are frequent, and the generalised approach needs to be revised to manage them properly. Gaps in the DPR have led to numerous interpretations. This, in turn, fosters uncertainty for everyone involved.

There is an increasing tendency for international companies with a presence in Mexico to adopt GDPR principles and obligations in the processing of personal data collected in Mexico. This trend, which is permitted by Mexican law, helps to strengthen personal data protection. 

There are no data protection or privacy issues of major importance not already covered in this chapter.

Nader, Hayaux & Goebel

Torre Arcos
Paseo de los Tamarindos
400 B, 7th Floor
Col Bosques de las Lomas

+52 55 4170 3000

+52 55 4170 3099

Trends and Developments


Galicia Abogados, S.C. has more than 28 years of experience and is renowned for its knowledge in strategic sectors such as banking and finance, energy and infrastructure, private equity, regulated industries, real estate and hospitality, and health. Galicia differentiates itself from competitors in the Mexican legal market through its ability to provide a unique offer that includes strong transactional and regulatory advice coupled with strategic capabilities in litigation and ESG. Diversity, equity and inclusion (DEI) are a core part of Galicia's values. The firm's DEI-driven culture has positioned over 17 women as partners, counsel, or in executive and management positions. Its environmental and sustainability model is one-of-a-kind in the Mexican and LatAm market: an ever-evolving programme that assures equal growth in all aspects with actions that cut across multiple sectors.

Shortcomings of Data Security Laws in Mexico

There is no doubt that data has become one of the single-most valuable assets for companies throughout the world. Whether through lead collection, database generation, cloud hosting or machine learning, this highly movable resource is more than a fad. Yet, no good deed goes unpunished. The rise of the digital era has maximised the exposure to, and incidence of, cyber-attacks, calling the attention of lawmakers and regulators across the globe.

Mexico is certainly no exception. In 2022, a foreign group of hackers exposed thousands of emails hosted on the servers of the Mexican Defense Ministry. While this resulted in efforts being made to draft bills addressing information technology security concerns, to date there are no cybersecurity-specific laws or regulations, other than the norms and non-binding recommendations issued in relation to privacy, and some other provisions that will be briefly addressed herein. This chapter is aimed at describing the current legal framework in Mexico, specifically, from a data protection law perspective, while identifying potential loopholes and risks arising from the lack of regulation.

Current regime

While cyberspace regulation is to some degree limited, all data hosted in electronic systems that includes personally identifiable information (personal data) is subject to the provisions of the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (DPA). These provisions are therefore of utmost importance, particularly as they impose widely applicable obligations upon corporations handling data, thereby posing inherent risks for them if they are found not to be compliant. This applies even if they do not know that they are bound by such law.

Some other norms establish certain additional protections, including the banking and financial regulations, which require financial entities using electronic means to have cryptographic safeguards and develop policies aimed at protecting the information thereby hosted. Moreover, cyber-attacks, hacking, virus infection and other cybercrimes may constitute punishable criminal offences under the Federal Criminal Code (FCC), which may lead to imprisonment for up to twelve years.

However, these provisions altogether are not comprehensive enough to effectively protect data itself, let alone the data subjects or the companies owning or in rightful possession of such information. Gaps remain, in particular the absence of rules and mechanisms for threat/incident detection, risk management (ie, response plans), and mitigation and damage control. The closest attempt to cover these issues was made by the data protection regulator, which in 2018 issued certain recommendations for the handling of security incidents involving personal data. These recommendations, albeit non-binding, grant individuals and corporations who process personal data (data controllers) a bona fide presumption that operates in their favour in the assessment and determination of any potential fine that could be levied in respect of a data security incident.

Who is subject to Mexico data protection laws?

The applicability of the Mexican data protection norms is mainly territorial in nature. Therefore, the data protection regulator may exercise jurisdiction over investigations relating to any processing made by data controllers incorporated in Mexico, and their data processors (regardless of their location). More importantly, even data controllers that are not physically established in Mexico are subject to Mexico’s data protection regime where they use means located in such territory – unless these are limited to transit purposes that do not involve personal data processing. Mexico-based data processors for foreign data controllers, naturally, are also subject to the provisions relating to the security measures of the DPA, pursuant to Article 4 of the Regulations to the DPA.

Processing, however, has a broad meaning. It covers the array of activities that a data controller may conduct with respect to personal data. The DPA expressly defines processing as the collection, use, disclosure and storage by any means (eg, automated means) of personal data, and use as any action of access, management, exploitation, transfer or disposition of personal data. This suggests that foreign companies that locally store data – eg, through servers located in Mexico – are bound to comply with Mexican law regardless of their residence or main place of business. Even domain names associated with websites that can be accessed locally could arguably constitute a means, hence extending the applicability of Mexico’s laws and regulations to a myriad of international businesses operating online.

Much of this processing inadvertently falls within the scope of Mexican laws; the main exception is where a data controller uses means located in Mexico exclusively for transit purposes (ie, to allow flows of data, as occurs with telecommunications networks (cables) or postal services). As a result, companies operating with data on Mexican soil might not be aware of their obligations under the DPA and the Regulations to the DPA with respect to the processing of personal data, including without limitation those described in the following sections.

Data security breaches

Pursuant to the DPA, data controllers must put in place, regularly review and update adequate security measures to protect data against damage, loss, alteration, destruction or unauthorised use, access or treatment. In establishing these measures, controllers should be wary that, by law, they cannot afford lesser protections than those given to the information otherwise owned by such data controller. Moreover, they shall ponder the nature and sensitivity of personal data, technological developments in the market and the possible consequences associated with a security breach thereto.

A security breach under Mexican law occurs when there is a violation to any physical, technical or administrative security measure that compromises personal data at any stage during its processing. Article 63 of the Regulations to the DPA specifically lists loss or unauthorised destruction; theft, misplacement or unauthorised copying; unauthorised use, access or processing; and unauthorised damage, alteration or modification, as data security breaches.

Incident notification: crisis management versus rights’ shielding

While official reporting of personal data breaches to the regulator is not covered by the DPA and thus not mandatory, the DPA does require data controllers to communicate such breaches to the affected data subjects when the breach causes significant harm to the economic or moral rights of such individuals. Notification of individuals usually takes place after a containment period (ie, the phase to limit the scope or impact of the identified incident), and before any mitigation procedures are enabled (ie, the period or phase seeking to minimise the possibility of a breach being repeated).

Now, harm to economic rights, as described in the regulator’s recommendations, occurs when the breach involves personal property, tax information and credit records, income and expenses, bank accounts, insurance, retirement plans, bonds, and financial services. Moral rights, on the other hand, are harmed when the breach relates to feelings, emotions, beliefs, honour, reputation, private life, physical configuration and aspect, opinions of self from others, or when the liberty and the physical and psychological integrity of a person is illegitimately impaired.

Although the rationale behind Mexico’s data privacy laws notification obligations is to grant data subjects the opportunity to take timely action in defence of their rights (eg, cancelling credit cards), the DPA is arguably less protective of individuals’ rights than the European Union’s General Data Protection Regulation (GDPR) when it comes to the handling of personal data breaches. According to the provisions of the GDPR, communication of personal data breaches is triggered by merely a high risk to the rights and freedoms of data subjects, and not an actual and significant harm effectively caused to such, which results in quite a subjective test.

On one hand, it can be challenging to assess whether a certain event causes grave harm to a person, when the examiner for such test is not acquainted with the person. Moreover, there is data that in and of itself is not sensitive but that under certain circumstances, or paired with certain technologies, can provide information that poses a threat or is harmful to the data subject.

In addition, the complexity of the fact-finding task on the part of data controllers is at odds with the norm’s purpose to achieve a timely reaction of data subjects. As per law, although data controllers must notify in the shortest time possible, such notification must not be made until there is concrete information on the incident and, more importantly, when the breach has been contained and personal data is no longer compromised. This would mean that in a ransomware case, for example, notification would be contingent upon negotiations with the attacker, as data is still compromised during such period and subject to further leakage.

Data controllers would therefore seek to gain time to identify the source, causes and impact of an attack, and to assess whether or not the compromised data meets the threshold of the DPA, hence triggering a notifiable event, all at the expense of data subjects’ opportunity to react in a timely manner in protection of their rights and property. While failure to comply with any of the requirements established in the DPA (eg, not informing data subjects of a notifiable breach) may trigger administrative fines, it is questionable whether delays in delivering such notifications would constitute an infringement. In so far as the interests of data controllers and data subjects are not aligned, an argument can be made that this norm is incorrectly balanced.

Notification form requirements

Under the recommendations of INAI (the data protection regulator), notification to individuals must be independent, personalised and direct (by phone, email, courier or in person) and, exceptionally, can be performed indirectly only where personal notification may cause more harm to the data subjects, is excessively costly or where the affected individual’s contact details are not available. In those cases, data controllers may opt for a public statement on the entity’s website or in mass media communication.

Notifications should include the following information:

  • the nature of the breach;
  • the personal data compromised with the breach;
  • recommendations to the data subject regarding measures that can be implemented to protect their interests;
  • the corrective actions implemented by the data controller; and
  • the means by which the data subject may obtain more information in this regard.

Sanctions and criminal offences

The DPA is aimed at achieving compliance (as opposed to discouraging perpetrators) in order to guarantee privacy and individuals’ rights to informational self-determination, so all liabilities are burdened on data controllers/processors, and violations of the law are enforceable against them.

Under the DPA, compromising the security of databases, premises, programmes or equipment, when attributable to the data controller, may result in the imposition of administrative fines that can reach as high as approximately USD1.6 million. In determining this fine, the regulator shall consider aspects such as intent, the nature of the data that was compromised, and the economic capability of the data controller, among others. Compliance by the data controller with the regulator’s recommendations (eg, having multi-factor authentication in place) can mitigate any potential fine. The DPA also catalogues as a criminal offence the intentional, for-profit breach of the security of a database by those in charge of its custody.

Some of the more general codified crimes in Mexico involving information technologies include violations of trade secrets, illegal access to computer systems and equipment, fraud and theft. Additional special laws provide for particular crimes, such as illegal access to computer systems and equipment by officials, employees and servants of financial institutions.

Voluntary reporting

Mexican law does not regulate self-reporting nor provide a legal basis for INAI to issue no-action letters, early termination or similar decisions, so voluntary reporting is not a common practice in Mexico. Moreover, it could be counterintuitive for companies to report cases that would likely force the data protection regulator to launch a full investigation, leading to potential fines – save for massive and publicly scrutinised cases where the opposite can occur.


Security incidents occur frequently and can have a great negative impact on organisations. Mexico’s current data protection regime still falls short in protecting data-stakeholders against hazardous and malicious activities, making them an easy target for cyber-attacks. Moreover, current penalties (including criminal ones) are not sufficiently robust to effectively deter attackers. While the lack of enactment of a thorough cybersecurity law remains, and the long-overdue overhaul of the current laws and regulations is not conducted, it is imperative for the private sector (including offshore corporations that could be subject to Mexican laws and regulations) to be wary of the risks this lack of regulation poses; and, consequently, develop and maintain updated sound policies and processes that actively prevent and mitigate risks, both for their own benefit and that of individuals.

Galicia Abogados, S.C.

Torre del Bosque
Blvd Manuel Avila Camacho 24 – 7th Floor
Lomas de Chapultepec
Mexico City CP 1000

+52 55 5540 9200
