1.1 What is the principal data protection legislation?
The legal framework for data protection is found in Articles 6 and 16 of the Mexican Constitution, as well as in the Federal Law for the Protection of Personal Data Held by Private Parties, published in July 2010, and its Regulations, published in December 2011 (hereinafter the "FLPPDHPP").
1.2 Is there any other general legislation that impacts data protection?
Yes, as follows: the General Law for the Protection of Personal Data in the Possession of Obliged Subjects, which regulates the processing of personal information in the possession of any Federal, State or local authority (the "Law"); the Privacy Notice Rules, published in January 2013; the Binding Self-Regulation Parameters, also published in January 2013; and the General Guidelines for the Protection of Personal Data for the public sector (Federal, State or local authorities). It is worth mentioning that Mexican data protection laws and general legislation follow international correlative laws, directives and statutes, and thus have similar principles, regulatory scope and provisions. Moreover, there are other laws such as: the Criminal Code; the Law for the Regulation of Credit Information Companies; the Law for Regulating Financing Technology Institutions; provisions set forth in the Copyright Law and the Federal Law for Consumer Protection; and some specific provisions set forth in the Civil Code and the Commerce Code, which are also related to data protection.
1.3 Is there any sector-specific legislation that impacts data protection?
Mexican data protection legislation is not based on sectoral laws. The Law, as described above, regulates the collection and processing of any personal information ("PI") by any private entity acting as a Controller or Processor, which impacts any sector that is involved in any sort of personal data collection or processing.
1.4 What authority(ies) are responsible for data protection?
The National Institute of Transparency, Access to Information and Personal Data Protection ("INAI") is the authority responsible for overseeing the Law. Its main purpose is the disclosure of governmental activities, budgets and overall public information, as well as the protection of personal data and individuals' right to privacy. The INAI has the authority to: conduct investigations; review and sanction data protection Controllers; and authorise, oversee and revoke certifying entities.
The Ministry of Economy is responsible for informing and educating national and international corporations with commercial activities in the Mexican territory about the obligations regarding the protection of personal data. Among other responsibilities, it must issue the relevant guidelines for the content and scope of the Privacy Notice, in cooperation with the INAI.
2.1 Please provide the key definitions used in the relevant legislation:
3.1 Do the data protection laws apply to businesses established in other jurisdictions? If so, in what circumstances would a business established in another jurisdiction be subject to those laws?
Mexican data protection law is not limited to PI Controllers established or operating in Mexican territory. Although the Law does not provide a specific reach or scope of its applicability, the Regulations to the Law do. In this regard, such regulations (and, therefore, the Law), in addition to being applicable to companies established or operating under Mexican law (whether or not located in Mexican territory), apply to companies not established under Mexican law that are subject to Mexican legislation derived from the execution of a contract or under the terms of international law.
Additionally, Mexican regulations on data protection apply to: company establishments located in the Mexican territory; persons or entities not established in the Mexican territory but using means located in such territory, unless such means are used merely for transition purposes that do not imply a processing or handling of personal data; and cases where the Controller is not established in the Mexican territory but the person designated as the party in charge of the control and management of its personal data (a service provider) is.
In the case of individuals, the establishment will mean the location of the main place of business or location customarily used to perform their activities or their home.
4.1 What are the key principles that apply to the processing of personal data?
Originally published by ICLG.