{"id":105506,"date":"2025-04-29T10:14:15","date_gmt":"2025-04-29T10:14:15","guid":{"rendered":"https:\/\/my.legal500.com\/guides\/?post_type=comparative_guide&#038;p=105506"},"modified":"2025-08-19T10:23:58","modified_gmt":"2025-08-19T10:23:58","slug":"mexico-data-protection-cybersecurity","status":"publish","type":"comparative_guide","link":"https:\/\/my.legal500.com\/guides\/chapter\/mexico-data-protection-cybersecurity\/","title":{"rendered":"Mexico: Data Protection &amp; Cybersecurity"},"content":{"rendered":"","protected":false},"template":"","class_list":["post-105506","comparative_guide","type-comparative_guide","status-publish","hentry","guides-data-protection-cybersecurity","jurisdictions-mexico"],"acf":[],"appp":{"post_list":{"below_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">Bello, Gallardo, Bonequi y Garc\u00eda, S.C.<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2025\/04\/LOGO-bgbg.png\"\/><\/span><\/div>"},"post_detail":{"above_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">Bello, Gallardo, Bonequi y Garc\u00eda, S.C.<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2025\/04\/LOGO-bgbg.png\"\/><\/span><\/div>","below_title":"<span class=\"guide-intro\">This country specific Q&amp;A provides an overview of Data Protection &amp; Cybersecurity laws and regulations applicable in Mexico<\/span><div class=\"guide-content\"><div class=\"filter\">\r\n\r\n\t\t\t\t<input type=\"text\" placeholder=\"Search questions and answers...\" class=\"filter-container__search-field\">\r\n\t\t\t<\/div>\r\n\r\n\t\t\t\r\n\r\n\r\n\t\t\t<ol class=\"custom-counter\">\r\n\r\n\t\t\t\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please provide an overview of the legal and regulatory framework 
governing data protection, privacy and cybersecurity in your jurisdiction (e.g., a summary of the key laws; who is covered; what sectors, activities or data do they regulate; and who enforces the relevant laws).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In Mexico, data protection is regulated by two separate laws, depending on whether the data is processed by private or by public controllers.<\/p>\n<p>\u201cPrivate\u201d controllers are regulated by the recently published (<a href=\"https:\/\/dof.gob.mx\/nota_detalle.php?codigo=5752569&amp;fecha=20\/03\/2025\">March 20, 2025<\/a>) Federal Law on the Protection of Personal Data Held by Private Parties (hereinafter, the Mexican Data Protection Law or MDPL). This new law replaced the 2010 Federal Law on the Protection of Personal Data Held by Private Parties, introducing a few changes to the latter.<\/p>\n<p>The MDPL is the main legal instrument regulating the processing of personal data by natural and legal persons across all private sectors, when they act as controllers or processors. 
It establishes:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Core data processing principles (e.g., consent, lawfulness, purpose limitation, minimization, accountability, etc.),<\/li>\n<li>ARCO rights (Access, Rectification, Cancellation, and Opposition),<\/li>\n<li>Security and confidentiality obligations,<\/li>\n<li>Requirements for privacy notices,<\/li>\n<li>Sanctions for non-compliance.<\/li>\n<\/ul>\n<p>On the other hand, the new General Law on the Protection of Personal Data Held by Obligated Entities (also published on March 20, 2025) regulates the processing of personal data by federal, state and municipal authorities, as well as autonomous bodies, political parties, trusts, and public funds; this law establishes general provisions that must be implemented by the 32 Mexican States.<\/p>\n<p>Unless otherwise indicated, the content of this Guide will be focused on the provisions of the MDPL.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any expected changes in the data protection, privacy or cybersecurity landscape in 2025 - 2026 (e.g., new laws or regulations coming into effect, enforcement of such laws and regulations, expected regulations or amendments)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As part of the administrative simplification initiatives carried out by the Mexican Government that began in October 2024, the autonomous authority known as \u201cINAI\u201d (the National Institute for Transparency, Access to Information and Protection of Personal Data) was dissolved and its former data protection enforcement powers were transferred to the Ministry of Anticorruption and Good Governance (SACBG, for its abbreviation in Spanish). 
The SACBG is the new Mexican data protection authority.<\/p>\n<p>The new MDPL was published on March 20, 2025, and it is already in effect. The most substantial changes are the following:<\/p>\n<ol style=\"padding-left: 0\">\n<li>Simplified privacy notice: the law introduces the obligation to make a simplified notice available whenever the data is obtained by electronic, visual, optical or similar means, and to include in it the website where the comprehensive notice can be consulted.<\/li>\n<li>Publicly accessible sources: their scope is narrowed by clarifying that sources whose information has an unlawful origin are not considered publicly accessible.<\/li>\n<li>Consent: the cases in which the consent of the data subject is NOT required are expanded, including:\n<ul style=\"padding-left: 5\">\n<li>When a legal provision states it,<\/li>\n<li>To exercise a right,<\/li>\n<li>When there is a court order, resolution or justified and motivated mandate from a competent authority.<\/li>\n<\/ul>\n<\/li>\n<li>Elimination of analogous purposes: It is no longer possible to process personal data for purposes &#8220;compatible or analogous&#8221; to those originally foreseen in the privacy notice.<\/li>\n<li>Modifications to the right to object: data subjects may now object to processing by artificial intelligence systems or automated means intended to review, evaluate or predict personal aspects such as professional performance, health, economic situation, reliability or behavior, when such processing causes undesired legal effects or affects their interests, rights or freedoms.<\/li>\n<\/ol>\n<p>It is important to note that before June 20, 2025, the Mexican President must issue and publish the new Regulations to the MDPL. 
Once these new Regulations enter into force, there will be certainty about the full scope of the new data protection provisions applicable in Mexico.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any registration or licensing requirements for entities covered by these data protection and cybersecurity laws, and if so what are the requirements? Are there any exemptions? What are the implications of failing to register \/ obtain a licence?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>No.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How do the data protection laws in your jurisdiction define \u201cpersonal data,\u201d \u201cpersonal information,\u201d \u201cpersonally identifiable information\u201d or any equivalent term in such legislation (collectively, \u201cpersonal data\u201d)? Do such laws include a specific definition for special category or sensitive personal data? What other key definitions are set forth in the data protection laws in your jurisdiction (e.g., \u201ccontroller\u201d, \u201cprocessor\u201d, \u201cdata subject\u201d, etc.)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><ul style=\"padding-left: 0\">\n<li><strong>Personal data<\/strong> is defined as any information concerning an identified or identifiable person. 
A person is identifiable when their identity can be determined directly or indirectly through any information.<\/li>\n<li><strong>Sensitive personal<\/strong> data is defined as the data that affects the most intimate sphere of the data subject, or whose improper processing may cause discrimination or harm for the subject. The definition also provides some examples, such as: racial or ethnic origin, present or future health status, genetic information, religious, philosophical and moral beliefs, political opinions and sexual preferences.<\/li>\n<li>A <strong>controller<\/strong> is an individual or private legal entity that carries out (and decides on) the processing of personal data.<\/li>\n<li>A <strong>processor<\/strong> is defined as a natural or legal person who alone or jointly with others processes personal data on behalf of the controller.<\/li>\n<li>A <strong>data subject<\/strong> is the person to whom the personal data corresponds.<\/li>\n<li><strong>(Data) processing<\/strong> is any operation or set of operations performed by means of manual or automated procedures applied to personal data, related to the collection, use, recording, organization, preservation, processing, communication, dissemination, storage, possession, access, handling, disclosure, transfer or disposal of personal data.<\/li>\n<li>The final key definition pertains to data transfers. Mexican law distinguishes between <strong>data transfers<\/strong> and <strong>data transmissions<\/strong>. A data transfer is defined as any communication of personal data, whether within or outside Mexican territory, to a party other than the data subject, controller, or processor. 
In contrast, transmission refers to the communication of personal data between the controller and the processor, regardless of the processor\u2019s location.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What principles apply to the processing of personal data in your jurisdiction? For example: is it necessary to establish a \u201clegal basis\u201d for processing personal data?; are there specific transparency requirements?; must personal data only be kept for a certain period? Please provide details of such principles.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><strong>1. Principles<\/strong><\/p>\n<p>The MDPL establishes the following principles for personal data processing:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Lawfulness: Data must be collected and processed in compliance with the laws.<\/li>\n<li>Consent: Explicit or tacit consent from the data subject must be obtained in order to process their personal data.<\/li>\n<li>Information: Data subjects must be informed of how their data will be processed through a privacy notice.<\/li>\n<li>Accuracy: Data must be accurate, complete, and up to date to fulfill its intended purpose.<\/li>\n<li>Purpose: Data may only be processed for specific, explicit, and legitimate purposes, as outlined in the privacy notice.<\/li>\n<li>Fairness: Processing must prioritize the interests of the data subject and the reasonable expectation of privacy.<\/li>\n<li>Proportionality: Only the minimum necessary, adequate and relevant data should be collected for the intended purpose.<\/li>\n<li>Accountability: Data controllers must implement necessary measures to protect personal data and demonstrate compliance with the law.<\/li>\n<\/ul>\n<p><strong>2. 
Legal Basis for Processing<\/strong><\/p>\n<p>Mexico does not explicitly use the term &#8220;legal basis&#8221; as the GDPR does, but consent is generally required in order to process personal data, unless an exception applies, such as:<\/p>\n<ul style=\"padding-left: 0\">\n<li>The data is in public records.<\/li>\n<li>The data is dissociated.<\/li>\n<li>There is an emergency that could harm an individual or their property.<\/li>\n<li>The processing is indispensable for medical care, prevention, diagnosis, healthcare services, or health management, provided that the data subject is unable to give consent. This must be done in accordance with the General Health Law and other applicable legal provisions, and the processing must be carried out by a person bound by professional secrecy or an equivalent obligation.<\/li>\n<li>The processing is necessary for a legal relationship between the data subject and the data controller.<\/li>\n<li>The processing is required by law.<\/li>\n<li>There is a court order or resolution.<\/li>\n<\/ul>\n<p><strong>3. Transparency Requirements<\/strong><\/p>\n<p>Transparency is ensured mainly through the privacy notice, which must be provided before or at the time of collecting personal data. Its required contents are listed in the answer on notice requirements below.<\/p>\n<p><strong>4. Retention Period<\/strong><\/p>\n<p>The law requires that personal data be retained only for as long as necessary to fulfill the purpose for which it was collected. Once that purpose is achieved, data must be deleted or anonymized, unless a legal obligation requires longer retention.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any circumstances for which consent is required or typically obtained in connection with the processing of personal data? What are the rules relating to the form, content and administration of such consent? 
For instance, can consent be implied, incorporated into a broader document (such as a terms of service) or bundled with other matters (such as consents for multiple processing operations)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In Mexico, consent is generally required for the processing of personal data, subject to the exceptions mentioned above.<\/p>\n<p><strong>1. Type of Consent<\/strong><\/p>\n<ul style=\"padding-left: 0\">\n<li>Personal data: Tacit consent is allowed (i.e., if the data subject does not object after being informed through a privacy notice).<\/li>\n<li>Financial or patrimonial data: Express consent is required, often in writing or through another verifiable method.<\/li>\n<li>Sensitive personal data: Explicit (express) and written consent is required, meaning the data subject must provide a clear affirmative action, such as signing a document.<\/li>\n<\/ul>\n<p><strong>2. Form, Content, and Administration of Consent<\/strong><\/p>\n<ul style=\"padding-left: 0\">\n<li>Can consent be implied?<\/li>\n<\/ul>\n<p>Yes, tacit consent is valid for personal data when the privacy notice is provided and the data subject does not object. However, for sensitive, financial, or patrimonial data, express consent is required (e.g., written or electronic confirmation).<\/p>\n<ul style=\"padding-left: 0\">\n<li>Can consent be incorporated into broader documents (e.g., Terms of Service)?<\/li>\n<\/ul>\n<p>No. Where express consent is required, it must be given separately and explicitly (e.g., not simply by accepting Terms of Service). The privacy notice must clearly inform the data subject about the data processing.<\/p>\n<ul style=\"padding-left: 0\">\n<li>Can consent be bundled for multiple processing operations?<\/li>\n<\/ul>\n<p>No. Because consent must be specific, it may not be bundled. 
An opt-out mechanism must be provided for secondary purposes at the time of requesting consent.<\/p>\n<p><strong>3. Consent withdrawal<\/strong><\/p>\n<ul style=\"padding-left: 0\">\n<li>Data subjects have the right to revoke consent at any time, subject to legal or contractual limitations. The process for withdrawal must be simple and described in the privacy notice.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What special requirements, if any, are required for processing particular categories of personal data (e.g., health data, children\u2019s data, special category or sensitive personal data, etc.)? Are there any prohibitions on specific categories of personal data that may be collected, disclosed, or otherwise processed?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><strong>1. Special Requirements for Processing Sensitive Data<\/strong><\/p>\n<ul style=\"padding-left: 0\">\n<li>Explicit consent is mandatory. The data subject must provide express and written consent (e.g., signature).<\/li>\n<li>Heightened security measures must be implemented to protect this data.<\/li>\n<li>Processing must be strictly necessary and justified for the purpose disclosed in the privacy notice.<\/li>\n<li>Data minimization applies, meaning only essential sensitive data should be collected.<\/li>\n<\/ul>\n<p><strong>2. 
Prohibitions on Sensitive Data<\/strong><\/p>\n<ul style=\"padding-left: 0\">\n<li>Processing is prohibited unless there is a clear legal basis or necessity.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction include any derogations, exemptions, exclusions or limitations other than those already described? If so, please describe the relevant provisions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>No.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Does your jurisdiction require or recommend risk or impact assessments in connection with personal data processing activities and, if so, under what circumstances? How are these assessments typically carried out?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The MDPL does not mandate risk or impact assessments. However, the Regulations to the MDPL emphasize the need for data controllers to conduct risk assessments in order to implement appropriate security measures to protect personal data. 
Controllers may decide which methodologies to apply to carry out their assessments.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any specific codes of practice applicable in your jurisdiction regarding the processing of personal data (e.g., codes of practice for processing children\u2019s data or health data)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The MDPL does not introduce specific codes of practice for processing particular categories of personal data, such as children&#8217;s or health data. Nonetheless, controllers are advised to implement stricter protocols when handling sensitive personal data to ensure its security and confidentiality.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are organisations required to maintain any records of their data processing activities or establish internal processes or written documentation? If so, please describe how businesses typically meet such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, the law mandates keeping a record of processing activities. 
However, there are no specific requirements on what it must include, so controllers may decide how to keep such a record.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require or recommend data retention and\/or data disposal policies and procedures? If so, please describe such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The Regulations to the MDPL mandate that controllers establish and document procedures for the preservation, blocking, and deletion of personal data, including specifying retention periods.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Under what circumstances is it required or recommended to consult with the applicable data protection regulator(s)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The MDPL does not mandate prior consultation or approval from the data protection regulator for standard data processing operations. However, while not legally required, consulting with the data protection authority may be advisable in certain situations, such as when planning to process sensitive personal data, implementing new technologies that could impact privacy, or when facing complex data protection challenges. 
Engaging with the regulator in these contexts can help ensure compliance with data protection principles and mitigate potential risks associated with data processing activities.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require the appointment of a data protection officer, chief information security officer, or other person responsible for data protection? If so, what are their legal responsibilities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The law requires appointing a personal data officer or department responsible for handling data subjects&#8217; requests. While it does not prescribe specific qualifications for this role, it is recommended that the appointed individual or team possesses expertise in data privacy and has sufficient authority and resources to implement adequate compliance measures within the organization.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require or recommend employee training related to data protection? If so, please describe such training requirement(s) or recommendation(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The regulations provide recommendations of security measures to comply with the accountability principle. 
Among them is the implementation of a training and awareness program for employees on their personal data protection obligations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require controllers to provide notice to data subjects of their processing activities? If so, please describe such notice requirement(s) (e.g., posting an online privacy notice).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The MDPL provides that data subjects must be informed about the processing activities through a privacy notice. The privacy notice must include:<\/p>\n<ul style=\"padding-left: 0\">\n<li>The identity and address of the data controller.<\/li>\n<li>The data that will be collected, identifying which of it is sensitive.<\/li>\n<li>The purposes of processing, distinguishing primary from secondary purposes.<\/li>\n<li>Whether each purpose requires consent.<\/li>\n<li>The mechanisms to exercise ARCO rights.<\/li>\n<li>Whether the controller uses artificial intelligence or other automated means for the data processing.<\/li>\n<li>The process for consent withdrawal.<\/li>\n<li>If applicable, information about cookies, web beacons or other tracking technologies and how they may be disabled.<\/li>\n<li>Where the privacy notice can be consulted and how changes to it will be communicated.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction draw any distinction between the responsibility of controllers and the processors of personal data? 
If so, what are the implications?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The MDPL differentiates between data controllers and data processors. Data controllers are entities that decide on the processing of personal data, while data processors handle personal data on behalf of controllers. The law requires that the relationship between controllers and processors be formalized through contractual clauses or other legal instruments, outlining the scope and content of the data processing activities.<\/p>\n<p>Controllers are primarily responsible for ensuring compliance with data protection principles. They must:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Obtain the consent of data subjects before collecting their personal data (express consent in the case of sensitive personal data).<\/li>\n<li>Inform individuals about the specific purposes for which their data is being collected and processed.<\/li>\n<li>Ensure that personal data is collected and processed only for the purposes communicated to the data subject at the time of data collection.<\/li>\n<li>Implement appropriate security measures to protect personal data against damage, loss, alteration, unauthorized access or processing.<\/li>\n<li>Respect and facilitate the exercise of the data subject\u2019s rights, including the rights to access, rectify, cancel, and oppose the processing of their personal data.<\/li>\n<\/ul>\n<p>On the other hand, data processors must:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Process personal data only according to the instructions of the data controller.<\/li>\n<li>Implement adequate security measures.<\/li>\n<li>Maintain confidentiality regarding the personal data subject to processing.<\/li>\n<li>Eliminate personal data that was processed after the legal relationship with the data controller is concluded or upon instructions of the controller, provided there 
is no legal requirement for the retention of the data.<\/li>\n<li>Not transfer personal data unless the data controller determines so, the communication arises from subcontracting, or if required by a competent authority.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any restrictions on monitoring, automated decision-making or profiling in your jurisdiction, including through the use of tracking technologies such as cookies. How are these or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Automated decision-making and profiling are not explicitly defined in the MDPL, but they fall under the general principles of personal data protection, including purpose limitation, proportionality, and informed consent.<\/p>\n<p>While the law does not prohibit automated decisions, data controllers must ensure that data subjects are informed about such processes. 
Additionally:<\/p>\n<ul style=\"padding-left: 0\">\n<li>If a decision significantly affects an individual\u2019s legal situation or rights, the data subject has the right to object to the processing of their data.<\/li>\n<li>Profiling activities must be aligned with the principle of fairness and cannot lead to discriminatory outcomes.<\/li>\n<\/ul>\n<p>Regarding tracking technologies such as cookies or web beacons, although they are not specifically defined in the MDPL, the Regulations provide that the controller must inform the data subject about the use of such technologies, and how they may be disabled, at the moment the data subject first comes into contact with them.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any restrictions on targeted advertising and\/or behavioral advertising. How are these terms or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Although the MDPL does not explicitly define &#8220;targeted advertising&#8221; or &#8220;behavioral advertising,&#8221; they are generally understood as:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Targeted advertising: The use of collected personal data to display personalized advertisements based on user characteristics (e.g., demographics, interests, or previous interactions).<\/li>\n<li>Behavioral advertising: A subset of targeted advertising that involves tracking user activities across websites or platforms over time to create profiles and predict preferences.<\/li>\n<\/ul>\n<p><strong>Transparency and Privacy Notice Requirements<\/strong><\/p>\n<ul style=\"padding-left: 0\">\n<li>Advertisers and data controllers must inform users, in their privacy notice, if they process personal data for targeted or behavioral advertising 
purposes.<\/li>\n<li>The privacy notice should specify what data is collected, how it is used, with whom it is shared, and how users can exercise their rights.<\/li>\n<li>Express consent is required if sensitive personal data is involved.<\/li>\n<li>Opt-out mechanisms must be provided at the moment of data collection, allowing users to reject the use of their data for advertising purposes.<\/li>\n<\/ul>\n<p>At any moment, data subjects must be able to withdraw consent or request the deletion of their data if they do not want it to be used for advertising purposes.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any data protection laws in your jurisdiction restricting the sale of personal data. How is the term \u201csale\u201d or such related terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>While the sale per se is not prohibited, any transfer of personal data to a third party\u2014whether for monetary gain or not\u2014is considered a \u201ctransfer\u201d under the law and it is restricted and conditioned upon lawful basis and transparency. Unlawful transfers may result in sanctions, especially if they involve sensitive personal data.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any data protection laws in your jurisdiction restricting telephone calls, text messaging, email communication, or direct marketing. 
How are these terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Although the law does not explicitly define those terms, it does regulate their use through general rules on data processing for marketing, advertising, or commercial prospecting purposes. These are typically considered secondary purposes, unless directly necessary for the provision of goods or services. Data subjects must be informed in the privacy notice about the intention to use their data for marketing. They have the right to opt out at any time, and the controller must provide accessible mechanisms to do so.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any data protection laws in your jurisdiction addressing biometrics, such as facial recognition. How are such terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Biometric data is not explicitly defined in the MDPL. However, the former data protection authority described it as physical, physiological, behavioral, or personality traits that can be attributed to a single individual and are measurable. 
Additionally, while the MDPL does not specifically categorize biometric data as sensitive, the former authority&#8217;s criteria implied this classification.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any data protection laws in your jurisdiction addressing artificial intelligence or machine learning (\u201cAI\u201d).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>While AI is not defined in the MDPL, it does introduce specific rules for automated decision-making, including systems based on AI or machine learning. The law grants subjects the right to:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Be informed when their data will be subject to automated processing that produces legal or similarly significant effects.<\/li>\n<li>Object to the use of their data in purely automated decisions (without human intervention) when they are negatively affected or impacted in their interests, rights or freedom.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Is the transfer of personal data outside your jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (e.g., does a cross-border transfer of personal data require a specified mechanism or notification to or authorization from a regulator?)<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are no general restrictions on international data transfers outside Mexican territory. 
The general rule regarding data transfers\u2014both national and international\u2014is that they may be carried out if the data subject has consented to the transfer, or if an exception to consent applies.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What personal data security obligations are imposed by the data protection laws in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Controllers are required to establish and maintain appropriate physical, administrative, and technical security measures to protect personal data. Although the law does not mandate specific measures, they must not be inferior to those used by the controller for handling its own confidential information. The MDPL also requires that the level of security implemented be proportionate to the risk associated with the processing, the sensitivity of the personal data, the potential consequences for data subjects, and the state of technological development.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction impose obligations in the context of security breaches which impact personal data? 
If so, how do such laws define a security breach (or similar term) and under what circumstances must such a breach be reported to regulators, impacted individuals, law enforcement, or other persons or entities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Data breaches are defined as:<\/p>\n<ol style=\"padding-left: 0\">\n<li>Loss or unauthorized access to personal data;<\/li>\n<li>Theft, misplacement or unauthorized copying of personal data;<\/li>\n<li>Unauthorized use, access or processing of personal data, and<\/li>\n<li>Unauthorized damage, alteration or modification of personal data.<\/li>\n<\/ol>\n<p>There is no obligation to report data breaches to the data protection authority. However, controllers must report data breaches to data subjects when they may affect their proprietary or moral rights. In such cases, the breach must be reported &#8220;without delay&#8221; upon its confirmation.<\/p>\n<p>The report must include the following minimum information:<\/p>\n<ol style=\"padding-left: 0\">\n<li>The nature of the breach.<\/li>\n<li>The personal data compromised.<\/li>\n<li>Recommendations to the data subject regarding measures that the latter can adopt to protect their interests.<\/li>\n<li>Corrective actions implemented by the controller, and<\/li>\n<li>The means by which the data subject may obtain more information regarding the breach.<\/li>\n<\/ol>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction establish specific rights for individuals, such as the right to access and the right to deletion? 
If so, please provide a general description of such rights, how they are exercised, and any exceptions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The MDPL establishes four specific rights: access, rectification, cancellation and objection (previously referred to as the &#8220;ARCO rights&#8221;).<\/p>\n<p>The ARCO rights comprise:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Access: the right to access the personal data held by a controller.<\/li>\n<li>Rectification: the right to request that the personal data be rectified if it is out of date or inaccurate.<\/li>\n<li>Cancellation (erasure): the right to request the deletion of personal data (it can only be carried out if the purposes of the processing have been fulfilled).<\/li>\n<li>Opposition: the right to object, on legitimate grounds, to the processing of their personal data. It includes the possibility of objecting to processing by artificial intelligence systems or automated means intended to review, evaluate or predict personal aspects such as professional performance, health, economic situation, reliability or behavior, when such processing causes undesired legal effects or affects the interests, rights or freedoms of the data subject.<\/li>\n<\/ul>\n<p>The MDPL also provides that data subjects have the right to limit the use and disclosure of their personal data and to withdraw their consent (when legally applicable).<\/p>\n<p>The rights shall be exercised by means of an express request to the controller by the data subject or their legal representative through the means indicated for such purposes in the privacy notice. 
In the relevant request, the data subject must include the following:<\/p>\n<ol style=\"padding-left: 0\">\n<li>Their name and address or other means to communicate the response to the request.<\/li>\n<li>Proof of an official ID and, if applicable, the ID of their legal representative.<\/li>\n<li>A clear description of the data related to the request, except in the right to access.<\/li>\n<li>A description of the right being exercised or of their request.<\/li>\n<li>Any other element or document that facilitates locating the personal data.<\/li>\n<\/ol>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction provide for a private right of action and, if so, under what circumstances?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Data subjects may file a \u201cdata protection request\u201d before the SACBG when they believe that a controller has violated their rights. This mechanism allows subjects to take action when:<\/p>\n<ul style=\"padding-left: 0\">\n<li>The controller does not respond within the legal timeframe (20 days, extendable to 40).<\/li>\n<li>The controller refuses to comply or delivers incomplete or incorrect data.<\/li>\n<li>The data is delivered in an incomprehensible format or not as requested.<\/li>\n<\/ul>\n<p>Data subjects must file the complaint within 15 days after receiving an unsatisfactory response (or when the response deadline expires). 
The procedure includes evidence submission, an opportunity for the controller to respond, and a final resolution issued by the authority.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are individuals entitled to monetary damages or compensation if they are affected by breaches of data protection law? Does the law require actual and material damage to have been sustained, or is non-material injury to feelings, emotional distress or similar sufficient for such purposes?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Individuals are entitled to monetary damages or compensation if they are affected by breaches of the MDPL, both for actual and material damage and for non-material injuries. However, a direct relationship between the breach and the alleged damage or injury must be proven, and a definitive decision must exist (that is, a decision confirmed after all available appeals or after all the deadlines for filing appeals have expired).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are data protection laws in your jurisdiction typically enforced?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The MDPL is enforced by the SACBG.<\/p>\n<p>To enforce the MDPL, the SACBG can initiate two different proceedings:<\/p>\n<ul>\n<li>Data subject\u2019s rights protection proceeding,<\/li>\n<li>Sanctioning proceeding.<\/li>\n<\/ul>\n<p>The data subject\u2019s rights protection proceeding is aimed at reviewing the decisions that data controllers adopt when an individual requests access, 
rectification, erasure or opposition to the processing of their data (ARCO rights); this review may include revoking the controller\u2019s previous decision, thereby allowing the data subject to access, rectify or erase their data, or to prevent its processing for specific processing purposes.<\/p>\n<p>Sanctioning proceedings begin with prior investigation and verification proceedings, in which the SACBG can request documents and information from data controllers and\/or processors regarding alleged violations of the MDPL. These proceedings can be initiated ex officio or when a data subject files a complaint, and may result in fines against the controller who infringed the law (the MDPL does not provide fines against data processors).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violation of data protection laws in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Sanctions for violation of the MDPL provisions include:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Warnings ordering data controllers to comply with data subjects\u2019 requests regarding their ARCO rights.<\/li>\n<li>Fines for:\n<ul style=\"padding-left: 5\">\n<li><strong>Serious violations (each)<\/strong>: Minimum fine (during 2025): MXN $11,314.00 (approximately USD $565.00 or EUR \u20ac505.00 or GBP \u00a3433.00); maximum fine (during 2025): MXN $18,102,400.00 (approximately USD $918,000.00 or EUR \u20ac807,000.00 or GBP \u00a3692,000.00).<\/li>\n<li><strong>Very serious violations (each)<\/strong>: Minimum fine (during 2025): MXN $22,628.00 (approximately USD $1,130.00 or EUR \u20ac1,010.00 or GBP \u00a3866.00); maximum fine (during 2025): MXN $36,204,800.00 (approximately USD $1,836,000.00 or 
EUR \u20ac1,614,000.00 or GBP \u00a31,384,000.00).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Fines for violations involving sensitive data, or in cases of recidivism, are doubled.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any guidelines or rules published regarding the calculation of such fines or thresholds for the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The existing rules are those provided by article 60 of the MDPL:<\/p>\n<p>The SACBG shall base and justify its decisions, taking into account:<\/p>\n<ul style=\"padding-left: 0\">\n<li>The nature of the data involved in the infringement,<\/li>\n<li>If applicable, the manifest inadmissibility of the controller&#8217;s refusal to perform the acts requested by the data subject,<\/li>\n<li>Intentionality,<\/li>\n<li>The economic capacity of the controller, and, if applicable,<\/li>\n<li>Recidivism.<\/li>\n<\/ul>\n<p>Jurisprudence regarding excessive or unlawful fines is also applicable when determining whether a fine was duly imposed.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to appeal in your jurisdiction? 
If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Enforcement decisions can be challenged by means of an amparo lawsuit (or constitutional lawsuit) before a Federal District Court; the Court\u2019s ruling can be appealed before an Appeals Circuit Court.<\/p>\n<p>When filing an amparo lawsuit to challenge an enforcement decision, the complainant can request an injunction to prevent the collection of any imposed fine until a final decision is issued regarding the lawfulness of the fine or the sanctioning proceeding itself.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any identifiable trends or regulatory priorities in enforcement activity in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Because the new MDPL entered into force on March 21, 2025, there is no recent information to define the enforcement priorities of the new enforcement authority (SACBG).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the implementation of specific cybersecurity risk management measures and\/or require that organisations take specific actions relating to cybersecurity? 
If so, please provide details.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are no federal or state cybersecurity laws in Mexico.<\/p>\n<p>For all types of private data controllers, the MDPL provides a general \u201csecurity obligation\u201d (article 18):<\/p>\n<p style=\"padding-left: 20px\"><em>\u201cAll controllers must establish and maintain administrative, technical, and physical security measures to protect personal data against damage, loss, alteration, destruction, or unauthorized use, access, or processing.<\/em><\/p>\n<p style=\"padding-left: 20px\"><em>Controllers shall not adopt security measures that are less stringent than those they maintain for the handling of their own information. The existing risk, the possible consequences for data subjects, the sensitivity of the data, and technological developments shall also be considered.\u201d<\/em><\/p>\n<p>Article 18 of the MDPL (and, once published, its Regulations) provides the broad obligation of any controller to implement \u201cappropriate\u201d technical security measures, leaving each controller to assess and define the appropriate cybersecurity measures to protect the relevant processed data.<\/p>\n<p>The data protection law applicable to public data controllers includes a similar general provision (article 25), demanding the implementation of technical security measures when personal data is processed using automated systems:<\/p>\n<p style=\"padding-left: 20px\"><em>\u201cRegardless of the type of system in which the personal data is stored or the type of processing carried out, the controller must establish and maintain administrative, physical, and technical security measures to protect personal data against damage, loss, alteration, destruction, or unauthorized use, access, or processing, as well as to guarantee its confidentiality, integrity, and 
availability.\u201d<\/em><\/p>\n<p>Also, certain cybersecurity obligations are included in various regulations and general provisions, mainly applicable to financial institutions, insurance companies and telecommunications service providers.<\/p>\n<p>The general provisions that require financial institutions, insurance companies and telecommunications service providers to implement cybersecurity measures are not legislative acts, but administrative orders that their corresponding regulatory authority issues and updates frequently.<\/p>\n<p>Also note that in May 2018 several financial associations and the following authorities signed the \u201c<a href=\"https:\/\/www.banxico.org.mx\/sistema-financiero\/d\/%7BD0502AA8-7721-5C2C-5C8F-05858CBB4AE7%7D.pdf\">Basis for coordination on information security between financial system authorities, the Attorney General&#8217;s Office (formerly the Office of the Prosecutor General) and trade associations<\/a>\u201d:<\/p>\n<ul style=\"padding-left: 0\">\n<li>THE MINISTRY OF FINANCE AND PUBLIC CREDIT,<\/li>\n<li>THE BANK OF MEXICO,<\/li>\n<li>THE NATIONAL BANKING AND SECURITIES COMMISSION,<\/li>\n<li>THE NATIONAL COMMISSION FOR THE PROTECTION AND DEFENSE OF USERS OF FINANCIAL SERVICES,<\/li>\n<li>THE NATIONAL COMMISSION FOR THE SAVINGS SYSTEM FOR RETIREMENT,<\/li>\n<li>THE NATIONAL INSURANCE AND SURETY BOND COMMISSION, and<\/li>\n<li>THE ATTORNEY GENERAL&#8217;S OFFICE.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose specific requirements regarding supply chain management? 
If so, please provide details of these requirements.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>No federal or state cybersecurity laws in Mexico impose specific requirements regarding supply chain management.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose information sharing requirements on organisations?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>No federal or state cybersecurity laws in Mexico impose information sharing requirements.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the appointment of a chief information security officer, regulatory point of contact, or other person responsible for cybersecurity? 
If so, what are their legal responsibilities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>No federal or state cybersecurity laws in Mexico require the appointment of a CISO (or regulatory point of contact or a person responsible for cybersecurity).<\/p>\n<p>General provisions applicable to <a href=\"https:\/\/www.cnbv.gob.mx\/Normatividad\/Disposiciones%20de%20car%C3%A1cter%20general%20aplicables%20a%20las%20instituciones%20de%20cr%C3%A9dito.pdf\">credit institutions<\/a> and <a href=\"https:\/\/www.cnbv.gob.mx\/Normatividad\/Disposiciones%20de%20car%C3%A1cter%20general%20aplicables%20a%20las%20instituciones%20de%20tecnolog%C3%ADa%20financiera.pdf\">fintech institutions and crowdfunding service providers<\/a> (the \u201cGeneral Provisions\u201d) do provide that these types of organizations must appoint a chief information security officer (\u201cCISO\u201d). The CISO must:<\/p>\n<ul style=\"padding-left: 0\">\n<li>Participate in defining and verifying the implementation and ongoing compliance of the entity&#8217;s security policies and procedures.<\/li>\n<li>Develop the Master Security Plan.<\/li>\n<li>Annually verify the configuration of access profiles to the entity&#8217;s technological infrastructure.<\/li>\n<li>Annually, or after an information security incident, verify the correct assignment of access profiles to the entity&#8217;s technological infrastructure.<\/li>\n<li>Approve and ensure compliance with measures taken to address any deficiencies in access profile settings or assignments.<\/li>\n<li>Manage information security alerts issued by the National Banking and Securities Commission (\u201cCNBV\u201d) and other parties, as well as information security incidents.<\/li>\n<li>Coordinate and lead the team responsible for detecting and responding to information security incidents.<\/li>\n<li>Report any information on security incidents and the 
corrective measures taken to prevent future occurrences.<\/li>\n<li>Propose and coordinate training courses on information security for all employees and evaluate the effectiveness of such training.<\/li>\n<li>Submit a monthly report on information security management to the CEO.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there specific cybersecurity laws \/ regulations for different industries (e.g., finance, healthcare, government)? If so, please provide an overview.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Please see the previous comments, where we have provided information on cybersecurity regulation for different industries.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What impact do international cybersecurity standards have on local laws and regulations?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>International cybersecurity standards have a relative impact on local laws and regulations.<\/p>\n<p>They were used as a direct source for the General Provisions, and they are recognized as a source of certain Guidelines of the former INAI (e.g. 
<a href=\"https:\/\/home.inai.org.mx\/wp-content\/documentos\/DocumentosSectorPrivado\/Gu%C3%ADa_Implementaci%C3%B3n_SGSDP(Junio2015).pdf\">Guidelines for implementing a Personal Data Security Management System<\/a> and<a href=\"https:\/\/home.inai.org.mx\/wp-content\/documentos\/DocumentosSectorPrivado\/Guia_Borrado_Seguro_DP.pdf\"> Guidelines for Secure Deletion of Personal Data<\/a>.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose obligations in the context of  cybersecurity incidents? If so, how do such laws define a cybersecurity incident and under what circumstances must a cybersecurity incident be reported to regulators, impacted individuals, law enforcement, or other persons or entities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Personal Data Security Breaches (\u201cData Breach(es\u201d) are defined (article 63 of the Regulations to the MDPL) as any of the following incidents, when they involve personal data:<\/p>\n<ol style=\"padding-left: 0\">\n<li>Unauthorized loss or destruction,<\/li>\n<li>Theft, misplacement, or unauthorized copying,<\/li>\n<li>Unauthorized use, access, or processing, or<\/li>\n<li>Unauthorized damage, alteration, or modification.<\/li>\n<\/ol>\n<p>The Regulations to the MDPL (article 64) provided that Data Breaches that significantly affect the data subjects\u2019 legal or moral rights must notified to them as soon as the data controller confirms that the breach has occurred and the controller has taken steps to initiate a thorough review of the extent of the breach, so that the affected data subjects may take appropriate measures.<\/p>\n<p>\u201cPrivate parties\u201d (e.g. 
a company or a private hospital) have no obligation to notify a Data Breach to the data protection authority (currently, the SACBG).<\/p>\n<p>Credit institutions and crowdfunding service providers have obligations to notify cybersecurity incidents.<\/p>\n<p>Credit institutions must report severe security incidents to the CNBV immediately via email. A severe incident is defined as one that causes economic or information losses, disrupts financial services, may replicate in other credit institutions, affects clients or the financial system, or is assessed as severe by the institution itself. The initial notification must include the date and time of the incident, whether it is ongoing or resolved, a description, and an initial severity assessment. Within five business days, credit institutions must submit a detailed report using the ISIT (Information Security Incident Template), including additional information such as the detection date, affected locations, potential monetary losses, and compromised personal or sensitive data. Sensitive information is defined broadly and includes full names, contact information, biometric data, account numbers, passwords, and identifiers. They are also required to submit, within 15 days of the incident\u2019s resolution, an action plan detailing measures taken to eliminate the risks that caused the incident.<\/p>\n<p>If an incident results in unauthorized access, extraction, loss, deletion, or alteration of individuals\u2019 sensitive information, the credit institution must notify affected individuals within 48 hours of discovery. The notification must explain the associated risks, the mitigation measures taken, and, if needed, include the issuance of new authentication factors.<\/p>\n<p>Similarly, crowdfunding service providers must report relevant security incidents to the CNBV immediately. 
An incident is considered relevant if it affects the provider, clients, or other financial system actors, and involves sensitive data, identification images, or biometric information. The initial report must include similar minimum elements as required for credit institutions. A more comprehensive report using the ISIT must be submitted within five business days and includes technical and data-related details, including the affected system configurations, software versions, and compromised user data. Crowdfunding providers are also required to deliver a risk mitigation action plan within 15 days of resolving the incident. Notification to impacted individuals is required within 48 hours when sensitive data is compromised, with the obligation to explain risks and implement protective measures, such as issuing new authentication credentials.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are cybersecurity laws in your jurisdiction typically enforced?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Given that there are no cybersecurity laws in Mexico, there is no enforcement per se that punishes the violation of cybersecurity obligations.<\/p>\n<p>However, there is a general obligation for public and private controllers to ensure the security of personal data, and failure to comply with this obligation may be sanctioned by the SACBG if they have failed to adopt security measures to protect such information and such failure has resulted in a security breach.<\/p>\n<p>On the other hand, regulatory authorities in specific sectors such as finance or insurance may impose penalties for failure to adopt security measures provided for in general provisions, if the failure affects sensitive information of the customers of such 
institutions (within the framework of such general provisions, sensitive information is considered to be personal information of customers containing names, addresses, telephone numbers, email addresses, or any other data that identifies the customer, in conjunction with account numbers, card numbers, and other financial data, as well as customer identifiers or authentication information).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What powers of oversight \/ inspection \/ audit do regulators have in your jurisdiction under cybersecurity laws?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The SACBG may initiate investigations on its own initiative if it becomes aware of security breaches in databases, in order to verify whether the controllers have taken appropriate security measures to protect the personal data under their responsibility.<\/p>\n<p>The supervisory authorities of financial institutions may at any time request the regulated entities to provide them with the results of the internal security audits they are required to carry out and retain.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violations of cybersecurity laws in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Failure to implement security measures to protect personal data is deemed a very serious violation (each): Minimum fine (during 2025): MXN $22,628.00 (approximately USD $1,130.00 or EUR \u20ac1,010.00 or GBP 
\u00a3866.00); maximum fine (during 2025): MXN $36,204,800.00 (approximately USD $1,836,000.00 or EUR \u20ac1,614,000.00 or GBP \u00a31,384,000.00).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any guidelines or rules published regarding the calculation of such fines or thresholds for the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The existing rules are those provided by article 60 of the MDPL:<\/p>\n<p>SACBG shall base and justify its decisions, taking into account:<\/p>\n<ul style=\"padding-left: 0\">\n<li>The nature of the data involved in the infringement,<\/li>\n<li>If applicable, the manifest inadmissibility of the controller&#8217;s refusal to perform the acts requested by the data subject,<\/li>\n<li>Intentionality,<\/li>\n<li>The economic capacity of the controller, and, if applicable,<\/li>\n<li>Recidivism.<\/li>\n<\/ul>\n<p>Jurisprudence regarding excessive or unlawful fines is also applicable when determining whether a fine was duly imposed.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to appeal in your jurisdiction? 
If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Enforcement decisions can be challenged by means of an amparo lawsuit (or constitutional lawsuit) before a Federal District Court; the Court\u2019s ruling can be appealed before an Appeals Circuit Court.<\/p>\n<p>When filing an amparo lawsuit to challenge an enforcement decision, the complainant can request an injunction to prevent the collection of any imposed fine until a final decision is issued regarding the lawfulness of the fine or the sanctioning proceeding itself.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any identifiable trends or regulatory priorities in enforcement activity in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Regarding cybersecurity, Mexico relies on a 2017 <a href=\"https:\/\/www.gob.mx\/cms\/uploads\/attachment\/file\/271884\/Estrategia_Nacional_Ciberseguridad.pdf\">National Cybersecurity Strategy<\/a>.<\/p>\n<p>Over the past five years, various cybersecurity bills have been introduced before Mexico&#8217;s federal legislature, but to date none of them have been passed, and the country still lacks specific legislation on the matter and a renewed national strategy.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\r\n\t\t\t<\/ol>\r\n\r\n<script type=\"text\/javascript\" src=\"\/wp-content\/themes\/twentyseventeen\/src\/jquery\/components\/filter-guides.js\" 
async><\/script><\/div>"}},"_links":{"self":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide\/105506","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide"}],"about":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/types\/comparative_guide"}],"wp:attachment":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/media?parent=105506"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}