Mexico’s Data Protection Law

Like many countries of the world, Mexico has adopted the international trend of ensuring the privacy and security of its people. On July 6, 2010, a federal law was enacted that further protected the personal data held by private organizations.

This data law places a major responsibility on data controllers and requires them to have appropriate administrative, technical, and physical safeguards to ensure the protection of their customers' personal data.

Basics of Mexico’s Data Protection Law

The main objective of this law is to protect personal data of customers and employees by establishing foundational principles and implementing them in the entire region of Mexico. The main purpose of this law is to guarantee the safety of people’s personal information and the right of all people to act to protect their personal information from being unlawfully collected.

To further understand this law’s concept, take a look at the Mexican commissioner’s statement on institutional transparency and access to information and protection of personal data.

According to the statement:

“The approval of general law for protection of personal data by Mexico’s legislature represents a significant advancement for the right of people to control the handling of their personal information.”

If you look at the legal framework of data protection, you’ll understand that it is covered by Articles 66 and 16 in the Mexican constitution. According to this framework, the Mexican Data Protection Law is part of the federal law. The detailed rules and regulations of this law were published in July 2010 and implemented in December 2011.

Parameters of the Mexican Data Protection Law

Remember that the Executive Branch is responsible for the issuance of major rules and regulations, while also playing a vital role in determining the parameters of the data protection law of Mexico. Here is what the Executive Branch has issued:

  • All basic rules and regulations regarding the data protection of customers (while dealing with businesses) and their implementation, which practically entered into force on December 22, 2011.
  • The General Law for the Protection of Personal Data in Possession of Obligated Subjects (Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados), which came into force on January 27, 2017.
  • All recommendations on personal data security that were provided by private parties. These were practically implemented on November 30, 2013.
  • The basic Privacy Notice Guidelines which involve all procedures for taking action against parties who do not follow the privacy rules and regulations, especially the terms mentioned in the Mexican Data Protection Law. These guidelines were implemented on April 18, 2013.

After the issuance of details and basic information related to the Mexican Data Protection Law, the official gazette of the federation published a decree approving all of these rules and regulations on June 12, 2018.

When do the Mexican regulations apply to personal data processing?

Mexican data privacy regulations apply to personal data processing when:

  • Information is processed in the facility of the data controller located in Mexican territory.
  • These regulations may also apply when Mexico adheres to an international convention and the Mexican legislation becomes applicable.

Here it is worth mentioning that the Mexican Data Protection Law is applicable only to private individuals and legal entities that are responsible for the processing of personal data. In other words, it applies to government or credit reporting companies.

Is there any other general legislation that impacts data protection in Mexico?

This is the most frequently asked question about the Mexican rules and regulations. The answer to this question is yes. There is another general law for the protection of personal data which is quite similar to the Mexican data protection law. The Data Protection Law or Mexican Data Protection Law and International General Legislation Law both follow the same international rules and regulations. These two laws both have similar objectives.

If we compare these data laws, we’ll notice strong similarities between the criminal codes. There are also the Law for the Regulation of Credit Information Companies and the Consumer Protection law, with several specific provisions in the civil code commerce quota which resemble those of the Data Protection Law.

What authorities are responsible for data protection in Mexico?

The authorities which are responsible for the implementation of the Mexican Data Protection Law include the National Institute of Transparency and its Personal Data Protection subinstitutes.

These institutes keep records of all public information and check whether the individuals are able to practice their right of securing their personal data. It is important to note that there are multiple authorities throughout the country, such as local government bodies, that they can utilise to investigate the overall level of implementation of Mexican Data Protection Law.

They have the right to conduct investigations, view and sanction the data protection practices, control, oversee and revoke the certifying entities, etc.

The Role of Ministry of Economy

As we know, businesses are deeply connected with all economic processes. In other words, economic conditions greatly impact the relationship between consumers and businesses. For this reason, the Mexican government holds this Ministry responsible for educating and providing information regarding the protection of personal data between global and national corporations that have commercial activities in Mexican territory.

Does a Mexican data protection law apply only to businesses?

Remember that the Mexican Data Protection Law is very vast and applies to businesses established in other jurisdictions. In most cases, businesses established in another jurisdiction will also be subject to the rules and regulations mentioned in the Mexican Data Protection Law if they operate in Mexican territory.

It is important to eliminate the misconception that the Mexican Data Protection Law is limited to the PII Controllers established and operating in Mexican territory only. International companies with headquarters or operations in Mexico need to comply with this law as well.

What are the key principles of Mexican data protection laws that apply to the processing of personal data?

Here are several key principles of the Mexican Data Protection Law. Without this golden set of rules, the implementation of the Mexican Data Protection Law is not possible.

1. Transparency

Although it is not clearly explained and defined in the law, it is the most important principle of the Mexican Data Protection Law. This principle covers all details regarding the collection, storage and usage of personal data. This information should be readily available to the affected person. Moreover, there is a dire need to avoid disrespectful and fraudulent use of personal information.

3. Lawful basis for processing

The legislation and processing of personal information can only be carried out according to the principles set forth in the law and international treaties. With this in mind, if organizations are going to use personal information for legal purposes, but it is not according to the principles mentioned in the law, then the organization is bound to provide proof of its lawful basis for processing.

4. Purpose limitation

Personal data can only be utilized according to the rules set forth in the Privacy Notice. It is important to note that the Privacy Notice is unique and provides a specific reason for which personal information is being collected and processed.

The Privacy Notice must be clear enough to provide every detail without keeping anything ambiguous or confusing.

5. Retention

The meaning of retention is quite clear. It means that the company is responsible for retaining data only for the specific time necessary to legally complete the task. In other words, companies have no right to keep the data after its main purpose is fulfilled.

The Mexican Data Protection Law strictly orders organizations to block, cancel, and suppress personal data after using the information for the particular purpose.

6. Quality

This principle of the Mexican Data Protection Law ensures that the processed personal data is accurate, complete and correct. Moreover, it must be updated and comply with the purpose for which it is being collected.

Make sure to follow these key principles found within the Mexican Data Protection Law that ensure the protection of personal data to keep your data safe!
