🇲🇽 Mexico
Informations
Extracts :
Extract :
Their is not evidence that Mexico has a clear definition of Data Subject, that applies to all the sectors, regarding for regulating personal data privacy.
2021
Reference :
Data protection during employment | DataGuidance
Information on data protection during employment - MEX
Extracts :
Extract :
Their is not evidence that Mexico has a clear definition of Data Subject, that applies to all the sectors, regarding for regulating personal data privacy.
2021
Reference :
Data protection during employment | DataGuidance
Information on data protection during employment - MEX
Extracts :
Extract :
Their is not evidence that Mexico has a clear definition of Data Subject, that applies to all the sectors, regarding for regulating personal data privacy.
2021
Reference :
Data protection during employment | DataGuidance
Information on data protection during employment - MEX
Extracts :
Extract :
"In general terms, and unlike the GDPR, the Federal Law does not apply extraterritorially, nor does it ex- plicitly regulate goods and services or monitoring from abroad. The Federal Law does, however, specify that it applies to corporate bodies incorporated outside of Mexico."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - MEX
Extracts :
Extract :
"2.2. Territorial scope
The Regulation establishes the territorial scope of application, by stating that the Regulation applies to
all processing of personal data that:
• is carried out in a data controller's establishment located in Mexico;
• is carried out by a data processor, regardless of location, on behalf of a data controller estab-lished in Mexico;
• is carried out when the data controller is not established in Mexico, but is subject to Mexican
laws under a contractual agreement or due to international law; and
• is carried out by a data controller that is not established in Mexico but uses means located in
Mexico, unless such means are used only for transit purposes."
2021
Reference :
Mexico Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
“Data controller: The 'responsible party' is defined as the natural or legal private person that decides on
the processing of personal data. (Article 3, XIV, of the Law).
Data processor: The 'person in charge' is the individual or legal entity that, alone or jointly with others,
processes personal data on behalf of the data controller (Article. 3, IX, of the Law).”
2021
Reference :
Mexico Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2023
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"administrative remedies from regulators and law enforcement
Monetary penalties as high as USD 1.5 million and USD 3 million when Sensitive Personal Data is involved
Administrative warnings"
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"With regard to violations committed in processing sensitive data, sanctions may be increased up to double the established amounts...(II) a fine from 100 to 160,000 days of the Mexico City minimum wage (approx. €355 to €568,000), in the cases described in Article 63(II) to (VII) of the Federal Law;"
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - MEX
Extracts :
Extract :
"Neither the Federal Law nor the Regulations provide for sanctions that equate to a percentage of turnover."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - MEX
Extracts :
Extract :
"Article 68 of the Federal Law: Six months to five years imprisonment will be imposed on any person who, with the aim of achieving unlawful profit, processes personal data deceitfully, taking advantage of an error of the data subject or the person authorised to transmit such data."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - MEX
Extracts :
Extract :
Data entered based on reference.
2021
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"Under the Law on Personal Data, the data subject has the right to lodge a complaint with the supervi- sory authority."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - MYS
Extracts :
Extract :
"Article 68 of the Federal Law: Six months to five years imprisonment will be imposed on any person who, with the aim of achieving unlawful profit, processes personal data deceitfully, taking advantage of an error of the data subject or the person authorised to transmit such data."
2021
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - MEX
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"Unlike the GDPR, the PDPA does not require or refer to DPIAs."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - MYS
Extracts :
Extract :
"The PDPA does not explicitly refer to pseudonymised data."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - MEX
Extracts :
Extract :
"The PDPA does not explicitly require data breach notification to data subjects."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - MEX
Extracts :
Extract :
"The PDPA does not explicitly require data breach notification to the PDP."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - MEX
Extracts :
Extract :
"The PDPA does not explicitly require data processors to report data breaches."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - MEX
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"Data subjects have the right to object, on legitimate grounds, to the processing of their personal data."
2021
Reference :
Mexico Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"There is no express right to data portability."
2022
Reference :
Data Protection in different countries | Linklaters
Database for comparing other databases for the same information on data protection
Link to reference Extracts :
Extract :
"Not applicable."
2021
Reference :
Mexico Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"8.1. Right to be informed
Data controllers must inform data subjects, prior to collecting their personal data, of the characteristics
of the processing. The document must include, at a minimum, the following information:
• the identity and address of the data controller;
• the purposes of the processing; the options and means offered by the data controller to the
data subject to limit the use or disclosure of his/her data;
• the means for exercising ARCO rights;
• the means for exercising the right to revoke consent to the processing;
• the transfers of data that the data controller intends to make, if any; and
• the procedure and means by which the data controller will notify the data subject of any
changes to the privacy notice."
2021
Reference :
Mexico Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"8.2. Right to access
Data subjects have the right to request access to their personal data from data controllers."
2021
Reference :
Mexico Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"8.3. Right to rectification
Data subjects have the right to request that their personal data be rectified where it is either out of date
or inaccurate."
2021
Reference :
Mexico Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
"8.4. Right to erasure
Data subjects have the right to request the deletion of personal data where the purposes of the processing
have been fulfilled."
2021
Reference :
Mexico Data protection overview | DataGuidance
(Data Protection Overview 2021)/ DataGuidance reports
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"Transfers of personal data to third countries are not restricted to the extent that they comply with the FDPL. In general, data subjects need to be informed of transfers of personal data in the privacy notice and their consent is required, unless one of the exceptions considered in Article 37 of the FDPL applies."
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"Transfers of personal data to third countries are not restricted to the extent that they comply with the FDPL. In general, data subjects need to be informed of transfers of personal data in the privacy notice and their consent is required, unless one of the exceptions considered in Article 37 of the FDPL applies."
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"Transfers of personal data to third countries are not restricted to the extent that they comply with the FDPL. In general, data subjects need to be informed of transfers of personal data in the privacy notice and their consent is required, unless one of the exceptions considered in Article 37 of the FDPL applies."
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
International Data transfer Agreements | DataGuidance
Comparison of international data transfer agreements
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"There are national security provisions, which state that information processed by governmental entities classified as national security and public information shall be stored within the facilities of the relevant public entities."
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
International Data transfer Agreements | DataGuidance
Comparison of international data transfer agreements
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"Article 39(X) of the Federal
Law places an obligation on
the National Institute for
Transparency, Access to
Information and Personal
Data Protection ('INAI') to
carry out studies of the im-
pact on privacy prior to the
implementation of new
types of processing of per-
sonal data or material modification of existing types of processing."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - MEX
Extracts :
Extract :
"Unlike the GDPR, the PDPA does not require the appointment of a DPO."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - MEX
Extracts :
Extract :
"Unlike the GDPR, the PDPA does not require the appointment of a DPO."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - MEX
Extracts :
Extract :
"Unlike the GDPR, the PDPA does not require the appointment of a DPO."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - MEX
Extracts :
Extract :
"Unlike the GDPR, the PDPA does not require the appointment of a DPO."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - MEX
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"It is necessary to mention in the Privacy Notice the name and domicile (contact information) of the person or department that will be responsible for the collection, use and storage of the personal data."
Reference :
ICLG Website
Link to reference Extracts :
Extract :
"Not applicable."
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - MEX
Extracts :
Extract :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extract :
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extract :
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extract :
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extract :
Extracts :
Extract :
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference Extracts :
Extract :
"The PDPA does not provide specific exemptions from data processing record requirements"
2022
Reference :
GDPR vs countries' comparison | DataGuidance
Comparison of GDPR vs countries' data protection laws, definitions etc. - MEX
Extracts :
Extract :
Data entered based on reference.
2022
Reference :
Global Data Security Handbook
BakerMckenzie
Link to reference | Name | Short name | Classification | Jurisdiction | Year of creation |
|---|---|---|---|---|
| Federal Economic Competition Commission (Comisión Federal de Competencia Económica, or COFECE) | Regulator | Under the government authority | 1993 | |
| Federal Telecommunications Institute (Instituto Federal de Telecomunicaciones, or IFT) | Regulator | Independant agency | 2013 | |
| National Institute of Transparency, Access to Information and Protection of Personal Data (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales, or INAI) | INAI | Regulator | Independant agency | 2014 |
| Ministry of Economy (Secretaría de Economía, or SE) | Regulator | Ministry | 1917 | |
| Mexican Central Bank (Banco de México) | Regulator | Under the government authority | 1925 |
| Legal text name | Original text name | Legislation type | Year signed | Regulation status | In effect since | Latest update initiated | Latest update areas | Latest update signed year |
|---|---|---|---|---|---|---|---|---|
| General Law on Protection of Personal Data Held by Mandated Parties | Federal Law on the Protection of Personal Data held by Private Parties (LFPDPPP) | General privacy/data protection law | 2010 | Active | 2010 | 2017 | 2017 |