{"id":140440,"date":"2026-04-22T09:25:45","date_gmt":"2026-04-22T09:25:45","guid":{"rendered":"https:\/\/my.legal500.com\/guides\/?post_type=comparative_guide&#038;p=140440"},"modified":"2026-04-22T10:09:17","modified_gmt":"2026-04-22T10:09:17","slug":"mexico-data-protection-cybersecurity","status":"publish","type":"comparative_guide","link":"https:\/\/my.legal500.com\/guides\/chapter\/mexico-data-protection-cybersecurity\/","title":{"rendered":"Mexico: Data Protection &amp; Cybersecurity"},"content":{"rendered":"","protected":false},"template":"","class_list":["post-140440","comparative_guide","type-comparative_guide","status-publish","hentry","guides-data-protection-cybersecurity","jurisdictions-mexico"],"acf":[],"appp":{"post_list":{"below_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">Bello, Gallardo, Bonequi y Garc\u00eda, S.C.<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2025\/04\/LOGO-bgbg.jpg\"\/><\/span><\/div>"},"post_detail":{"above_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">Bello, Gallardo, Bonequi y Garc\u00eda, S.C.<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2025\/04\/LOGO-bgbg.jpg\"\/><\/span><\/div>","below_title":"<span class=\"guide-intro\">This country specific Q&amp;A provides an overview of Data Protection &amp; Cybersecurity laws and regulations applicable in Mexico<\/span><div class=\"guide-content\"><div class=\"filter\">\r\n\r\n\t\t\t\t<input type=\"text\" placeholder=\"Search questions and answers...\" class=\"filter-container__search-field\">\r\n\t\t\t<\/div>\r\n\r\n\t\t\t\r\n\r\n\r\n\t\t\t<ol class=\"custom-counter\">\r\n\r\n\t\t\t\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please provide an overview of the legal and regulatory framework 
governing data protection, privacy and cybersecurity in your jurisdiction (e.g., a summary of the key laws; who is covered; what sectors, activities or data do they regulate; and who enforces the relevant laws).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In Mexico, data protection is regulated by two separate laws, depending on whether the data is processed by a private or public controller.<\/p>\n<p>\u201cPrivate\u201d controllers are regulated by the Federal Law on the Protection of Personal Data Held by Private Parties, which was published on 20 March 2025 (hereinafter referred to as the Mexican Data Protection Law or MDPL). This new law replaced the 2010 Federal Law on the Protection of Personal Data Held by Private Parties and introduced a few changes to it.<\/p>\n<p>The MDPL is the main legal instrument that regulates the processing of personal data by natural and legal persons in all private sectors, when they act as controllers or processors. It establishes:<\/p>\n<ul>\n<li>core data processing principles (e.g., consent, lawfulness, purpose limitation, minimization, accountability, etc.),<\/li>\n<li>ARCO rights (Access, Rectification, Cancellation, and Opposition)<\/li>\n<li>security and confidentiality obligations,<\/li>\n<li>requirements for privacy notices,<\/li>\n<li>sanctions for non-compliance.<\/li>\n<\/ul>\n<p>The new General Law on the Protection of Personal Data Held by Obligated Entities, published on 20 March 2025, regulates the processing of personal data by federal, state and municipal authorities, as well as autonomous bodies, political parties, trusts and public funds. 
This law establishes general provisions that must be implemented by the 32 Mexican states.<\/p>\n<p>Unless otherwise indicated, the content of this Guide focuses on the provisions of the MDPL.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any expected changes in the data protection, privacy or cybersecurity landscape in 2025 - 2026 (e.g., new laws or regulations coming into effect, enforcement of such laws and regulations, expected regulations or amendments)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As part of the administrative simplification initiatives carried out by the Mexican government that started in October 2024, the autonomous authority known as the National Institute for Transparency, Access to Information and Protection of Personal Data (INAI) was dissolved and its former data protection enforcement powers were transferred to the Ministry of Anticorruption and Good Governance (SABG, for its abbreviation in Spanish). The SABG is the new Mexican data protection authority.<\/p>\n<p>The new MDPL was published on 20 March 2025, and it is already in effect. The most substantial changes are as follows:<\/p>\n<p>1. Simplified privacy notices: the new MDPL provides that it is mandatory to provide this type of privacy notice whenever data is obtained by electronic, visual, optical or similar means, and to include the website where the comprehensive notice can be found.<\/p>\n<p>2. Public access sources: Its scope is restricted by clarifying that information of unlawful origin will not be considered as such and that these sources will be defined by a legal provision.<\/p>\n<p>3. 
Consent: The circumstances in which the consent of the subject will NOT be required are expanded to include:<\/p>\n<ul>\n<li>when a legal provision states it,<\/li>\n<li>to exercise a right,<\/li>\n<li>when there is a court order, resolution or justified and motivated mandate from a competent authority.<\/li>\n<\/ul>\n<p>4. Elimination of analogous purposes: It is no longer possible to process personal data for purposes that are &#8220;compatible or analogous&#8221; to those originally set out in the privacy notice.<\/p>\n<p>5. Modifications to the right to object: The right to object to the processing by artificial intelligence systems or automated means intended to review, evaluate or predict personal aspects such as professional performance, health, economic situation, reliability or behavior when such processing has undesirable legal consequences or affects the interests, rights or freedoms of the data subject is introduced.<\/p>\n<p>It is important to note that the new Regulations to the Personal Data Protection Act were supposed to have been published by June 20, 2025; however, this did not occur, and at this time there is no certainty regarding the scope of all the provisions established by the 2025 MDPL.<\/p>\n<p>On the other hand, on January 28, 2026, the SABG announced that work would begin that day to modernize Mexico\u2019s legal framework for personal data protection, including the incorporation of obligations that already exist in other countries, such as privacy by design, privacy by default, data protection impact assessments, and the role of the DPO.<\/p>\n<p>As of mid-April 2026, the new MDPL has not yet been published, although it is expected to be published this year. 
When the time comes, we will report on any relevant changes.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any identifiable trends or regulatory priorities in privacy, data protection and\/or cybersecurity-related enforcement activity in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>On 17 December 2025 the General Cybersecurity Policy for the Federal Public Administration 2025\u20132030 was published. As the name states, its scope is limited to the federal government; therefore, this guide will not provide further details about this document.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any registration or licensing requirements for entities covered by these data protection and cybersecurity laws, and if so what are the requirements? Are there any exemptions? What are the implications of failing to register \/ obtain a licence?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>No.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What does \u201cpersonal data,\u201d \u201cpersonal information\u201d or other equivalent terms (hereafter \u201cpersonal data\u201d) mean under data protection laws in your jurisdiction? Does the definition broadly include information about all individuals? 
For example, would this include individuals acting in a personal or household capacity, as well as those acting in a business or commercial capacity (such as on behalf of a business or corporate entity or employer) or otherwise?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>\u201cPersonal data\u201d is defined as any information concerning an identified or identifiable individual. An individual is identifiable when their identity can be determined directly or indirectly through any information.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are certain types of personal data considered more sensitive or highly regulated under data protection laws in your jurisdiction? Please include the relevant defined terms for such data (e.g., \u201cspecial categories of personal data,\u201d \u201csensitive data\u201d or \u201csensitive personal information\u201d)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>\u201cSensitive personal data\u201d is defined as the data that affects the most intimate sphere of the data subject, or whose improper processing may cause discrimination or harm to the subject. The definition also provides some examples, such as racial or ethnic origin, present or future health status, genetic information, religious, philosophical and moral beliefs, political opinions and sexual preferences.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What principles apply to the processing of personal data in your jurisdiction? 
For example: is it necessary to establish a \u201clegal basis\u201d for processing personal data?; are there specific transparency requirements?; must personal data only be kept for a certain period? Please provide details of such principles.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><ol>\n<li>The MDPL establishes the following principles for personal data processing:<\/li>\n<\/ol>\n<ul>\n<li>Lawfulness: Data must be collected and processed in compliance with the laws.<\/li>\n<li>Consent: Explicit or tacit consent from the data subject must be obtained in order to process their personal data.<\/li>\n<li>Information: Data subjects must be informed of how their data will be processed through a privacy notice.<\/li>\n<li>Accuracy: Data must be accurate, complete, and up to date to fulfill its intended purpose.<\/li>\n<li>Purpose: Data may only be processed for specific, explicit, and legitimate purposes, as outlined in the privacy notice.<\/li>\n<li>Fairness: Processing must prioritize the interests of the data subject and the reasonable expectation of privacy.<\/li>\n<li>Proportionality: Only the minimum necessary, adequate and relevant data should be collected for the intended purpose.<\/li>\n<li>Accountability: Data controllers must implement necessary measures to protect personal data and demonstrate compliance with the law.<\/li>\n<\/ul>\n<ol start=\"2\">\n<li><strong> Legal Basis for Processing<\/strong><\/li>\n<\/ol>\n<p>Mexico does not explicitly use the term &#8220;legal basis&#8221; like the GDPR, but consent is generally required to be able to process the data, unless an exception applies, such as:<\/p>\n<ul>\n<li>The data is in public records.<\/li>\n<li>The data is dissociated.<\/li>\n<li>In an emergency that could harm an individual or their property.<\/li>\n<li>When indispensable for medical care, prevention, diagnosis, healthcare services, 
or health management, provided that the data subject is unable to give consent. This must be done in accordance with the General Health Law and other applicable legal provisions, and the processing must be carried out by a person bound by professional secrecy or an equivalent obligation.<\/li>\n<li>It is necessary for a legal relationship between the data subject and the data controller.<\/li>\n<li>It is required by law.<\/li>\n<li>When there is a court order or resolution.<\/li>\n<\/ul>\n<ol start=\"3\">\n<li><strong> Transparency Requirements<\/strong><\/li>\n<\/ol>\n<p>Transparency is ensured mainly through the privacy notice, which must be provided before or at the time of collecting personal data. It must include:<\/p>\n<ol start=\"4\">\n<li><strong> Retention Period <\/strong><\/li>\n<\/ol>\n<p>The law requires that personal data be retained only for as long as necessary to fulfill the purpose for which it was collected. Once that purpose is achieved, data must be deleted or anonymized, unless a legal obligation requires longer retention.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any circumstances for which consent is required or typically obtained in connection with the processing of personal data? What are the rules relating to the form, content and administration of such consent? 
For instance, can consent be implied, incorporated into a broader document (such as a terms of service) or bundled with other matters (such as consents for multiple processing operations)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In Mexico, consent is generally required for the processing of personal data with the previously mentioned exceptions.<\/p>\n<ol>\n<li><strong>Type of Consent<\/strong><\/li>\n<\/ol>\n<ul>\n<li>Personal data: Tacit consent is allowed (i.e., if the data subject does not object after being informed through a privacy notice).<\/li>\n<li>Financial or patrimonial data: Express consent is required, often in writing or through another verifiable method.<\/li>\n<li>Sensitive personal data: Explicit (express) and written consent is required, meaning the data subject must provide a clear affirmative action, such as signing a document.<\/li>\n<\/ul>\n<ol start=\"2\">\n<li><strong> Form, Content, and Administration of Consent<\/strong><\/li>\n<\/ol>\n<ul>\n<li>Can consent be implied?<\/li>\n<\/ul>\n<p>Yes, tacit consent is valid for personal data when the privacy notice is provided, and the data subject does not object. However, for sensitive, financial, or patrimonial data, express consent is required (e.g., written or electronic confirmation).<\/p>\n<ul>\n<li>Can consent be incorporated into broader documents (e.g., Terms of Service)?<\/li>\n<\/ul>\n<p>No, consent must be separated and explicit when required (e.g., not simply accepting Terms of Service). The privacy notice must clearly inform the data subject about data processing.<\/p>\n<ul>\n<li>Can consent be bundled for multiple processing operations?<\/li>\n<\/ul>\n<p>No, as consent must be specific it may not be bundled. 
An opt-out mechanism must be provided for secondary purposes at the time of requesting consent.<\/p>\n<ol start=\"3\">\n<li><strong> Consent withdrawal<\/strong><\/li>\n<\/ol>\n<ul>\n<li>Data subjects have the right to revoke consent at any time, subject to legal or contractual limitations. The process for withdrawal must be simple and described in the privacy notice.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What special requirements, if any, are required for processing particular categories of personal data (e.g., health data, children\u2019s data, special category or sensitive personal data, etc.)? Are there any prohibitions on specific categories of personal data that may be collected, disclosed, or otherwise processed?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><ol>\n<li><strong>Special Requirements for Processing Sensitive Data<\/strong><\/li>\n<\/ol>\n<ul>\n<li>Explicit consent is mandatory. 
The data subject must provide express and written consent (e.g., signature).<\/li>\n<li>Heightened security measures must be implemented to protect this data.<\/li>\n<li>Processing must be strictly necessary and justified for the purpose disclosed in the privacy notice.<\/li>\n<li>Data minimization applies, meaning only essential sensitive data should be collected.<\/li>\n<\/ul>\n<ol start=\"2\">\n<li><strong>Prohibitions on Sensitive Data<\/strong><\/li>\n<\/ol>\n<ul>\n<li>Processing is prohibited unless there is a clear legal basis or necessity.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction have special or particular requirements, restriction, or rules regarding the collection, use, disclosure or processing of personal information from or about children or minors?  If so, what is the age threshold and key requirements\/restrictions that go beyond those applicable, generally?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>No.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction include any derogations, exemptions, exclusions or limitations other than those already described? 
If so, please describe the relevant provisions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>No.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Does your jurisdiction require or recommend privacy risk or impact assessments in connection with personal data processing activities and, if so, under what circumstances? How are these assessments typically carried out?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The MDPL does not require data controllers or data processors to carry out privacy risk or impact assessments.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any specific codes of practice, or self-regulatory codes applicable in your jurisdiction regarding the processing of personal data (e.g., codes of practice for processing children\u2019s data or health data)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Not anymore. When INAI was formally dissolved in 2025, all its guidelines and recommendations were discarded as direct sources of best practices.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are organisations required to maintain any records of their data processing activities or establish internal processes or written documentation? 
If so, please describe how businesses typically meet such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, data controllers must maintain a record of processing activities. However, there are no specific requirements on what it must include, and controllers can decide how they want to keep such record.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction specifically impose data retention limitations? If so, please describe such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The MDPL states that personal data must be deleted after being blocked, if applicable, and once the retention period has expired, when it is no longer necessary for the purposes set out in the corresponding privacy notice which justified its processing in accordance with applicable legal provisions.<\/p>\n<p>However, the MDPL does not set out any specific obligations relating to policies or procedures for the retention, blocking and deletion of personal data, nor does it specify any retention periods.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Under what circumstances is it required or recommended to consult with the applicable data protection regulator(s)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The MDPL does not require prior consultation or approval from the data protection regulator for standard data processing 
operations. While not legally required, it may be advisable to consult with the data protection authority in certain situations, such as when processing sensitive personal data, implementing new technologies that could impact privacy, or facing complex data protection challenges. Engaging with the regulator in these situations can help to ensure compliance with data protection principles and mitigate the risks associated with data processing activities.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require the appointment of a data protection officer, chief information security officer, or other person responsible for data protection? If so, what are their legal responsibilities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The MDPL requires data controllers to appoint an individual or department to handle data subjects&#8217; requests. Although the MDPL does not prescribe specific qualifications for this role, it is recommended that the appointed individual or team possesses expertise in data privacy, and that they have sufficient authority and resources to implement adequate compliance measures within the organization.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require or recommend employee training related to data protection? 
If so, please describe such training requirement(s) or recommendation(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>In order to comply with the accountability principle, data controllers must implement continuous employee training related to data protection. However, the current MDPL does not specify any training requirements or recommendations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require controllers to provide notice to data subjects of their processing activities? If so, please describe such notice requirement(s) (e.g., posting an online privacy notice).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The MDPL states that data subjects must be informed about processing activities via a privacy notice. 
The privacy notice must include, at a minimum:<\/p>\n<ul>\n<li>The identity and address of the data controller.<\/li>\n<li>The personal data to be collected, including any sensitive data.<\/li>\n<li>The purposes of processing personal data, distinguishing those that require the consent of the data subject.<\/li>\n<li>The options and means provided by the data controller to data subjects for restricting the use or disclosure of their data.<\/li>\n<li>The mechanisms, means and procedures for exercising ARCO rights in accordance with the provisions of this Law;<\/li>\n<li>Whether the controller uses artificial intelligence or other automated means for data processing.<\/li>\n<li>The procedure and means by which the data controller will notify data subjects of changes to the privacy notice in accordance with the provisions of this Law.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction distinguish between the responsibilities of \u201ccontrollers\u201d and those of \u201cprocessors\u201d (or equivalent terms) of personal data? If so, how are such terms defined and what are the key distinctions between the obligations of controllers and processors (or equivalent terms)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The MDPL distinguishes between data controllers and data processors. Data controllers decide how personal data is processed, while data processors handle personal data on their behalf. 
The law requires the relationship between controllers and processors to be formalised through contractual clauses or other legal instruments that outline the scope and content of the data processing activities.<\/p>\n<p>Controllers are primarily responsible for ensuring compliance with data protection principles. They must:<\/p>\n<ul>\n<li>obtain explicit consent from data subjects before collecting their personal data, especially in the case of sensitive personal data;<\/li>\n<li>inform individuals about the specific purposes for which their data is being collected and processed;<\/li>\n<li>ensure that personal data is collected and processed only for the purposes communicated to the data subject at the time of data collection;<\/li>\n<li>implement appropriate security measures to protect personal data against damage, loss, alteration, unauthorized access or processing;<\/li>\n<li>respect and facilitate the exercise of the data subject\u2019s rights, including the rights to access, rectify, cancel and object to the processing of their personal data.<\/li>\n<\/ul>\n<p>Data processors must:<\/p>\n<ul>\n<li>Process personal data only according to the instructions of the data controller.<\/li>\n<li>Implement adequate security measures.<\/li>\n<li>Maintain confidentiality regarding the personal data subject to processing.<\/li>\n<li>Delete personal data after the legal relationship with the data controller has ended, unless the controller instructs otherwise or unless there is a legal requirement to retain the data.<\/li>\n<li>Not transfer personal data unless determined by the data controller, arising from subcontracting or required by a competent authority.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any restrictions on monitoring, automated decision-making or profiling in your jurisdiction, including 
through the use of tracking technologies such as cookies. How are these or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Although automated decision-making and profiling are not explicitly defined in the MDPL, they are covered by the general principles of personal data protection, such as purpose limitation, proportionality and informed consent.<\/p>\n<p>While the law does not prohibit automated decisions, data controllers must ensure that data subjects are informed about these processes. Additionally:<\/p>\n<ul>\n<li>If a decision significantly affects an individual\u2019s legal situation or rights, the data subject should have the right to object to their data being processed.<\/li>\n<li>Profiling activities must align with the principle of fairness and cannot lead to discriminatory outcomes.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the laws in your jurisdiction include specific rules, requirement or regulator guidance regarding the use of cookies, pixels, online tracking and\/or targeted advertising? Please describe any restrictions on targeted advertising and\/or cross context behavioral advertising. How are these terms or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The MDPL does not explicitly regulate the use of cookies, pixels, online tracking and\/or targeted advertising. 
Hower, compliance of data processing principles and in particular information, purpose and consent obligations require that:<\/p>\n<ul>\n<li>Advertisers and data controllers must inform users in their privacy notices if they process personal data for targeted or behavioral advertising purposes.<\/li>\n<li>The privacy notice should specify what data is collected, how it is used and shared, and how users can exercise their rights.<\/li>\n<li>Express consent is required if sensitive personal data is involved.<\/li>\n<li>Opt-out mechanisms must be provided at the point of data collection to allow users to reject the use of their data for advertising purposes.<\/li>\n<li>Data subjects must also be able to withdraw consent or request the deletion of their data at any time if they do not want it to be used for advertising purposes.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction specifically restrict or regulate  the \u201csale\u201d of personal data and\/or \u201cdata brokers\u201d? How is \u201csale\u201d and\/or \u201cdata broker\u201d or (similar\/related terms) defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The MDPL does no specifically restrict nor regulate the \u201csale\u201d of personal data and\/or \u201cdata brokers\u201d. 
However, compliance with the data processing principles, and in particular the information, consent and purpose principles, would require the data subject\u2019s consent to \u201cauthorize\u201d the \u201cselling\u201d of their data, which is not deemed a commodity under Mexican law.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction specifically regulate or restrict marketing and electronic communications, including telemarketing\/telephone solicitations and \u2018robocalls\u2019, email marketing, SMS\/text messaging or other direct marketing? Please provide an overview.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Although these terms are not explicitly defined by the MDPL, their use is regulated by the general rules on data processing for marketing, advertising or commercial prospecting purposes. These purposes are usually considered secondary, unless they are directly necessary for the provision of goods or services.<\/p>\n<p>Data subjects must be informed in the privacy notice of the intention to use their data for marketing purposes. Data subjects have the right to opt out at any time, and controllers must provide accessible mechanisms for them to do so.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction regulate, restrict or impose specific obligations on the processing of biometric data, such as facial recognition? If so, how are the relevant terms defined? 
Are these obligations focused on the collection, use and processing of unique biometric \u2018identifiers\u2019 (rather than any sort of biometric measurements)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Biometric data is not explicitly defined in the MDPL. However, the former data protection authority (INAI) described it as physical, physiological, behavioral, or personality traits that can be attributed to a single individual and are measurable.<\/p>\n<p>Although the MDPL does not explicitly categorize biometric data as \u201csensitive\u201d, the former authority&#8217;s criteria imply this classification.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any data protection laws in your jurisdiction that specifically address or apply to artificial intelligence or machine learning (\u201cAI\u201d)? If so, do these laws specifically apply to the processing of personal information related to AI, or more broadly?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Although AI is not defined in the MDPL, the law does introduce specific rules for automated decision-making systems, including those based on AI or machine learning. 
The law grants individuals the right to:<\/p>\n<ul>\n<li>be informed when their data will be subject to automated processing that produces legal or similarly significant effects;<\/li>\n<li>object to the use of their data in purely automated decisions (without human intervention) that negatively affect their interests, rights or freedoms.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any data localization requirements in your jurisdiction?  In other words, are there any circumstances where some or all personal data is required to be stored locally, or prohibited from being transferred to or stored in certain jurisdictions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Currently, data localization requirements only exist regarding data subjects\u2019 financial information held by financial institutions. If a financial institution seeks to store this financial information outside of Mexican territory it must obtain a prior authorization from the corresponding authority overseeing its operations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Is the transfer of personal data outside your jurisdiction restricted, under certain circumstances? 
If so, please describe these restrictions and how businesses typically comply with them (e.g., does a cross-border transfer of personal data require a specified mechanism or notification to or authorization from a regulator?)<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are no general restrictions on international data transfers outside of Mexican territory. The general rule regarding data transfers, both national and international, is that they may be carried out either with the data subject&#8217;s consent, or if an exception to consent applies.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What personal data security obligations are imposed by the data protection laws  in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Controllers are required to establish and maintain appropriate physical, administrative and technical security measures to protect personal data. 
While the law does not specify these measures, they must not be inferior to those used by the controller for handling its own confidential information.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there more specific security obligations for certain types of personal data (e.g., sensitive data or special categories of personal data)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The MDPL stipulates that the level of security implemented must be proportionate to the associated risks, the sensitivity of the personal data and the potential consequences for data subjects, considering the state of technological development.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction impose obligations in the context of security breaches which impact personal data? If so, how do such laws define a security breach (or similar term) and under what circumstances and within what timeframe must such a breach be reported to regulators, impacted individuals, law enforcement, or other persons or entities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>A data breach is defined as:<\/p>\n<ol>\n<li>loss of, or unauthorized access to, personal data;<\/li>\n<li>theft, misplacement or unauthorized copying of personal data;<\/li>\n<li>unauthorized use, access or processing of personal data; or<\/li>\n<li>unauthorized damage, alteration or modification of personal data.<\/li>\n<\/ol>\n<p>There is no obligation to report data breaches to the data protection authority. 
However, data controllers must report data breaches to data subjects when they may affect their proprietary or moral rights. In such cases, the breach must be reported &#8216;without delay&#8217; upon confirmation.<\/p>\n<p>The MDPL does not explicitly state what information must be given to data subjects in the event of a data breach.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction establish specific rights for individuals, such as the right to access and the right to deletion? If so, please provide a general description of such rights, how they are exercised, and any exceptions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The MDPL establishes four specific rights: access, rectification, cancellation and objection (the \u201cARCO rights\u201d).<\/p>\n<p>The ARCO rights comprise:<\/p>\n<ul>\n<li>Access to the personal data held by a controller.<\/li>\n<li>Rectification: the right to request that personal data be rectified if it is out of date or inaccurate.<\/li>\n<li>Cancellation (erasure): the right to request the deletion of personal data (this can only be carried out once the purposes of the processing have been fulfilled).<\/li>\n<li>Objection: Data subjects have the right to object, on legitimate grounds, to the processing of their personal data. 
This includes the right to object to processing by artificial intelligence systems or automated means intended to review, evaluate or predict personal aspects such as professional performance, health, economic situation, reliability or behavior, if this processing has undesirable legal consequences or affects the interests, rights or freedoms of the data subject.<\/li>\n<\/ul>\n<p>The MDPL also provides that data subjects have the right to limit the use and disclosure of their personal data, as well as the right to withdraw consent where legally applicable.<\/p>\n<p>These rights can be exercised by making an express request to the controller, either by the data subject or their legal representative, using the methods indicated in the privacy notice for this purpose. In the relevant request, the data subject must include the following:<\/p>\n<ol>\n<li>Their name and address or other means to communicate the response to the request.<\/li>\n<li>Proof of official identification and, if applicable, proof of the legal representative&#8217;s identity.<\/li>\n<li>A clear description of the data related to the request, except in cases where the right to access applies.<\/li>\n<li>A description of the right being exercised or the nature of the request.<\/li>\n<li>Any other information or documents that facilitate the identification of the relevant personal data.<\/li>\n<\/ol>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction allow or provide for a private right of action for violations?  If so, does your jurisdiction also allow \u201cclass action\u201d litigation (i.e., on behalf of a class or (\u2018many\u2019) claimants)? 
Please explain under what circumstances a private right of action applies and\/or a class action may be brought, and whether certain types of claims\/violations present a higher risk of a private right of action or class action (e.g., are there statutory damages or presumed harm for certain violations)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Data subjects may file a &#8216;data protection request&#8217; with SABG if they believe that a controller has violated their rights. This mechanism enables individuals to act when:<\/p>\n<ul>\n<li>the controller does not respond within the legal timeframe (20 days, extendable to 40);<\/li>\n<li>the controller refuses to comply or delivers incomplete or incorrect data; or<\/li>\n<li>the data is delivered in an incomprehensible format or not as requested.<\/li>\n<\/ul>\n<p>Data subjects must file the complaint within 15 days of receiving an unsatisfactory response or of the expiry of the response deadline. The procedure includes submitting evidence, giving the controller an opportunity to respond, and the issuance of a final resolution by the authority.<\/p>\n<p>The MDPL does not regulate \u201cclass action\u201d litigation.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are individuals entitled to monetary damages or compensation if they are affected by breaches of data protection law? 
Does the law require actual and material damage to have been sustained, or is non-material injury to feelings, emotional distress or similar sufficient for such purposes?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Individuals affected by violations of the MDPL are entitled to monetary damages or compensation for actual and material damage or non-material injury. However, they must prove a direct relationship between the breach and the alleged damage or injury, and there must be a definitive decision (i.e. a decision that has been confirmed after all available appeals have been exhausted or all appeal deadlines have expired).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are data protection laws in your jurisdiction typically enforced? What regulatory body(ies) have enforcement authority?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The MDPL is enforced by the SABG.<\/p>\n<p>To this end, SABG can initiate two different types of proceedings:<\/p>\n<ol>\n<li>Data subject\u2019s rights protection proceedings, or<\/li>\n<li>Sanctioning proceedings.<\/li>\n<\/ol>\n<p>The former is aimed at reviewing decisions made by data controllers when a data subject requests access to, rectification of, erasure of, or opposition to the processing of their data (ARCO rights). 
This review may include revoking a controller\u2019s previous decision, thereby allowing the data subject to access, rectify, erase, or prevent the processing of their data for specific purposes.<\/p>\n<p>Sanctioning proceedings begin with an investigation and verification process, during which the SABG can request documents and information from data controllers and\/or processors regarding alleged violations of the MDPL. These proceedings can be initiated either ex officio or when a data subject files a complaint, and may result in fines being issued to the controller who infringed the law. Please note that the MDPL does not provide for fines to be issued to data processors.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violation of data protection laws in your jurisdiction? Are there any guidelines or rules for the calculation of such fines or the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Sanctions for violation of the MDPL provisions include:<\/p>\n<ul>\n<li>Formal warnings requiring data controllers to comply with data subjects\u2019 requests regarding their ARCO rights.<\/li>\n<li>Fines applicable during 2026, for:<\/li>\n<\/ul>\n<p>i. Serious violations (each): Minimum fine: MXN $11,731.00 (approximately USD $684.00 or EUR \u20ac580.00 or GBP \u00a3505.00) and Maximum fine: MXN $18,769,600.00 (approximately USD $1,093,700.00 or EUR \u20ac930,000.00 or GBP \u00a3809,000.00).<\/p>\n<p>ii. 
Very serious violations (each): Minimum fine: MXN $23,462.00 (approximately USD $1,368.00 or EUR \u20ac1,160.00 or GBP \u00a31,010.00) and Maximum fine: MXN $37,539,200.00 (approximately USD $2,187,400.00 or EUR \u20ac1,860,000.00 or GBP \u00a31,618,000.00).<\/p>\n<p>Fines for violations involving sensitive data, or in cases of recidivism, are doubled.<\/p>\n<p>The existing rules for the calculation of such fines are set out in Article 60 of the MDPL.<\/p>\n<p>SABG shall base and justify its decisions by taking into account the following:<\/p>\n<ul>\n<li>the nature of the data involved in the infringement;<\/li>\n<li>if applicable, the manifest inadmissibility of the controller&#8217;s refusal to perform the acts requested by the data subject;<\/li>\n<li>intentionality;<\/li>\n<li>the economic capacity of the controller; and<\/li>\n<li>if applicable, recidivism.<\/li>\n<\/ul>\n<p>Jurisprudence regarding excessive or unlawful fines is also applicable when determining whether a fine has been properly imposed.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to appeal in your jurisdiction? If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes.<\/p>\n<p>Data controllers who have been fined by the SABG may appeal against the decision by initiating an indirect amparo proceeding (juicio de amparo indirecto) with a Federal District Court. If they disagree with the ruling, they may appeal it through a motion for review (recurso de revisi\u00f3n) with an Appeals Circuit Court. 
The decision made following this review is final and cannot be further appealed.<\/p>\n<p>Please note that, since September 2025, amparo proceedings and the corresponding motions for review have been handled by specialised Data Protection and Telecommunications Courts.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the implementation of specific cybersecurity risk management measures and\/or require that organisations take specific actions relating to cybersecurity? If so, please provide an overview of these obligations and explain their scope\/applicability. For example, are all organizations subject to the requirement, or only certain organizations (e.g., based on size, sector, critical infrastructure designation, public company)? Are there specific and\/or additional regulations for different industries (e.g., finance, healthcare, government)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are no federal or state cybersecurity laws in Mexico.<\/p>\n<p>For all types of private data controllers, the MDPL provides a general \u201csecurity obligation\u201d (article 18):<\/p>\n<p><em>\u201cAll controllers must establish and maintain administrative, technical, and physical security measures to protect personal data against damage, loss, alteration, destruction, or unauthorized use, access, or processing.<\/em><\/p>\n<p><em>Controllers shall not adopt security measures that are less stringent than those they maintain for the handling of their own information. 
The existing risk, the possible consequences for data subjects, the sensitivity of the data, and technological developments shall also be considered.\u201d<\/em><\/p>\n<p>Article 18 of the MDPL (and, when published, its Regulations) provides the broad obligation of any controller to implement \u201cappropriate\u201d technical security measures, leaving each controller to assess and define the appropriate cybersecurity measures to protect the data it processes.<\/p>\n<p>The data protection law applicable to public data controllers includes a similar general provision (article 25), demanding the implementation of technical security measures when personal data is processed using automated systems:<\/p>\n<p><em>\u201cRegardless of the type of system in which the personal data is stored or the type of processing carried out, the controller must establish and maintain administrative, physical, and technical security measures to protect personal data against damage, loss, alteration, destruction, or unauthorized use, access, or processing, as well as to guarantee its confidentiality, integrity, and availability.\u201d<\/em><\/p>\n<p>Also, certain cybersecurity obligations are included in various regulations and general provisions, mainly applicable to financial institutions, insurance companies and telecommunications service providers.<\/p>\n<p>The general provisions that require financial institutions, insurance companies and telecommunications service providers to implement cybersecurity measures are not legislative acts, but administrative orders that their corresponding regulatory authority issues and updates frequently.<\/p>\n<p>Also note that in May 2018 several financial associations and the following authorities signed the \u201c<a href=\"https:\/\/www.banxico.org.mx\/sistema-financiero\/d\/%7BD0502AA8-7721-5C2C-5C8F-05858CBB4AE7%7D.pdf\">Basis for coordination on information security between financial system authorities, the Attorney General&#8217;s 
Office (formerly the Office of the Prosecutor General) and trade associations<\/a>\u201d:<\/p>\n<ul>\n<li>The Ministry of Finance and Public Credit,<\/li>\n<li>The Bank of Mexico,<\/li>\n<li>The National Banking and Securities Commission,<\/li>\n<li>The National Commission for the Protection and Defense of Users of Financial Services,<\/li>\n<li>The National Commission for the Savings System for Retirement,<\/li>\n<li>The National Insurance and Surety Bond Commission, and<\/li>\n<li>The Attorney General&#8217;s Office.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose formal cybersecurity audit or certification requirements? If so, please provide an overview.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>No federal or state cybersecurity laws in Mexico impose specific requirements regarding supply chain management.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose specific requirements regarding vendor and supply chain management? 
If so, please provide details of these requirements.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>No federal or state cybersecurity laws in Mexico impose information sharing requirements.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the appointment of a chief information security officer, regulatory point of contact, or other person responsible for cybersecurity? If so, please provide an overview of the requirement, including whether there are any formalities that must be observed regarding such appointment (e.g., board-approval, reporting line structure, notification to regulatory body).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>No federal or state cybersecurity laws in Mexico require the appointment of a CISO (or regulatory point of contact or a person responsible for cybersecurity).<\/p>\n<p>General provisions applicable to <a href=\"https:\/\/www.cnbv.gob.mx\/Normatividad\/Disposiciones%20de%20car%C3%A1cter%20general%20aplicables%20a%20las%20instituciones%20de%20cr%C3%A9dito.pdf\">credit institutions<\/a> and <a href=\"https:\/\/www.cnbv.gob.mx\/Normatividad\/Disposiciones%20de%20car%C3%A1cter%20general%20aplicables%20a%20las%20instituciones%20de%20tecnolog%C3%ADa%20financiera.pdf\">fintech institutions and crowdfunding service providers<\/a> (the \u201cGeneral Provisions\u201d) do provide that these types of organization must appoint a chief information security officer (\u201cCISO\u201d). 
The CISO must:<\/p>\n<ul>\n<li>Participate in defining and verifying the implementation and ongoing compliance of the entity&#8217;s security policies and procedures.<\/li>\n<li>Develop the Master Security Plan.<\/li>\n<li>Annually verify the initiation of access profiles to the entity&#8217;s technological infrastructure.<\/li>\n<li>Annually verify, or after an information security incident, the correct assignment of access profiles to the entity&#8217;s technological infrastructure.<\/li>\n<li>Approve and ensure compliance with measures taken to address any deficiencies in access profile settings or assignments.<\/li>\n<li>Manage information security alerts issued by the National Banking and Securities Commission (\u201cCNBV\u201d) and other parties, as well as information security incidents.<\/li>\n<li>Coordinate and lead the team responsible for detecting and responding to information security incidents.<\/li>\n<li>Report any information on security incidents and the corrective measures taken to prevent future occurrences.<\/li>\n<li>Propose and coordinate training courses on information security for all employees and evaluate the effectiveness of such training.<\/li>\n<li>Submit a monthly report on information security management to the CEO.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose specific reporting or notice obligations in the context of cybersecurity incidents?  
If so, how do such laws define a cybersecurity incident and what are the reporting and notification requirements (please also note whether these laws require reporting of certain cyber security incidents, regardless of whether there has been a \u2018breach of personal data\u2019)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Personal Data Security Breaches were defined as any of the following incidents, when they involve personal data (article 63 of the former Regulations to the MDPL):<\/p>\n<ol>\n<li>Unauthorized loss or destruction,<\/li>\n<li>Theft, misplacement, or unauthorized copying,<\/li>\n<li>Unauthorized use, access, or processing, or<\/li>\n<li>Unauthorized damage, alteration, or modification.<\/li>\n<\/ol>\n<p>The former Regulations to the MDPL (article 64) provided that Data Breaches that significantly affect the data subjects\u2019 legal or moral rights must be notified to them as soon as the data controller confirms that the breach has occurred and has taken steps to initiate a thorough review of the extent of the breach, so that the affected data subjects may take appropriate measures.<\/p>\n<p>\u201cPrivate parties\u201d (e.g. a company or a private hospital) have no obligation to notify a Data Breach to the data protection authority (currently, the SABG).<\/p>\n<p>Credit institutions and crowdfunding service providers have obligations to notify cybersecurity incidents.<\/p>\n<p>Credit institutions must report severe security incidents to the CNBV immediately via email. A severe incident is defined as one that causes economic or information losses, disrupts financial services, may replicate in other credit institutions, affects clients or the financial system, or is assessed as severe by the institution itself. 
The initial notification must include the date and time of the incident, whether it is ongoing or resolved, a description, and an initial severity assessment. Within five business days, credit institutions must submit a detailed report using the ISIT (Information Security Incident Template), including additional information such as the detection date, affected locations, potential monetary losses, and compromised personal or sensitive data. Sensitive information is defined broadly and includes full names, contact information, biometric data, account numbers, passwords, and identifiers. They are also required to submit, within 15 days of the incident\u2019s resolution, an action plan detailing measures taken to eliminate the risks that caused the incident.<\/p>\n<p>If an incident results in unauthorized access, extraction, loss, deletion, or alteration of individuals\u2019 sensitive information, the credit institution must notify affected individuals within 48 hours of discovery. The notification must explain the associated risks, the mitigation measures taken, and, if needed, include the issuance of new authentication factors.<\/p>\n<p>Similarly, crowdfunding service providers must report relevant security incidents to the CNBV immediately. An incident is considered relevant if it affects the provider, clients, or other financial system actors, and involves sensitive data, identification images, or biometric information. The initial report must include similar minimum elements as required for credit institutions. A more comprehensive report using the ISIT must be submitted within five business days and includes technical and data-related details, including the affected system configurations, software versions, and compromised user data. Crowdfunding providers are also required to deliver a risk mitigation action plan within 15 days of resolving the incident. 
Notification to impacted individuals is required within 48 hours when sensitive data is compromised, with the obligation to explain risks and implement protective measures, such as issuing new authentication credentials.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Can individuals bring a private right of action for cybersecurity incidents or other violations of cybersecurity laws? If so, does your jurisdiction also allow \u201cclass action\u201d litigation (i.e., on behalf of a class or (\u2018many\u2019) claimants)? Please explain under what circumstances a private right of action and\/or a class action may be brought.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Data subjects may file a complaint with SABG if they believe that a controller has violated relevant security obligations and such violation was related to their personal data. If a data controller is fined for violating security obligations, this does not mean that the complainant will receive a compensation payment.<\/p>\n<p>Individuals affected by violations of the MDPL are entitled to monetary damages or compensation for actual and material damage or non-material injury. However, they must prove a direct relationship between the breach and the alleged damage or injury, and there must be a definitive decision (i.e. 
a decision that has been confirmed after all available appeals have been exhausted or all appeal deadlines have expired).<\/p>\n<p>The MDPL does not regulate \u201cclass action\u201d litigation.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are cybersecurity laws in your jurisdiction typically enforced? What regulatory body(ies) have enforcement authority?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As there are no cybersecurity laws in Mexico, there is no direct enforcement that punishes the violation of cybersecurity obligations.<\/p>\n<p>However, public and private controllers are generally obliged to ensure the security of personal data, and failure to comply with this obligation may result in a sanction from the SABG if they have failed to adopt security measures to protect such information and this has resulted in a security breach.<\/p>\n<p>In addition, regulatory authorities in specific sectors, such as finance or insurance, may impose penalties for failing to adopt the security measures set out in the general provisions if this failure affects the sensitive information of customers of such institutions. 
According to these general provisions, sensitive information is defined as personal customer information containing names, addresses, telephone numbers, email addresses, or any other data that identifies the customer in conjunction with account numbers, card numbers, and other financial data, as well as customer identifiers or authentication information.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What powers of oversight \/ inspection \/ audit do regulators have in your jurisdiction under cybersecurity laws?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>SABG may initiate its own investigations if it becomes aware of security breaches in databases, in order to verify whether controllers have taken appropriate security measures to protect personal data under their responsibility.<\/p>\n<p>Supervisory authorities of financial institutions may request the results of internal security audits from regulated entities at any time. These audits are mandatory and their results must be retained.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violations of cybersecurity laws in your jurisdiction? What is the range of sanctions (including fines and penalties) for violation of data protection laws in your jurisdiction?  
Are there any guidelines or rules for the calculation of such fines or the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Failure to implement security measures to protect personal data is deemed a very serious violation. For each such violation, the minimum fine (2026) is MXN $23,462.00 (approximately USD $1,368.00, EUR \u20ac1,160.00 or GBP \u00a31,010.00) and the maximum fine (2026) is MXN $37,539,200.00 (approximately USD $2,187,400.00, EUR \u20ac1,860,000.00 or GBP \u00a31,618,000.00).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to appeal in your jurisdiction? If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Enforcement decisions can be appealed by initiating an indirect amparo proceeding (<em>juicio de amparo indirecto<\/em>) with a Federal District Court. If the appellant disagrees with the resulting ruling, it may be challenged through a motion for review (<em>recurso de revision<\/em>) with an Appeals Circuit Court. 
The decision made following this review is final and cannot be further appealed.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\r\n\r\n\t\t\t<\/ol>\r\n\r\n<\/div>"}},"_links":{"self":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide\/140440","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide"}],"about":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/types\/comparative_guide"}],"wp:attachment":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/media?parent=140440"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}