Data Protection & Privacy 2026

Last Updated March 10, 2026

Mexico

Law and Practice

Authors



Nader Hayaux & Goebel is a leading full-service Mexican law firm with 22 partners and more than 40 associates. Its Data Privacy & Cybersecurity practice is led by one partner and supported by two associates, advising Mexican and foreign companies, both regulated and non-regulated, on compliance with Mexican data protection regulations and financial secrecy requirements. Based in Mexico City and supported by the firm’s London office, the team stands out for its extensive experience in international and cross-border data privacy and cybersecurity matters, including the implementation in Mexico of foreign regulations such as the GDPR. The practice provides comprehensive advice on privacy compliance, risk prevention and management, data breach response, biometric data processing and training programmes. Recent work includes advising a global videogame company on GDPR implementation, assisting international insurance companies with privacy notices and integrated compliance strategies, supporting a major e-commerce company on biometric data compliance, and conducting data privacy and financial secrecy audits for an insurance broker of a large automotive group.

In Mexico, personal data protection is governed by a layered framework that applies nationwide to the private sector and, through a parallel regime, to the public sector. At its apex, the Political Constitution of the United Mexican States (Constitución Política de los Estados Unidos Mexicanos) recognises privacy and the protection of personal data as rights.

For the private sector, the main instrument is the Federal Law for the Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares, or LFPDPPP). It governs the processing of personal data by private entities across Mexico and operates as a national baseline irrespective of the state in which an organisation is established or conducts its operations.

The LFPDPPP is supplemented by its Regulation (Reglamento), which develops and operationalises the statute and provides practical detail that the law sets out only at a high level. In addition, the private-sector regime is applied alongside secondary instruments issued by the competent authority – such as guidelines, criteria and recommendations – which shape interpretation and enforcement practice (together with the LFPDPPP and its Regulation, the “Private DPRs”).

Processing by the public sector is governed by a separate statutory regime, the General Law for the Protection of Personal Data Held by Obligated Parties (Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados), complemented by state-level legislation (together, the “Public DPRs”).

Mexican private-sector rules do not expressly claim extraterritorial reach. Cross-border scenarios are addressed instead through transfer and accountability mechanisms. Where a data controller transfers personal data to a third-party recipient that will act as an independent controller, the transferring controller must ensure that the recipient assumes, and complies with, the same obligations to which the transferring controller is subject under the Private DPRs.

Finally, the DPRs regulate personal data only (ie, information relating to an identified or identifiable individual). Non-personal data will generally fall outside their scope, although the boundary is not clear-cut: data labelled as non-personal may still be treated as personal data where an individual can be identified from it. Against that backdrop, as organisations adopt automated tools and AI-enabled processing, the Private DPRs remain the central reference point for lawful processing and accountability, while other legal regimes may impose parallel obligations.

Principles and Requirements for Processing

The Private DPRs are built around a set of principles that must be observed cumulatively, as listed below. In practice, processing will be considered compliant only where these principles are embedded in the design and day-to-day operation of processing activities.

  • Lawfulness: Processing must be grounded in a valid legal basis and carried out in accordance with the applicable framework.
  • Purpose: Data may only be collected and used for specific and legitimate purposes.
  • Loyalty: Processing must be carried out in a manner consistent with the individual’s reasonable expectations.
  • Consent: Processing requires the individual’s consent, subject to recognised exceptions.
  • Quality: Controllers should take reasonable steps to ensure data is accurate, complete and kept up to date.
  • Proportionality: Only data that is adequate, relevant, and necessary for the stated purposes should be processed.
  • Information: The individual must be informed about the details of the data processing.
  • Accountability: Controllers must implement and be able to demonstrate compliance through governance measures, confidentiality duties, appropriate security controls, and effective oversight of processors and recipients.

Data Subject Rights and Remedies

Data subjects have a core set of rights that enable individuals to control and challenge the processing of their personal data (“ARCO Rights”), as listed below. In practice, data controllers should treat these rights as operational requirements, supported by clear request channels and internal procedures.

  • Access: The right to confirm whether a controller processes the individual’s data and, if so, to obtain access and information about the relevant processing.
  • Rectification: The right to require correction or completion of personal data.
  • Cancellation: The right to request deletion of personal data.
  • Opposition: The right to object to processing in certain circumstances.
  • Revocation of consent: The right to withdraw consent where it is the basis for processing.
  • Limitation of use or disclosure: The right to request limits on certain uses or disclosures of personal data.
  • Complaint and redress: Where the individual is not satisfied with the controller’s response (or receives no response), the framework provides a route to seek review through the competent authority, which may issue binding determinations and trigger further oversight actions.

Main Compliance “To-Dos” for Companies

Though specific requirements for organisations vary depending on their business, operations and capabilities, the following workstreams are typically the core building blocks for adequate compliance:

  • Provide privacy notice: Deliver a fully compliant privacy notice that includes, among other things, the purposes of data processing, the transfers to be carried out, the types of data to be collected, and the rights of the data subjects.
  • Obtain consent: Collect and process personal data only after obtaining the data subject’s consent (the type of consent will depend on the type of data to be processed).
  • Data quality: Ensure that the personal data collected is accurate, relevant, and up to date for its intended purposes.
  • Data security: Implement appropriate technical, physical and administrative measures to protect personal data from unauthorised access, loss or damage.
  • Guarantee ARCO Rights: Allow data subjects to exercise their ARCO Rights and provide mechanisms and procedures that comply with the Private DPRs for their handling.
  • Retention period: Store personal data only for the duration necessary to fulfil the purposes stated in the privacy notice.
  • Internal procedures: Establish internal policies, procedures and training to ensure compliance with the Private DPRs, including appointing a Data Protection Officer or Department.
  • Data breach notification: Where the controller suffers a security breach, notify the affected data subjects in compliance with the requirements set forth in the Private DPRs.
  • Third-party compliance: Verify that any third-party data processor or recipient of personal data adheres to the Private DPRs and aligns with the controller’s privacy notice.

Although the Private DPRs cover multiple categories of personal data, they single out sensitive personal data as particularly important to protect. Sensitive personal data is generally understood as personal data that affects an individual’s most intimate sphere or that, if misused, could give rise to discrimination or entail a serious risk to the individual. Because of its heightened risk profile, sensitive personal data attracts stricter compliance expectations and a higher standard of care throughout the processing life-cycle.

In practical terms, controllers should ensure enhanced safeguards, including:

  • Stricter consent standard: Processing sensitive personal data generally requires express, written consent.
  • Narrowly defined purposes and minimisation: Purposes should be tightly framed and limited to what is genuinely necessary.
  • Clear outlines: The privacy notice should clearly identify the sensitive categories of data involved and the relevant information about its processing.
  • Heightened security and confidentiality: Controllers should implement stronger administrative, technical and physical measures.
  • Stronger vendor and transfer controls: Where processors or third-party controllers are involved, contracts and transfer documentation should reflect the higher sensitivity.

For minors, the Private DPRs should be read alongside the overarching standard that the best interests of the child must be the primary consideration when designing and operating data processing, meaning a controller should prioritise a minor’s welfare over commercial objectives.

In any event, data relating to minors – and, more broadly, data relating to any category of data subject – should be assessed against the applicable definition of personal data to determine the compliance requirements that follow, since such data may fall within that definition and therefore trigger the obligations set out in the Private DPRs.

Processing for research and development purposes is allowed if data controllers comply with the Private DPRs. Furthermore, the Private DPRs recognise the concept of dissociation (disociación), defined as a procedure by which personal data can no longer be associated with the relevant data subject, nor allow that individual to be identified by virtue of its structure, content or degree of disaggregation. Where dissociation is implemented with that effect, the resulting dataset would no longer qualify as personal data and may therefore be processed outside the scope of the Private DPRs. Any process that does not exclusively involve dissociated data remains subject to the Private DPRs.

On automated decision-making, the Private DPRs take a more targeted approach than establishing an “AI risk taxonomy”. A data subject may oppose processing where (i) their personal data are used in automated processing that produces undesired legal effects or otherwise significantly affects their interests, rights or freedoms, and (ii) where the processing is intended to evaluate, analyse or predict aspects of the individual without meaningful human intervention.

Accordingly, specific and binding AI prohibitions are not features of the Private DPRs themselves; constraints arise from applying general rules. Specifically, a risk-sensitive compliance expectation is embedded through (i) heightened requirements for sensitive personal data, and (ii) security obligations that should scale with the risk profile of the processing (including foreseeable harm).

Under the Private DPRs, data controllers are expected to implement safeguards to protect personal data and to respond promptly where a security incident compromises it. Where a breach occurs, the Private DPRs require controllers to take the following steps:

  • Immediate containment and mitigation: Take prompt measures to stop the incident and reduce exposure, including technical and organisational remediation.
  • Impact assessment: Evaluate the main aspects of the incident and its legal implications for rights and obligations.
  • Notification to affected individuals where warranted: Where the breach significantly affects data subjects’ property or moral rights, the controller must notify the affected individuals so they can take protective steps. Notifications should be made without undue delay and in clear, accessible terms.
  • Post-incident assessment: Determine and implement corrective actions and improvements to avoid future occurrences with the same characteristics.

The 2024 constitutional reform provided for the dissolution of the National Institute for Transparency, Access to Information and Personal Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales, or INAI) and the redistribution of its personal data protection mandates among various public bodies according to the type of entity being regulated. These changes took effect in 2025 upon the entry into force of new legislation.

For organisations, the most significant consequence is that the Ministry for Anti-Corruption and Good Government (Secretaría de Anticorrupción y Buen Gobierno, or SABG) now serves as the primary regulator of the private sector.

Furthermore, functions previously exercised by the INAI in the public sector were reassigned to diverse government entities, in some cases at the constitutional level. The National Electoral Institute (Instituto Nacional Electoral), for example, now oversees the processing of personal data by political parties.

From an enforcement perspective, matters under the Mexican data protection framework arise from data subject complaints, security incidents, or other events that put a processing practice in question; referrals or findings generated by the public sector; and ex officio initiatives in which the competent authority opens a file on its own motion. Co-ordination within Mexico is further shaped by the post-INAI allocation of mandates described above. Cross-border engagement is not organised around a “one-stop shop” model and may instead be handled on a case-by-case basis when international elements are present (for example, cross-border transfers, foreign vendors or multinational group processing).

As mentioned in 1.1 Overview of Data and Privacy-Related Laws, the guidelines, criteria and recommendations issued by the competent authorities typically operate as interpretative tools and enforcement benchmarks. Even where such guidance is not formally binding in the same manner as legislation, it often carries significant practical weight in audits, verification procedures and the authorities’ assessment of compliance.

Enforcement by the SABG is typically structured as a step-by-step administrative workflow. In practice, the first operational step for a data controller is usually receiving a formal request for information and documentation from the authority. The authority then reviews the response and may issue follow-up requests to address inconsistencies or obtain further evidence. Beyond that initial exchange, enforcement runs on three main tracks: (i) the rights-protection procedure (focused on ARCO Rights disputes); (ii) the verification procedure (fact-finding and compliance review); and (iii) the sanctioning procedure (imposition of penalties). Although these tracks may be connected in practice, each follows its own sequence of procedural acts and statutory timeframes.

Decisions issued by the SABG may be challenged through judicial remedies. Specifically, affected parties may seek constitutional relief (amparo) against acts and resolutions of the SABG.

Rights-Protection Procedure

If the SABG receives and admits a rights-protection request from any data subject, the SABG serves it on the controller and requests a response with supporting evidence. The file then moves through an evidentiary phase, followed by final allegations, and ends with a binding decision. As a useful rule of thumb, the authority’s decision is issued within 50 days, with the possibility of an extension for justified cause. Where the decision favours the data subject, the controller is expected to implement the ordered measures and report compliance.

Conciliation may be promoted at any stage (subject to specific limitations). If the parties reach and comply with an agreement, the matter is generally closed without the need for a final decision on the merits.

Verification Procedure

Once verification is opened, the SABG typically begins with documentary information requests and may, where warranted, escalate to an on-site verification visit to confirm processing practices and controls. The overall verification stage is subject to a maximum duration of 180 days, with the possibility of an extension for justified cause.

Sanctioning Procedure

Sanctioning usually follows findings from a rights-protection or verification matter. It starts with formal service of the alleged infringement, after which the alleged infringer is given an opportunity to respond and submit evidence. The authority then closes the evidentiary record, receives final submissions and issues a final resolution. The sanctioning procedure has an overall statutory decision period of 50 days, with the possibility of an extension for justified cause.

Potential Sanctions and Remedies

Depending on the nature of the breach, exposure may arise on three tracks:

  • Administrative sanctions: The SABG may issue orders (including warnings requiring corrective action) and impose fines, potentially multiple in a single matter. Where sensitive personal data is involved, the framework allows for fines to be doubled.
  • Criminal exposure: Certain profit-driven conduct (eg, causing a breach for gains) may trigger criminal liability, with enhanced penalties where sensitive data is involved.
  • Civil liability (damages claims): Affected individuals may pursue damages claims under general civil liability rules, with remedies centred on compensation rather than public sanctions.

The SABG’s recent communications and enforcement activity suggest the following:

  • Increased enforcement action: A more assertive response to non-compliance, with investigations used as deterrence, and an explicit narrative linking breach cases to administrative fines and, in serious scenarios, criminal exposure.
  • Preventive engagement: A parallel push for controllers to seek early institutional engagement and compliance support, signalling an emphasis on prevention alongside sanctions.
  • Execution and collection focus: Increased attention to ensuring that sanctions are executed (including fine collection) and follow-ups on legacy matters previously treated as closed.
  • Reform-oriented posture: An expressed intention to pursue updates to the federal and general data protection framework, suggesting enforcement may be accompanied by a legislative and policy push.

Privacy disputes in Mexico have not yet matured into a robust, standalone litigation stream. The legal system does not generally recognise a direct “private enforcement” action whose sole purpose is to vindicate data protection breaches in court. Rather, individuals who consider themselves affected typically need to frame their case as a civil liability claim, seeking damages for the harm allegedly caused by the relevant conduct.

This private route operates on a different logic from administrative oversight. Regulatory proceedings are designed to protect the public interest through corrective measures and sanctions (notably fines), whereas civil litigation is intended to compensate the claimant. Accordingly, the remedy most frequently pursued is monetary compensation. Assessment is usually case-specific and tied to the proof and seriousness of the alleged impact, rather than to a bespoke statutory tariff for privacy harm.

Unlike other jurisdictions, Mexico does not rely on case law to apply data privacy regulation. However, recent resolutions issued by Mexico’s Supreme Court of Justice (Suprema Corte de Justicia de la Nación) have addressed modern issues, such as the role of search engines as intermediaries in internet access, their processing of personal data, and the implications for free speech rights.

Mexican data protection law does not provide for collective administrative proceedings. Where a breach causes harm and civil liability arises, data subjects may pursue claims under the civil framework.

Non-personal data generally falls outside the scope of the Private and Public DPRs, which apply only to the processing of personal data. Information labelled “non-personal” may still be treated as personal data where individuals can reasonably be identified from the dataset itself or by linkage with other data. By contrast, data that has been robustly dissociated, such that identification is not possible, will typically remain outside the data protection regulations.
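The linkage risk described above is easy to underestimate. The following Python example is added here to illustrate it; it is not part of the chapter and does not describe any actual Mexican dataset. It uses a constructed "dissociated" health extract (names removed, but postcode, birth year and sex retained) and a constructed auxiliary directory an attacker might already hold, shows that exact matching on those quasi-identifiers re-identifies most rows, and then applies a k-anonymity check and a simple generalisation step before release. The choice of quasi-identifiers, the generalisation rules and the threshold k are assumptions for the example, not requirements taken from the Private DPRs.

```python
from collections import Counter, defaultdict

# Constructed "dissociated" release: direct identifiers removed, quasi-identifiers kept.
RELEASED = [
    {"zip": "05120", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"zip": "05120", "birth_year": 1991, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "06600", "birth_year": 1975, "sex": "M", "diagnosis": "hypertension"},
    {"zip": "06600", "birth_year": 1975, "sex": "M", "diagnosis": "none"},
    {"zip": "05130", "birth_year": 1988, "sex": "F", "diagnosis": "migraine"},
    {"zip": "06700", "birth_year": 1972, "sex": "M", "diagnosis": "flu"},
]

# Constructed auxiliary dataset the attacker already holds (e.g. a public directory).
AUXILIARY = [
    {"name": "Ana", "zip": "05120", "birth_year": 1984, "sex": "F"},
    {"name": "Luis", "zip": "05120", "birth_year": 1991, "sex": "M"},
    {"name": "Carlos", "zip": "06600", "birth_year": 1975, "sex": "M"},
    {"name": "Jorge", "zip": "06600", "birth_year": 1975, "sex": "M"},
    {"name": "Sofia", "zip": "05130", "birth_year": 1988, "sex": "F"},
    {"name": "Miguel", "zip": "06700", "birth_year": 1972, "sex": "M"},
]

# Assumed quasi-identifiers: attributes that are not names but can single someone out.
QUASI_IDS = ("zip", "birth_year", "sex")


def qid_key(row, qids=QUASI_IDS):
    """Tuple of quasi-identifier values used for matching and grouping."""
    return tuple(row[q] for q in qids)


def linkage_attack(released, auxiliary, qids=QUASI_IDS):
    """Re-identify released rows whose quasi-identifiers match exactly one known person.

    Returns {name: diagnosis}. Rows that match several people are left out,
    since the attacker cannot tell which of them the record belongs to.
    """
    aux_index = defaultdict(list)
    for person in auxiliary:
        aux_index[qid_key(person, qids)].append(person["name"])
    reidentified = {}
    for row in released:
        candidates = aux_index.get(qid_key(row, qids), [])
        if len(candidates) == 1:
            reidentified[candidates[0]] = row["diagnosis"]
    return reidentified


def k_anonymity(released, qids=QUASI_IDS):
    """Smallest group size sharing the same quasi-identifier values.

    k == 1 means at least one record is unique and therefore linkable.
    """
    counts = Counter(qid_key(row, qids) for row in released)
    return min(counts.values())


def generalise(row):
    """Coarsen quasi-identifiers (assumed rules): 2-digit zip prefix, 20-year birth band, sex suppressed."""
    return {
        **row,
        "zip": row["zip"][:2] + "***",
        "birth_year": row["birth_year"] // 20 * 20,
        "sex": "*",
    }


def release_if_anonymous(rows, k=3):
    """Gate a release on a minimum k; generalise until the threshold is met or give up."""
    if k_anonymity(rows) >= k:
        return rows
    coarse = [generalise(r) for r in rows]
    return coarse if k_anonymity(coarse) >= k else None


if __name__ == "__main__":
    print("k of raw release:", k_anonymity(RELEASED))            # 1: unique rows exist
    print("re-identified:", linkage_attack(RELEASED, AUXILIARY))  # four of six people
    safe = release_if_anonymous(RELEASED, k=3)
    print("k after generalisation:", k_anonymity(safe))          # 3
    print("re-identified after generalisation:",
          linkage_attack(safe, [generalise(p) for p in AUXILIARY]))  # {}
```

The point for a controller is that removing names is not dissociation in the sense the Private DPRs use: the raw extract scores k = 1 and four of the six records link to a named person with a single exact match, which is precisely the "linkage with other data" scenario in which the data remains personal. After generalisation every quasi-identifier group has three members and the same attack yields nothing. A production check would also consider attribute disclosure (whether everyone in a group shares the same sensitive value) and the actual auxiliary data an adversary could plausibly obtain, neither of which this example models.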

Mexico does not have a dedicated, cross-sector legal framework governing non-personal data access and sharing (including for IoT or cloud environments). Instead, non-personal data governance is primarily driven by general legal protections (notably confidentiality and trade secrets), sector-specific rules (such as financial secrecy and open finance for Mexican financial institutions), cybersecurity expectations, and contractual boundaries among data holders, service providers and data users.

Where a dataset includes both personal and non-personal elements, the approach is essentially cumulative: privacy rules govern the personal-data layer, while other legal regimes govern the non-personal value layer (confidentiality, trade secrets and IP), with contracts typically co-ordinating how these obligations operate in practice.

Overall, the interaction is less about statutory “data access rights” and more about layering: the Private DPRs set the compliance perimeter for identifiable information; confidentiality and IP rules protect the commercial value of non-personal datasets; and contractual arrangements allocate rights, responsibilities and risk among data holders, service providers and data users.

Unless a dataset has been properly dissociated so that individuals are no longer identifiable, the processing will generally fall within the scope of the data protection regime, and the primary rights available to individuals are the ARCO Rights.

Under Mexico’s current framework, non-personal data is not overseen by a single, cross-sector regulator; instead, the applicable rules and enforcement authorities vary depending on the nature of the dataset and the sector in which it is used.

The Private DPRs require data controllers to inform data subjects when using remote or local electronic, optical or other technologies that automatically and simultaneously collect personal data upon interaction, such as cookies. This notification must be provided at the moment of contact through a visible communication or warning that details the use of such technologies, the data collected, and how to disable them.

Personalised and targeted advertising under the Private DPRs is regulated in the same way as other data processing. A key aspect is the distinction between primary and secondary purposes: processing that is necessary to provide the product or service requested by the individual will be categorised as primary, whereas advertising, commercial prospecting and similar activities will generally fall within secondary purposes (subject to a case-by-case assessment).

Where marketing or profiling is treated as a secondary purpose, the data controller must ensure that it is clearly disclosed in the privacy notice and that individuals are given straightforward mechanisms to withhold consent or withdraw consent for those purposes. Individuals may exercise the right of opposition to processing for secondary purposes, which is particularly relevant where profiling or behavioural targeting is involved.

Additional sensitivity arises in two scenarios. First, where marketing relies on sensitive personal data. Second, where advertising relates to minors, controllers should apply a heightened standard of care and avoid practices that could be seen as undermining a child’s best interests, as discussed in 1.3 Special Categories of Personal Data.

Mexican data protection rules apply to employers in the same way they apply to any other data controller. Accordingly, an employer that collects or uses employee or candidate information must comply with the Private DPRs throughout the employment life-cycle.

In practice, this means that workplace monitoring and the use of IT systems should be structured around necessity and proportionality. Although corporate devices and accounts are work tools, employees retain privacy interests, and monitoring should be limited.

In M&A transactions, the regular data privacy requirements apply. Personal data often becomes part of the due diligence exercise, the integration planning and – depending on the structure – the assets being acquired. Where that is the case, the parties should also treat data protection as a discrete workstream and implement controls designed to ensure compliance with the Private DPRs throughout the deal cycle.

In practice, companies should consider the following steps:

  • Confirm whether personal data is in scope (and at what sensitivity).
    1. Identify whether the transaction involves personal data at all, and whether any sensitive personal data is implicated.
    2. Map the categories of data likely to be reviewed or transferred (eg, employee, customer, supplier, health, financial, geolocation).
    3. Confirm that the contemplated uses of the data (diligence, valuation, integration) align with the principles of purpose limitation and proportionality.
  • Define how, when and by whom the data will be accessed.
    1. Determine where relevant datasets are stored and how they will be made available (eg, data room, clean teams, extracts, redacted samples).
    2. Identify the recipients (deal team, advisers, auditors, consultants, potential buyers) and apply need-to-know access controls.
    3. Clarify where the data will be held during the process and after closing, including any cross-border elements.
  • Implement deal-specific safeguards and documentation.
    1. Put in place appropriate confidentiality and data-handling terms, including restrictions and covenants on processing, onward disclosure, retention and deletion/return.
    2. Where the buyer (or advisers) will process data on behalf of the seller, adopt suitable processor-type controls; where disclosure is to an independent recipient, ensure the transfer is properly documented and consistent with the applicable privacy notice and any required consents.
    3. Apply stricter controls where sensitive data is involved, including tighter access, segmentation and enhanced security measures.
  • Assess security posture and breach history.
    1. Identify prior security incidents affecting relevant datasets and evaluate any open remediation items.
    2. Assess foreseeable breach risks at three points – pre-closing, during diligence/transition and during post-closing integration – and align technical and organisational measures accordingly.
  • Validate compliance foundations.
    1. Confirm that the data was collected and is being used under appropriate transparency practices (privacy notices) and, where required, valid consents.
    2. Review whether existing security measures are proportionate to the risks and adequate for the intended deal-related processing and subsequent integration.

This approach helps reduce unnecessary exposure during due diligence, supports smoother post-closing integration, and mitigates regulatory and litigation risk when personal data forms part of the transaction footprint.

The Private DPRs permit cross-border transfers of personal data, provided the transferring data controller complies with the applicable transparency and, where required, consent requirements. For these purposes, a transfer should be understood broadly as any communication, disclosure or making available of personal data to a third party other than the data subject (or its subsidiaries, affiliates and service providers), within or outside Mexico. Importantly, the fact that a transfer is international does not dilute the controller’s obligations: the general processing requirements continue to apply, and cross-border transfers are treated as an extension of the originating processing activity rather than as a separate, unregulated step.

A defining feature of the Mexican approach is that the foreign recipient must assume obligations equivalent to those borne by the transferring controller under the Private DPRs. In practice, this is typically implemented through contractual arrangements. While the DPRs allow controllers to rely on a range of legal instruments to meet their duties, contractual clauses are the principal mechanism expressly contemplated for international transfers. As a baseline, transfer clauses should ensure that:

  • the recipient undertakes to comply with obligations equivalent to those applicable to the transferring controller under the Private DPRs; and
  • the recipient agrees to process the data consistently with the scope of the authorisations and limitations communicated to the data subject through the applicable privacy notice (including the stated purposes and any transfer conditions).

Where there is uncertainty about whether a contemplated cross-border transfer aligns with the Private DPRs, a controller may seek a non-binding view from the competent authority on the transfer’s permissibility and the adequacy of the proposed safeguards.

No government notifications or approvals are required to transfer data internationally. The data controller must, however, disclose the contemplated transfers of personal data in the privacy notice and, where consent for the transfer is required, obtain it from the data subject.

Mexico’s personal data protection regulations (both the Private and Public DPRs) do not establish specific data localisation requirements, nor do they require personal data to be stored in-country. Therefore, from a personal data protection standpoint, data can be transferred internationally; however, data controllers are still required to implement measures to safeguard the data and to comply with the transfer requirements established in the DPRs, such as communicating the applicable privacy notice to the data recipient.

Aside from the nation’s sovereignty and the provisions of the Constitution, there are no specific statutes regarding “blocking”.

As discussed in 1.7 Regulators, recent regulatory changes primarily focused on dissolving the INAI and reallocating its responsibilities. On this note, the Regulation of the LFPDPPP has not been amended to properly address these changes; therefore, further updates are expected for this instrument. Additionally, while several legislative initiatives on specific data protection matters were proposed in 2025, none have been enacted; however, the SABG has stated that additional regulatory changes are needed.

Nader, Hayaux & Goebel

Paseo de los Tamarindos
No. 400-B, Piso 7
Bosques de las Lomas
05120 CDMX
Mexico

+52 55 4170 3000

info@nhg.com.mx nhg.mx

Trends and Developments


Authors



Baker McKenzie has 60 years of experience in Mexico and has a strong presence in five states of the country, namely Mexico City, Guadalajara, Juárez, Monterrey and Tijuana. As the most recommended law firm in major practice areas around the world, its offices are constantly involved in major mergers and acquisitions and sophisticated financial transactions. The firm’s global presence allows it to rapidly create teams of specialists in multiple jurisdictions to meet the needs of its clients. Baker McKenzie is known locally for the highly specialised and industry-focused knowledge of its attorneys.

Executive Summary

Mexico’s privacy architecture was fundamentally reshaped in 2025. A sweeping constitutional reform dissolved the autonomous data protection regulator and ushered in a new statutory framework, including a revised Federal Law for the Protection of Personal Data Held by Private Parties (“LFPDPPP 2025”, for its initials in Spanish), effective from 21 March 2025. Enforcement authority over the private sector moved to the Secretariat of Anti-Corruption and Good Governance (SABG, for its initials in Spanish), an executive-branch body, while judicial review now proceeds through specialised federal courts via amparo.

For businesses, the impact has been immediate: refreshed definitions, tighter consent and privacy notice mechanics, and a new enforcement and litigation pathway, all unfolding during a transitional period in which implementing regulations remain pending and further revisions to the LFPDPPP 2025, rumoured for 2026, may result in an entirely new law. This analysis reflects the legal and regulatory position as of February 2026.

At the same time, Mexico is rolling out a biometric digital identity system (CURP biométrica and Llave MX) and a National Cybersecurity Plan (2025–2030), and is seeking real-time access to digital platforms’ transactional information, including personal data of taxpayers/users, for tax audit purposes. Together, these initiatives elevate risks and compliance expectations regarding governance, security, identity proofing and electronic evidence preservation. Cross-border strategies should also anticipate the USMCA joint review in 2026 and Mexico’s engagement with the UN Convention against Cybercrime, both of which will influence data flow governance and incident response standards.

Treat 2026 as a year to reset the foundations: assess, harden and document privacy and security programmes now, allowing future regulatory updates to require only adjustments, rather than a full redesign.

1. Introduction

Mexico’s data protection landscape has undergone a profound transformation during 2025–2026. Rather than incremental reform, change has been driven by institutional restructuring, political realignment, and an ambitious digital transformation agenda from the government. These dynamics have created a complex compliance environment in which companies must plan for uncertainty.

Although the market anticipated a substantive modernisation of Mexico’s privacy framework, particularly around the European General Data Protection Regulation (GDPR), artificial intelligence (AI), automated processing and decision-making, and algorithmic transparency, the enacted private sector law largely preserves the architecture of the 2010 regime. As a result, organisations are increasingly relying on internal governance, risk-based analysis and international standards to bridge regulatory gaps while awaiting secondary legislation, new enforcement priorities from the new data protection authority and early judicial interpretation.

The reforms originate in a November 2024 constitutional amendment that eliminated seven autonomous agencies, including the National Institute for Transparency, Access to Information and Personal Data Protection (INAI), which had served as Mexico’s data protection authority. The reform took effect in early 2025. Decrees published in the Official Gazette in March 2025 formalised a new law (LFPDPPP 2025) for the private sector and a General Law governing public sector processing of personal data, both effective from 21 March 2025.

As of early 2026, implementing regulations have not yet been published. SABG initiated stakeholder dialogues in January 2026, but no revised regulations or technical corrections have appeared in the Official Gazette. No judicial precedents from the specialised courts have been reported publicly. SABG has, however, signalled increased scrutiny following several high-profile cyber incidents during the end of 2025 and early 2026, suggesting that enforcement activity may resume before the regulatory framework is fully harmonised.

2. Legislative Shifts and Regulatory Redesign

2.1 The 2025 reset: new laws, new authority, new courts

On 20 March 2025, Mexico enacted a package of reforms realigning its data protection framework with the dissolution of INAI. Central to this package are the new LFPDPPP (private sector) and the General Law on the Protection of Personal Data Held by Obligated Subjects (public sector) (LGPDPPSO, for its initials in Spanish), both effective the following day.

Private sector oversight now resides with SABG, an executive-branch ministry. Appeals against enforcement decisions proceed through specialised federal courts via amparo. This institutional redesign matters in practice: enforcement culture, evidentiary expectations and timelines are likely to differ from those developed under INAI. During this bedding-in period, companies should document compliance judgments and risk-based decisions carefully, anticipating later scrutiny by courts rather than administrative precedent.

2.2 LFPDPPP 2025: continuity over transformation

The LFPDPPP 2025 preserves the core principles of the 2010 law: lawfulness, consent, information, quality, purpose, loyalty, proportionality and accountability. However, critical definitions such as “data processing”, “personal data” and “data controller”, which were previously aligned with international frameworks such as the GDPR, have now been altered, creating interpretative risks. Privacy Notices must now describe processing activities with greater precision, disclose whether sensitive personal data is being processed, and distinguish those activities which the data subject may choose to opt-in to or opt-out from before the collection of data takes place.

Structurally, however, the statute remains familiar. The absence of a dedicated framework for AI governance, automated decision-making or algorithmic transparency is widely viewed as a missed opportunity. Until secondary regulation or future legislative amendments address these areas, organisations must rely on internal controls and risk assessments following a data protection impact assessment methodology, together with international benchmarks to manage exposure.

2.3 Key definitional and structural updates

Updated definitions emphasise the breadth of “personal data” and recalibrate consent standards towards specificity and revocability. Privacy notices must be clearer and more granular, identifying categories of data and linking them to defined purposes. These changes heighten supply-chain accountability and reinforce the need for auditable data-processing agreements.

2.4 Consent, notices, transfers and supply-chain accountability

Consent under the new statute must be free, specific and informed, with diminished tolerance for bundling multiple purposes under broad compatibility theories. When purposes change materially, fresh consent should be obtained. Privacy notices must distinguish which purposes require consent and clearly identify sensitive data.

Although the statute no longer mandates a standalone section relating to transfers in comprehensive notices, transfer obligations themselves remain intact. Organisations should design separate, standardised transfer workflows and obtain consent where required. The definition of publicly accessible sources has been narrowed to those explicitly authorised by law, excluding datasets obtained through informal or unlawful means.

Administrative fines can reach up to 320,000 UMAs (approximately MXN40 million), with enhanced penalties for sensitive data and repeat violations. Appeals against SABG resolutions proceed through amparo, reinforcing the need for precise lawful-basis mapping, consent records and decision logs.

2.5 Implementing regulations and transitional risk

The legislative package contemplated harmonised regulations following enactment. In practice, most organisations continue to rely on the 2011 Regulations and legacy guidance, interpreting references to the former authority as applying to SABG.

As of February 2026, no updated regulations or technical corrections have been published. Market speculation persists that additional legislative amendments could precede finalised regulations, potentially rendering draft rules obsolete. In this environment, conservative compliance strategies are prudent: overdisclosure in notices, disciplined purpose limitation, low-friction re-consent mechanisms, and meticulous documentation of interpretative choices.

2.6 Institutional transition: from INAI to SABG

The shift from an autonomous regulator to an executive-branch authority marks a structural pivot. During this transition, enforcement activity slowed and official guidance became limited, prompting consumer protection agencies, financial regulators and other sector-specific authorities to step in and fill the gaps.

Given her record of strict oversight of tax regulation while serving at the tax authority, the new head of SABG was widely expected to take an equally firm approach to data protection enforcement. Her background suggested that SABG would not hesitate to pursue significant actions against major companies, including technology operators.

Early enforcement actions in January 2026, following several highly publicised cyber incidents affecting Mexican governmental and private organisations and their data subjects, already illustrate this shift: authorities initiated formal proceedings immediately and made them public from the outset. This represents a sharp departure from prior INAI practice, where preliminary review stages often allowed early clarification or resolution before escalation. The new approach indicates a greater willingness to pair legal processes with public communication to enhance deterrence. At the same time, growing calls for stronger sanctions indicate that enforcement will intensify as broader legislative reforms move forward.

While no public sanctions or judicial decisions have been issued as of early 2026, early probes suggest heightened scrutiny of data controllers and processors’ conduct and incident handling. Companies should prepare for uneven enforcement criteria and prioritise defensible governance, DPIA-style analysis for high-risk processing (such as AI and biometrics), and investigation-ready documentation.

3. Cybersecurity: Strategy Ahead of Statute

Mexico still lacks a single comprehensive cybersecurity statute. Obligations remain distributed across criminal law, data protection rules and sectoral regulation. In late 2025, however, the federal government presented a National Cybersecurity Plan (2025–2030) and a General Cybersecurity Policy for the federal administration.

These instruments signal a more co-ordinated approach to cyber risk, including centralisation of CSIRTs/CERTs, phased adoption of AI-driven defences and enhanced co-operation on incident response. Mexico remains highly exposed to ransomware, with over 150 publicly reported victims since 2019. For companies, governance is the priority: integrate cyber risk into enterprise risk management, align incident response with electronic-evidence preservation, maintain 24/7 law-enforcement contact protocols and conduct regular tabletop exercises.

Sectoral alignment is emerging, particularly in financial services and critical infrastructure, where supervisory expectations already include breach reporting and resilience testing.

4. Mexico’s New Identity Verification Framework: Key Implications for Companies

Mexico’s emergency involving forced disappearances has prompted the government to introduce sweeping reforms, centred on the creation of a unified identity verification framework known as the Plataforma Única de Identidad (PUI). Designed to consolidate biometric and administrative records, the PUI enables faster cross-agency verification and seeks to strengthen national search and identification capabilities.

A key element of the new regime is the transition to the electronic, biometric CURP, a new national identity document which replaces legacy identifiers and incorporates facial images, fingerprints and digital signatures. Any organisation classified as a “Diverse Institution”, that is, any entity maintaining records useful for identifying individuals, will be required to collect the electronic CURP. This broad definition encompasses companies with customers, users, or patient, student or employee databases across sectors such as finance, healthcare, telecommunications, insurance, transportation, education, private assistance and delivery services. Consequently, even businesses with no connection to public security must interconnect with the PUI and collaborate with law enforcement authorities, marking a significant compliance shift for nearly all data processing entities in Mexico.

To comply, organisations must connect to the PUI through secure web-service protocols, implement internal search capabilities (basic, historical and continuous), adopt cybersecurity measures aligned with a technical manual, expand breach-notification procedures and maintain updated compliance documentation. Sanctions for non-compliance are substantial, ranging from USD60,000 to USD120,000.

These reforms require companies to redesign onboarding processes to register the electronic CURP, align systems with the technical manual, strengthen privacy and cybersecurity controls, and reassess cross-border data transfers involving identity attributes. Ultimately, it is clear that Mexico is moving towards a model where identity governance and public-security objectives converge, demanding robust, multidisciplinary compliance strategies from all organisations operating in the country.

5. Real-Time Data Access Requirements: Mexico’s New Article 30-B Framework

Article 30‑B of Mexico’s Federal Fiscal Code, effective from 1 April 2026, will require certain digital platforms to grant the tax authority (SAT) permanent, real‑time access to transaction databases for tax‑verification purposes. This represents a significant departure from traditional audit mechanisms, which operate through targeted, time‑bound information requests. By enabling continuous visibility into operational and transactional data, the reform creates a potential risk of exfiltration of personal data relating to customers.

This real‑time monitoring obligation raises considerable privacy and cybersecurity concerns. Granting SAT officials unrestricted system access increases the risk of data misuse, unauthorised extraction, or cross‑referencing of sensitive information for purposes unrelated to tax compliance. To mitigate these risks, companies should deploy strict technical and procedural controls: a dedicated, access‑controlled interface rather than direct database access, read‑only access scoped to the fields and periods the verification actually requires, detailed access logs recording who queried what and under which legal basis, and mandatory on‑screen notices reminding officials of their legal duties and liabilities.

For digital businesses operating in Mexico, Article 30‑B will require a comprehensive compliance strategy. Organisations must ensure that tax‑verification access is tightly constrained, auditable, and compatible with their confidentiality obligations. This includes implementing protective controls, updating internal policies and reassessing how high‑volume data environments are monitored. Ultimately, the reform signals a shift towards far more intrusive digital‑economy enforcement, and companies will need to balance tax compliance expectations with robust protections for user data and corporate systems.
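The controls described above (a constrained interface, read-only scoped access, pseudonymisation of customer identifiers and a tamper-evident access log) can be sketched in code. The following is an added example written for this page, not code from the chapter or from any regulator; the field allow-list, the 31-day window cap, the HMAC pseudonymisation of buyer identifiers and the sample records are assumptions made for illustration, and which fields SAT may lawfully see remains a legal question for counsel.

```python
"""Added example (not from the Chambers text): a read-only, purpose-scoped and
auditable gateway for tax-verification queries over a platform's transaction
store. Assumptions: the field allow-list, the 31-day window cap, the HMAC
pseudonymisation of buyer identifiers and the sample records are illustrative
choices; which fields SAT may lawfully see is a legal question for counsel."""
import hashlib
import hmac
import json
from datetime import date, datetime, timezone

# Constructed sample records standing in for the platform's transaction table.
TRANSACTIONS = [
    {"transaction_id": "T-1001", "ts": "2026-04-02T10:15:00", "amount_mxn": 1250.0,
     "vat_mxn": 200.0, "seller_rfc": "XAXX010101000", "buyer_id": "u-77",
     "buyer_email": "ana@example.test", "card_last4": "4242"},
    {"transaction_id": "T-1002", "ts": "2026-04-03T18:40:00", "amount_mxn": 89.9,
     "vat_mxn": 14.38, "seller_rfc": "XAXX010101000", "buyer_id": "u-12",
     "buyer_email": "luis@example.test", "card_last4": "1881"},
    {"transaction_id": "T-1003", "ts": "2026-05-10T09:00:00", "amount_mxn": 540.0,
     "vat_mxn": 86.4, "seller_rfc": "XEXX010101000", "buyer_id": "u-77",
     "buyer_email": "ana@example.test", "card_last4": "4242"},
]

# Only these columns leave the gateway; contact and payment details never do.
ALLOWED_FIELDS = ("transaction_id", "ts", "amount_mxn", "vat_mxn", "seller_rfc")
MAX_WINDOW_DAYS = 31
GENESIS = "0" * 64


class AccessDenied(Exception):
    pass


class VerificationGateway:
    """Serves projected, pseudonymised rows and hash-chains every request."""

    def __init__(self, records, pseudonym_key: bytes):
        self._records = records          # read only: the gateway never writes back
        self._key = pseudonym_key        # stays with the platform, not the verifier
        self.audit_log: list[dict] = []  # append-only, each entry chained to the last
        self._prev_hash = GENESIS

    def _pseudonym(self, buyer_id: str) -> str:
        # Keyed hash: stable across queries, but the verifier cannot reverse it
        # or cross-reference it with other datasets without the platform key.
        return hmac.new(self._key, buyer_id.encode(), hashlib.sha256).hexdigest()[:16]

    def _audit(self, **fields) -> None:
        entry = dict(fields, recorded_at=datetime.now(timezone.utc).isoformat(),
                     prev_hash=self._prev_hash)
        body = json.dumps(entry, sort_keys=True).encode()
        entry["entry_hash"] = hashlib.sha256(body).hexdigest()
        self.audit_log.append(entry)
        self._prev_hash = entry["entry_hash"]

    def query(self, official_id: str, legal_basis: str, start: str, end: str) -> list[dict]:
        """start/end are ISO dates; every call, allowed or not, is logged."""
        start_d, end_d = date.fromisoformat(start), date.fromisoformat(end)
        if not legal_basis.strip():
            self._audit(official=official_id, basis=legal_basis, window=[start, end],
                        outcome="denied", reason="no legal basis recorded")
            raise AccessDenied("a legal basis reference is required")
        if end_d < start_d or (end_d - start_d).days > MAX_WINDOW_DAYS:
            self._audit(official=official_id, basis=legal_basis, window=[start, end],
                        outcome="denied", reason="window exceeds policy")
            raise AccessDenied(f"window must be at most {MAX_WINDOW_DAYS} days")
        rows = []
        for rec in self._records:
            if start_d <= datetime.fromisoformat(rec["ts"]).date() <= end_d:
                projected = {k: rec[k] for k in ALLOWED_FIELDS}
                projected["buyer_ref"] = self._pseudonym(rec["buyer_id"])
                rows.append(projected)
        self._audit(official=official_id, basis=legal_basis, window=[start, end],
                    outcome="ok", rows_returned=len(rows))
        return rows


def verify_audit_chain(log: list[dict]) -> bool:
    """True if no entry was altered, removed or reordered since it was written."""
    prev = GENESIS
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if entry["prev_hash"] != prev or digest != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


if __name__ == "__main__":
    gw = VerificationGateway(TRANSACTIONS, b"platform-side-secret")
    for row in gw.query("SAT-official-0001", "CFF art. 30-B, request ref. 123",
                        "2026-04-01", "2026-04-30"):
        print(row)
    print("audit chain intact:", verify_audit_chain(gw.audit_log))
```

The design point is that minimisation and accountability are enforced at the interface, not by policy alone: the verifier never touches the underlying table, denied requests are logged with the same rigour as successful ones, and because each log entry commits to the previous one, later deletion or editing of a single entry is detectable with `verify_audit_chain`. In production the log would be written to append-only storage and the pseudonymisation key kept in an HSM or secrets manager.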

6. International Context: USMCA and the UN Cybercrime Convention

The USMCA Digital Trade Chapter continues to anchor Mexico’s cross-border data strategy. The first joint review, scheduled for July 2026, is expected by many observers to increase discussions regarding cybersecurity co-operation, AI governance and automated decision-making transparency. Even in the absence of immediate binding outcomes, supervisory expectations and contractual standards often evolve in parallel with these reviews.

Separately, the UN Convention against Cybercrime, opened for signature in Hanoi in October 2025, establishes a framework for harmonised cybercrime definitions, 24/7 co-operation mechanisms and standardised electronic-evidence preservation. Mexico has characterised the Convention as a historic step towards improved evidence sharing. Corporate incident response programmes should anticipate expedited evidence requests and stricter chain-of-custody expectations.
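Expedited evidence requests and chain-of-custody expectations are easier to meet if acquisition is documented at collection time. The following is an added example written for this page, not code from the chapter or from any authority: it builds a manifest with a SHA-256 digest per collected file, appends custody events that are bound to the manifest and to each other, and re-verifies the whole set later. The manifest layout, the field names and the constructed sample log files are assumptions made for illustration.

```python
"""Added example (not from the Chambers text): an acquisition manifest with
per-file SHA-256 digests and a chained chain-of-custody record, so preserved
evidence can later be shown unaltered. Assumptions: the manifest layout, field
names and the constructed sample log files are illustrative choices."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _digest(obj: dict) -> str:
    # Canonical JSON so the same content always hashes the same way.
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def create_sample_evidence() -> Path:
    """Constructed sample files standing in for logs pulled from a host."""
    root = Path(tempfile.mkdtemp(prefix="evidence-"))
    (root / "auth.log").write_text(
        "2026-01-14T03:12:09Z sshd[412]: Failed password for admin from 203.0.113.7\n")
    (root / "web").mkdir()
    (root / "web" / "access.log").write_text(
        '203.0.113.7 - - [14/Jan/2026:03:13:01 +0000] "GET /admin HTTP/1.1" 401 0\n')
    return root


def manifest_digest(manifest: dict) -> str:
    core = {k: manifest[k] for k in ("case_id", "collected_by", "collected_at", "files")}
    return _digest(core)


def build_manifest(root: Path, case_id: str, collector: str) -> dict:
    """Walk the acquisition directory and fix every file's size and SHA-256."""
    files = [{"path": p.relative_to(root).as_posix(), "size": p.stat().st_size,
              "sha256": sha256_file(p)}
             for p in sorted(root.rglob("*")) if p.is_file()]
    manifest = {"case_id": case_id, "collected_by": collector,
                "collected_at": datetime.now(timezone.utc).isoformat(), "files": files}
    manifest["manifest_sha256"] = manifest_digest(manifest)
    manifest["custody"] = []
    return manifest


def record_custody(manifest: dict, actor: str, action: str, note: str = "") -> dict:
    """Append a custody event bound to the manifest and to the previous event."""
    custody = manifest["custody"]
    prev = custody[-1]["entry_sha256"] if custody else manifest["manifest_sha256"]
    entry = {"actor": actor, "action": action, "note": note,
             "at": datetime.now(timezone.utc).isoformat(), "prev_sha256": prev}
    entry["entry_sha256"] = _digest(entry)
    custody.append(entry)
    return entry


def verify(manifest: dict, root: Path) -> list[str]:
    """Return a list of problems; an empty list means the set still matches."""
    problems = []
    if manifest_digest(manifest) != manifest["manifest_sha256"]:
        problems.append("manifest digest mismatch")
    for entry in manifest["files"]:
        path = root / entry["path"]
        if not path.is_file():
            problems.append(f"missing: {entry['path']}")
        elif sha256_file(path) != entry["sha256"]:
            problems.append(f"modified: {entry['path']}")
    prev = manifest["manifest_sha256"]
    for i, event in enumerate(manifest["custody"]):
        body = {k: v for k, v in event.items() if k != "entry_sha256"}
        if event["prev_sha256"] != prev or _digest(body) != event["entry_sha256"]:
            problems.append(f"custody entry {i} broken")
        prev = event["entry_sha256"]
    return problems


if __name__ == "__main__":
    root = create_sample_evidence()
    manifest = build_manifest(root, "IR-2026-001", "j.perez")
    record_custody(manifest, "j.perez", "collected", "pulled from web-01 via read-only mount")
    record_custody(manifest, "legal", "sealed", "handed to counsel for authority request")
    print(json.dumps(manifest, indent=2))
    print("problems:", verify(manifest, root))
```

The manifest and its custody events should be stored separately from the evidence itself (and ideally signed or timestamped by a party other than the collector) so that a later `verify` run can demonstrate both that the files are the ones collected and that the custody history has not been rewritten. Hashing alone does not prove when something was collected; the timestamps here are only as trustworthy as the clock and the process that recorded them.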

7. Practical Roadmap for Doing Business in Mexico in 2026

A practical compliance roadmap should begin by determining whether a company falls within the scope of a “Diverse Institution” under Article 12 Bis of the Ley General en Materia de Desaparición Forzada de Personas, as amended in 2025, and by extension under the interconnection obligations created through the Ley General de Población, as well as whether it qualifies as a “Digital Platform” under Article 30-B of the Federal Fiscal Code. This threshold assessment will determine the breadth of compliance duties and the pace at which implementation must occur.

Once within scope, organisations should begin by mapping the types of data they hold, focusing specifically on transaction-level information and identity-related data that may be subject to access requests. This includes both historical and recent information that may need to be made available to different authorities operating under varying technical environments and procedural rules. Any collaboration with authorities must also ensure robust traceability and auditable evidence of access.

In parallel, companies should assess the maturity of their cybersecurity position against OWASP and NIST benchmarks, as required by the PUI framework. This involves aligning internal programmes with national cybersecurity expectations, assigning accountable owners, inventorying critical assets, exercising incident response capabilities and integrating mechanisms for the preservation of electronic evidence. From there, organisations should initiate the development and deployment of the mandatory PUI endpoints, together with the redesign of onboarding and data collection processes to ensure compliant intake and management of identification data.

These operational changes must be accompanied by a full refreshment of privacy notices. Notices should be concise, specific, and explicit about categories of personal and sensitive data. Any consent-dependent activities must be clearly identified, and cross-border transfers must be supported by standardised, well-documented workflows. Consent management itself requires renewed rigour, as legacy reliance on broad or “compatible” purposes is becoming increasingly unsustainable. If a company is using AI tools to monitor or predict employee conduct or behaviour, implementation should comply with privacy laws, and candidate and employee privacy notices should be refreshed as well.

Data processors must be treated as material compliance risks, with contracts that reflect statutory obligations concerning security, sub-processing controls, breach notification standards and audit rights.

Finally, companies should re-baseline their records of processing, lawful basis mapping and accountability documentation. With judicial oversight potentially weakening, investigation-ready files, such as DPIAs for high-risk processing, incident reports, vendor due diligence records, system logs and training documentation, are becoming essential safeguards. This strengthened governance will be critical as organisations navigate a regulatory environment in which identity, security and enforcement frameworks converge.

8. Sector Notes

8.1 Financial services

Institutions already face stringent supervisory expectations regarding breach reporting, governance and resilience testing. The national cybersecurity agenda is likely to reinforce electronic-evidence preservation and inter-institutional co-operation. Vendors should be subject to equivalent testing and drills.

8.2 Consumer and e-commerce

Narrowed definitions of publicly accessible sources and refined consent mechanics require renewed scrutiny of marketing data acquisition. Privacy notices, cookie banners and preference centres should align with purpose specificity and retention transparency.

8.3 Health and life sciences

Sensitive data handling and identity flows demand heightened risk assessment, particularly in telemedicine and employee benefits programmes. Clinical and HR governance should be co-ordinated to align access controls, logging and retention with sensitivity and risk.

9. Governance, Rights and Civil Liberties

Centralised digital identity and executive-branch oversight of privacy have prompted a sustained civil-liberties debate. For companies, the most sustainable position is technical neutrality anchored in privacy by design: collect only what is necessary, document proportionality, encrypt thoroughly and enable meaningful user controls.

Data-subject rights (known as ARCO rights) remain formally intact, but procedural expectations may tighten under SABG, particularly in regard to identity verification and response documentation. Automated decision-making remains largely unregulated, increasing the importance of internal safeguards, human-in-the-loop processes, explainability documentation and risk assessments, especially in credit, insurance, employment and mobility contexts.

10. What to Watch For

Key developments to monitor include publication of harmonised LFPDPPP regulations, potential technical corrections to statutory text, and early enforcement signals from SABG. The first judicial decisions from specialised courts will shape practical boundaries regarding consent, notices and accountability.

Digital platforms should begin developing cybersecurity and technical governance standards that allow companies to provide controlled and secure access to their information when required by tax authorities. At the same time, organisations should expect the electronic CURP to become the default mechanism for identifying employees and customers across a wide range of sectors, as Mexico continues to implement biometric-based identity verification. In parallel, companies should anticipate a growing volume of information requests from police and investigative authorities, who, under several of the 2025 reforms, may increasingly rely on corporate datasets for real-time or near-real-time investigative purposes.

Internationally, Mexico’s ratification and implementation of the UN Convention against Cybercrime and the outcomes of the USMCA 2026 review will influence electronic-evidence standards, cross-border data governance and AI-related expectations. Organisations that track these developments and maintain disciplined, well-documented governance will be well positioned to adapt incrementally rather than rebuild wholesale.

Mexico’s 2025–2026 privacy and cybersecurity environment is dynamic but navigable. Anchor compliance with the new statutory text, interpret consent and notice requirements conservatively, and pre-wire security and incident response programmes for cross-border evidence co-operation. Treat 2026 as a reset year: tighten controls now so future regulatory clarity is a matter of evolution rather than revolution.

Baker McKenzie

Pedregal 24, 12th floor
Lomas Virreyes / Col. Molino del Rey
Mexico City, 11040
Mexico

+52 55 5279 2900

Adrian.Rodriguez-Montfort@bakermckenzie.com www.bakermckenzie.com/en/locations/latin-america/mexico
