CMS Expert Guide: Data Law Navigator

Data protection

1. Local data protection laws and scope

The main data protection legislation is the Federal Law on the Protection of Personal Data held by Private Parties (the “Data Protection Law”) and its supplementary regulation (the “Data Protection Regulations”), together the “Data Protection Legislation”. The Data Protection Law came into force in July 2010 and the Data Protection Regulation came into force in December 2011. Other relevant legislation containing data protection provisions includes:

  • Articles 6 to 16 of the Mexican Constitution;
  • The Privacy Notice Guidelines, which govern the content of data privacy notices and obtaining consent for processing personal data;
  • The General Law for the Protection of Personal Data in Possession of Obligated Subjects governs personal data held by public bodies; and
  • The Federal Consumer Protection Law governs certain aspects concerning marketing activities.    

Additionally, Mexico is a signatory of international agreements on Data Protection, like the Convention for the Protection of the People Regarding the Automated Treatment of Personal Information. Mexico is also a member or the Inter American Network of Data Protection.

Law n. 9887 dated 10 March 2008 “On protection of personal data”.

This law shall apply to the processing of personal data, wholly or partly by automatic means and to the processing by other means of a personal data stored in a filing system, or intended to form part of a filing system. 

This law shall apply to the processing of personal data by:

  1. controllers established in the Republic of Albania;
  2. diplomatic missions or consular offices of the Albanian state;
  3. controllers who are not established in the Republic of Albania, making use of any equipment situated in the Republic of Albania; 

In circumstances stipulated in point 3, the controller designates a representative established in the territory of Albania. Stipulations of this law applying to controllers are also applicable to their representatives. This law applies also to the public authorities that process personal data.

This law is not applicable to processing of data: 

  • by a natural person for purely personal or family purposes;

only in case the information is provided about public officials or public (state) administration servants, reflecting their public, administrative activities or issues related to their duties.

  • Law No. 29733, Personal Data Protection Law (“Personal Data Protection Law”), which includes the provisions (such as principles, obligations, data bank registration and fines) applicable in Peru regarding personal data protection.
  • Supreme Decree No. 003-2013-JUS, Regulation of the Personal Data Protection Law (“Regulations”), which details with further precision the provisions established in the Law.
  • Directorial Resolution No. 019-2013-JUS/DGPDP, Guidelines on Security of Information (optional and guidance standard), which provides guidance on the conditions, requirements and technical measures to be considered in order to comply with security measures for the personal data protection.  
  • Directorial Resolution No. 02-2020-JUS/DGTAIPD, Guidelines on the processing of personal data using video-surveillance systems (optional and guidance standard), which aims to establish guidelines for the treatment of personal data that are captured through video surveillance systems for security and labour control purposes.
  • Resolution No. 0326-2020-JUS, Methodology for the Calculation of Personal Data Protection Fines, which aims to provide uniform, predictable and objective guidelines and criteria regarding the imposition of fines.
    The main provisions established in the above-mentioned data protection laws are as follows: 
  • The data protection laws apply to information relating to data subjects who are identified or identifiable (natural persons).
  • The data protection laws apply to automated and non-automated data processing operations. 
  • The party determining the purposes and means of processing personal data established in Peru (“data controller”).
  • The party processing the data on behalf of the data controller (“data processor”).
  • The party processing the data on behalf of the data processor (“data sub-processor”). 

The Personal Data Protection Law and its Regulations applies to any person, legal entity or public entity that processes personal data:

  • within national territory;
  • when carried out by a data processor, regardless of its location, in the name of a data controller established in Peru;
  • when the data controller is not established in Peru, but the Peruvian legislation is applicable by contractual or international law; and
  • when the data controller is not located in Peru but uses means located in the territory, unless such transit does not involve data processing.

Thus, the existence of special rules, even when they include regulations on personal data, does not exclude compliance with the Personal Data Protection Law.

2. Data protection authority

The Federal Institute for Access to Information and Data Protection (Instituto Nacional de Acceso a la Información y Protección de Datos Personales or "INAI"), is responsible for overseeing the Data Protection Legislation. Its aim is to encourage access to all public information about governmental activities, and budgets, as well as seeking the protection of personal data and the right to privacy.
The INAI, if requested by a data subject, may carry out an investigation to ensure compliance with the Data Protection Legislation of a specific undertaking and sanction those found to be in breach the Data Protection Legislation.

The Commissioner for the Right to Information and Protection of Personal Data is the independent authority in charge of supervising and monitoring the protection of personal data and the right to information by respecting and guaranteeing the fundamental human rights and freedoms in compliance with the law.

3. Anticipated changes to local laws

There are no anticipated changes. Notwithstanding, the President of Mexico suggested in January that the INAI would be replaced by a State-controlled body. No additional details or timelines have been provided.

Law no. 48/2012 "On some additions and changes to the law no. 9887, dated 10 March 2008" On the protection of personal data", dated 08 May 2012.

Law no. 120/2014 "On some additions and changes to the law no. 9887, dated 10 March 2008" On the protection of personal data", dated 18 September 2014.

There are no anticipated changes to local laws. 

4. Sanctions & non-compliance

The INAI has the has the authority to impose the following administrative fines:

  • 100 to 160,000 units of measure 1 1 unit of measure = MXN 86.88 (Mexican Pesos)  for:
    • Acting negligently or fraudulently in processing and responding to requests for personal data access, rectification, cancellation or objection;
    • Fraudulently declaring the inexistence of personal data where such exists in whole or in part in the databases of the Data Controller;
    • Processing personal data in violation of the principles established in the Data Protection Law;
    • Omitting from the Privacy Notice any or all of the information it requires;
    • Maintaining inaccurate personal data when such action is attributable to the Data Controller, or failing to perform legally due rectifications or cancellations where the data subject’s rights are affected; and
    • Failure to comply with the notice warnings issued by the INAI.
  • 200 to 320,000 units of measure 2 1 unit of measure = MXN 86.88 (Mexican Pesos) for:
    • Breaching the duty of confidentiality set out in the Data Protection Law;
    • Materially changing the original data processing purpose in contravention of the Data Protection Law;
    • Transferring data to third parties without providing them with the Privacy Notice containing the limitations to which the data subject has conditioned data disclosure;
    • Compromising the security of databases, sites, programmes or equipment;
    • Carrying out the transfer or assignment of personal data outside of the cases where it is permitted under the Data Protection Law;
    • Collecting or transferring personal data without the express consent of the data subject where required;
    • Obstructing verification actions of the INAI;
    • Collecting data in a deceptive and fraudulent manner;
    • Continuing with the illegitimate use of personal data when the INAI or the data subjects have requested such use be ended;
    • Processing personal data in a way that affects or impedes the exercise of the rights of access, rectification, cancellation and objection set;
    • Creating special data databases in violation of the Data Protection Law.   

In the event that the infractions mentioned in the preceding paragraphs persist, an additional fine of 100 to 320,000 units of measure 3 1 unit of measure = MXN 86.88 (Mexican Pesos)  can be imposed.

Sanctions may be doubled for any of the above infractions committed in the treatment of sensitive data.

Cases of data processing in contradiction with the provisions of this law do not constitute any criminal offence and are subject to a fine. The Fines shall be imposed by the Commissioner when he finds that the obligations set forth in the law are infringed.

Administrative sanctions:

The DPA has powers to impose the following sanctions: 

  • Fines of up to approximately USD 120,500. Fines will depend on the type of infraction committed according to the Methodology for the Calculation of Personal Data Protection Fines. 
  • Corrective measures, such as the obligation to register a database, communicate the cross-border flow, delete personal data, among others.
Criminal sanctions:

The Criminal Code details certain offences in the field of personal data:

  • Illegal traffic of personal data: the person who illegitimately commercialises non-public information related to the personal and sensitive sphere, will be punished with imprisonment of not less than two nor more than five years.
  • Dissemination of images, videos or audio with sexual content: whoever reveals, disseminates or commercialises images (or audio without the person's consent) shall be punished with imprisonment of not less than two nor more than five years and with thirty to 120 days’ fine.
  • Disclosure of personal and family privacy: anyone who discloses aspects of someone personal or family lives because he/she was able to know for (i) the work he has done for the affected party or (ii) being someone of confidence shall be punished with imprisonment of nor more that on year.
  • Improper use of computer files: anyone who improperly uses any file containing data relating to political or religious beliefs and other aspects of the intimate life of one or more persons shall be liable to imprisonment for a term of not less than one year and not more than four years.   

In addition to making a complaint to the DPA, a data subject may also make a claim damages in court, which may involve material and moral damages.

5. Registration / notification / authorisation

The Data Protection Legislation does not require prior notification or registration for any data processing activities.

Registration and the notification must contain the following information:

  • name and address of the controller;
  • the purpose of processing personal data;
  • categories of data subjects and categories of personal data;
  • recipients and categories of recipients of personal data;
  • the proposal for international transfers that the controller intends to carry out;
  • a general description of the measures for the security of personal data (this is not part of the registration)
The responsibility to notify

Every controller shall notify the Commissioner about the processing of personal data for which he is responsible. The notification shall be made before the controller processes the data for the first time, or when a change of the processing notification status is required.

The processing of personal data the sole purpose of which is to keep a record, which in accordance with the law or sub-legal acts provides information for the public in general, is exempted from the obligation to notify the processing of data. Data that are processed for the purpose of protection of the constitutional institutions, interests of national security, foreign policy, economic or financial interests of the state, prevention or prosecution of the criminal offences are exempted from the obligation to notify. 

Other cases on which notification is not necessary are established under a decision of the Commissioner.

The Personal Data Protection Law does not require prior notification or registration to the DPA for any data processing activities.

6. Main obligations and processing requirements

The Data Protection Law recognises two parties who deal with personal data:

  1. Data Processors: the subject or legal entity that processes personal data on behalf of the Data Controller.
  2. Data Controller: the subject or legal entity that decides on the processing of personal data.

Their relationship must be established through contractual clauses or other legal instruments in a way that proves the existence, scope and nature of such relationship.

According to the Data Protection Legislation, the principles that must be observed by controllers and/or processors in the processing of personal data are the following:

  1. Legitimacy: Personal data must be collected and processed in a lawful manner;
  2. Consent: The data subject must give its consent for the processing of its personal data;
  3. Information: Through a Privacy Notice, the Data Controller must inform the data subject about the existence and the characteristics of their personal data processing;
  4. Quality: This principle is given when the personal data is provided directly by the data subject; if not, the Data Controller must take the measurements to meet the quality principle and adopt mechanisms that are considered necessary to ensure that the data is accurate, complete, updated and correct;
  5. Purpose: Personal data can only be processed for the purposes established in the Privacy Note.
  6. Loyalty: Personal data must be processed safeguarding the protection of the data subjects’ interests and the reasonable expectation of privacy;
  7. Responsibility: Data Controllers must ensure the processing of personal data in their custody, as well as the data transferred to a Data Processor.

Additionally, the following legal requirements should be taken into account when processing personal data:

  1. Personal data must be collected and processed in a lawful manner in accordance with the provisions established by the Data Protection Legislation and other applicable regulations;
  2. Personal data must not be obtained through deceptive or fraudulent means;
  3. In all processing of personal data, it is presumed that there is a reasonable expectation of privacy, understood as the trust any one person places in another for personal data provided to be treated pursuant to any agreement of the parties in the terms established by the Law;
  4. Personal data should not be kept for any longer than is necessary in order to comply with the purposes for which the personal data was originally held. Data Controllers must establish and document retention procedures, including deletion and/or blocking of personal data, taking the nature of the data into account.   

Protection of personal data is based on: 

  • processing that is fair and lawful; 
  • a collection for specific, clearly defined and legitimate purposes and shall be processed in a way that is compatible with these purposes; 
  • adequate data, which are relevant to the purpose of their processing and not excessive in relation to such purpose; 
  • accurate data, and where necessary, updated; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;
  • keeping data in a form that allows the identification of data subjects for no longer than it is necessary for the purpose for which they were collected or further processed;

The controller is in charge of applying these requirements to all kinds of processing of data, be it automatically or by other means.

The personal data may be processed only if:

  • Personal data subject has given his or her consent;
  • Processing is necessary for the performance of a contract to which the data subject is party or in order to negotiate or amend a draft/contract at the request of the data subject;
  • in order to protect the vital interests of the data subject;
  • to comply with a legal obligation of the controller;
  • for the performance of a legal task of public interest or in exercise of powers of the controller or of a third party to whom the data are disclosed;
  • processing is necessary for the protection of the legitimate rights and interests of the controller, the recipient or any other interested party. However, in any case, the processing of personal data cannot be in clear contradiction with the data subject’s right to protection of personal life and privacy.

Processing of personal data in the framework of crime prevention and prosecution activities, in cases of a criminal offence against the public order and other violations in the field of criminal law, defence and national security, shall be performed by official authorities as stipulated in the law. 

In the event, the controller or processor may carry out personal data processing for the purpose of offering business opportunities or services provided that the data were taken from a public list of data. 

The controller or processor cannot process any further the data specified in this paragraph, if the data subject has expressed his or her disagreement or has objected to further processing. No additional personal data may be attached to the data specified above without the consent of the data subject. 
The controller is allowed to keep the personal data in its own filing system.

Such data can only be used if the data subject gives his or her consent.

The collection of personal data which is related to a data subject solely for reasons of direct marketing is allowed only if the data subject has given his or her explicit consent.

Obligations of the Controller and Processor:

  • obligation to inform;
  • obligation to rectify and erase;
  • obligations of the Processor.
Consent requirements

Personal data can only be processed with the consent of its owner, which must be prior, informed, express and unequivocal.

Consent may be obtained through written or verbal means. In the case of sensitive data, consent must be given in written form.

Information requirements

The data controller must comply with the following information on the data subjects: (i) the identity and address of the data controller and data processor, if applicable, (ii) the purpose of the personal data processing, (iii) who the recipients may be (national or international transfers), (iv) the existence of the data bank where the information will be stored, (v) the mandatory or optional nature of the proposed questionnaire, (vi) any consequences of providing personal data and any refusal to do so, (vii) transfer of personal data, (viii) time holding personal data, and (ix) means and possibility of exercising rights of access, rectification, opposition and cancellation.

General obligations

The data controller and the data processor, when applicable, must comply with the following obligations:

  • Not to collect personal data by fraudulent, unfair or illegal means;
  • Collect up-to-date, necessary, relevant and adequate personal data in connection with a determined, explicit and legal purpose;
  • Not to use personal data for any means other than the those for which it was collected in the first place unless such data undergoes an anonymisation or dissociation process;
  • Store personal data in such a manner that allows data subjects to enforce their rights;
  • Delete or replace personal data upon knowledge of its inaccuracy or incompleteness;
  • Delete personal data when it is no longer necessary for the purpose for which it was collected, unless such data undergoes an anonymisation or dissociation process;
  • Provide the information that the DPA requests.

7. Data subject rights

All data subjects are entitled to exercise rights of access, rectification, cancellation and objection regarding their personal data (collectively known as ARCO rights). These rights are not mutually exclusive.

Right of Access

The data subject is entitled to access its personal data held by the Data Controller, as well as information regarding the conditions and generalities of the processing.

Right of Rectification

Data subjects may request, at any time, that Data Controllers rectify personal data if it is inaccurate or incomplete.

Right of Cancellation

Data subjects have the right to cancel (i.e. seek erasure of) its personal data. There are certain situations where Data Controllers have the right to object to such erasure (e.g. if required by applicable law or public interest).

Right of Objection

Data Subjects may, at any time, oppose the processing of their personal data for legitimate purposes.

  • The right to access;
  • right to request blocking, rectification and erasure;
  • automated decision;
  • right of the data subject to refuse;
  • right to complain;
  • compensation for damage.

The following are the rights granted to data subjects:

  • Right to request information;
  • Right of access to personal data;
  • Right to update, include or rectify personal data;
  • Right to delete personal data;
  • Right to prevent the supply of personal data;
  • Right to oppose to the processing of personal data;
  • Right of objective processing;
  • Right to claim protection; and
  • Right to be indemnified.

8. Processing by third parties

According to the Data Protection Law, if the Data Controllers intend to transfer personal data to third parties, it must provide them with a Privacy Notice and the purposes to which the data subject has limited data processing. The data subject must consent to such transfer via the Privacy Notice.


Data Processors must obtain permission from Data Controllers if subcontracting may involve the subcontractor processing personal data. Once consent is obtained, the Data Processor must enter into a contract with the subcontractor.

The subcontractor will assume the same obligations required for Data Processors under the Data Protection Legislation and other applicable law.

The Data Processor’s right to subcontract processing activities should be outlined in the contract between the Data Controller and Data Processor. If this right is not covered in that contract, the Data Processor must seek specific consent from the Data Controller in order to subcontract processing activities.

Processing by third parties is not allowed.

In general, the data processor must comply with the following obligations:

  • It is prohibited to transfer personal data for the provision of processing services to third parties, unless authorised by the data controller and the personal data subject has given his or her consent;
  • To carry out the processing of personal data according to the instructions of the data controller and exclusively for the purpose established in the agreement between the two;
  • In order to contract a data sub-processor, the data processor must have the data controller’s authorisation; 
  • The data processor may keep the data for a maximum of two years from the end of the last assignment;
  • The data sub-processor assumes the same obligations as the data controller and data processor in accordance with the Personal Data Protection Law and its Regulation;
  • Deploy the technical, organisational and legal measures that guarantee the security of personal data processing;
  • To maintain confidentiality regarding the personal data processing ordered by the data controller.

9. Transfers out of country

International transfers of personal data must be consented to by the data subject and the purposes of such transfers must be included in the Privacy Notice. Such consent is not required where the transfer is:

  1. pursuant to a Law or Treaty to which Mexico is party;
  2. necessary for medical diagnosis or prevention, healthcare delivery, medical treatment or health services management;
  3. made to holding companies, subsidiaries or affiliates under common control of the Data Controller, or to a parent company or any company of the same group as the Data Controller, operating under the same internal processes and policies;
  4. necessary by virtue of a contract executed or to be executed in the interest of the data subject between the Data Controller and a third party;
  5. necessary or legally required to safeguard public interest or for the administration of justice;
  6. necessary for the recognition, exercise or defence of a right in a judicial proceeding; or
  7. necessary to maintain or fulfil a legal relationship between the Data Controller and the data subject.
International transfer 

The international transfer of personal data is allowed for recipients from states which have an adequate level of personal data protection. The level of personal data protection for a state is established by assessing all circumstances related to nature, purpose and duration of the processing, country of origin and final destination, legal provisions and security standards in force in the recipient state. States that have an adequate level of data protection are assessed under a decision by the Commissioner. International transfer of personal data with a state that does not have an adequate level of personal data protection may be carried out when: 

  • it is authorised by international acts ratified by the Republic of Albania and are directly applicable; 
  • the data subject has given his or her consent for the international transfer; 
  • the transfer is necessary for the performance of a contract between the data subject and the controller or for the implementation of pre-contractual measures taken in addressing the data subject’s request, or the transfer is necessary for the conclusion or performance of a contract between the controller and a third party, in the interest of the data subject;
  • it is a legal obligation of the controller; 
  • it is necessary for protecting vital interests of the data subject; 
  • it is necessary or constitutes a legal requirement over an important public interest or for exercising and protecting a legal right;
  • transfer is done from a register that is open for consultation and provides information to the general public. 

Exchange of personal data to the diplomatic representations of foreign governments or international institutions in the Republic of Albania shall be considered an international transfer of data. 

International transfer of data that need to be authorized 

In cases other than those provided herein, the international transfer of personal data with a state that does not have an adequate level of data protection, shall be carried out upon an authorisation from the Commissioner, if adequate safeguards are foreseen with respect to the protection of the privacy and fundamental human rights and freedoms, as well as regarding the exercise of the corresponding rights. 

The Commissioner, after making an assessment, under the specification provided herein may give authorisation to transfer personal data to the recipient State by defining conditions and obligations. 

The Commissioner issues instructions in order to allow certain categories of personal data international transfer to a state that does not have an adequate level of personal data protection. In these cases, the controller is exempted from the authorisation request. 

The controller shall submit a request for authorisation to the Commissioner prior to the data transfer. In the authorisation request, the controller shall guarantee the observance of the interests of the data subject to protection of confidentiality outside the Republic of Albania.

General rules

Two rules may apply to the data transfer outside the country: 

  • Personal data can be transferred to other countries whose protection level is adequate, according to the Peruvian Data Protection Law and its Regulation; and 
  • If the destination country does not have an adequate protection level, the recipient shall guarantee that the data processing will be carried out in accordance with the Peruvian Data Protection Law and its Regulation.

10. Data Protection Officer

Data Controllers must appoint a Data Protection Officer (or equivalent role) to deal with data subjects’ requests and promote data protection compliance within the Data Controller’s organisation.

The Commissioner.

There is no legal requirement to have a Data Protection Officer.

11. Security

Data Controllers and Data Processors are required to establish and maintain administrative and physical, security and, if applicable, technical measures for the protection of personal data.

In developing security measures, the data controller should take at least the following into account:

  1. the inherent risk given the type of personal data;
  2. the sensitivity of the personal data;
  3. technological developments;
  4. the potential consequences of a breach for data subjects;
  5. the number of data subjects;
  6. prior vulnerabilities in the processing systems;
  7. value of the data for an unauthorised third party; and
  8. other factors that may impact the level of risk or that result from other applicable laws and regulations.

The Data Protection Regulation also sets out actions that Data Controllers can take in order to comply with the security requirements:

  1. prepare an inventory of personal data;
  2. determine the functions and obligations of the person(s) who will process personal data;
  3. conduct a risk analysis of personal data consisting of identifying dangers and estimating the risks;
  4. establish the necessary security measures;
  5. identify gaps between existing security measures and those required for each type of data and each processing system;
  6. prepare a work plan based on the gap analysis in (v) above;
  7. carry out revisions and/or audits;
  8. train personnel who process personal data; and
  9. keep a record of the methods of processing personal data.

The controller or the processor shall take appropriate organisational and technical measures in order to protect personal data from unlawful or accidental destruction, accidental loss, from access or disclosure to unauthorised persons, especially when the processing of data takes place in a network, as well as from any other unlawful form of processing. 

The controller shall take the following special security measures: 

  • defines the functions of the organisational units and those of the operators as regards the use of data;
  • data shall be used with the order of authorised organizational units or operators; 
  • instructs all operators concerning their obligations, in conformity with this law and the internal regulations on data protection, including the regulations on data security;
  • Prohibits access of unauthorised persons to the working facilities of the data controller or processors;
  • data and programmes shall be accessed only by authorised persons;
  • Prohibits access to the filing system and their use by unauthorised persons; 
  • Operation of the data processing equipment shall be carried out upon authorisation and every device shall be secured with preventive measures against unauthorised operation;
  • records and documents the alteration, rectification, erasure, transfer, etc. 

The controller is obliged to document the technical and organisational measures adjusted and implemented to ensure protection of personal data in compliance with the law and other legal regulations. 

The data recorded shall not be used for different purposes which are not compliant with the purpose of collection. Acquaintance with or processing of the data registered in files for a purpose other than the right to enter the data shall be prohibited. In case data are used to guarantee national security, public security, for prevention or investigation of a criminal offence, or prosecution of the author thereof, or of any infringement of ethics for the regulated professions, it is exempted from this rule. Documentation of the data shall be kept for as long as it is necessary for the purpose for which they were collected.

The security level shall be in compliance with the nature of personal data processing. Detailed rules on data security shall be specified by decision of the Commissioner. Procedures for the administration of the data registration, data entry, their processing and disclosure shall be regulated by a decision of the Commissioner.

Controllers, processors and persons who come to know the content of the processed data while exercising their duty, shall remain under obligation of confidentiality and credibility even after termination of their functions. These data shall not be disclosed save when otherwise provided by law. Everyone acting under the authority of the controller or the processor shall not process the personal data to which he or she has access, without the authorisation of the controller, unless it is mandatory by law.

The data controller and the data processor must deploy organisational, technical, and legal measures to protect personal data against damage, loss, alteration or unauthorised access or processing. Personal data should be stored in databases that meet the following conditions:

  • Access control and management;
  • Management of privileges and their periodic verification;
  • Identification and authentication procedures;
  • Preservation, back-up and recovery of personal data;
  • Implementation of security measures for the storage of non-authentic documents;
  • Authorisation of reproduction or copying;
  • Access to records limited to authorised personnel; 
  • Generate a record of logical data interactions, including access information, time of login and logout; and
  • Apply security measures when personal data are transferred.

12. Breach notification

There are no requirements for Data Controllers to notify the INAI in the event of a data breach (other than Data Controllers which are government entities). However, Data Controllers must notify data subjects if their personal data is subject to a breach with at least the following information:

  1. nature of the breach;
  2. the personal data compromised;
  3. recommendations of actions that may be taken by the data subject to protect its interests;
  4. immediate measures being taken by the data controller; and
  5. any means by which the individual can find further information regarding the matter.


In the field of personal data, there is currently no obligation to report a data breach to the Data Protection Authority applicable to private persons. This might change upon the passing of the Digital Confidence Law Regulations. 

However, in the cases of public entities, they must report any data breach involving personal data before the Data Protection Authority within 48 hours of becoming aware of the data breach. 

The Guidelines on Security of Information suggest keeping a record of incidents and actions taken that is documented, including notification to the data subject affected.

13. Direct marketing

Personal data can be processed for advertising and marketing purposes in accordance with the Data Protection Legislation, provided that these purposes are made clear in the Privacy Notice and in any other medium required for communicating the processing purposes.

Collection of personal data that is related to a data subject solely for reasons of direct marketing is allowed only if the data subject has given his explicit consent.

The data subject has the right to ask the controller not to start processing, or if processing has started, to stop the processing of personal data related to him or her for the purposes of direct marketing and to be informed in advance before personal data are disclosed for first time for such purpose.

  • The Data Protection Law and its Regulations apply to all marketing and advertising activities involving personal data. Personal data means any information relating to an identified or identifiable natural person.
  • Article 58.1 of the Consumer Code (Law No. 29571) prohibits the use of aggressive or deceptive communication commercial practices without the data subject’s consent. In this regard, it is prohibited to use call centres, telephone call systems, sending text messages to cell phones or mass emails to promote products and services, as well as to provide telemarketing services to all those telephone numbers and email addresses of consumers who have not provided their prior, informed, express and unequivocal consent. In case of non-compliance, a fine of up to USD 600,000 can be imposed.

14. Cookies and adtech

When the Data Controller uses remote or local mechanisms for electronic, optical or other forms of technological communication which allow collection of personal data automatically and simultaneously to the time the data subject has contact with such communications mechanisms, the data subject must be informed about the use of these technologies, at the time the data subject makes contact with the technology and must be informed of the obtention of personal data as well as the way in which the cookies can be disabled.


Cookies, adtech and online marketing are not regulated directly by the Personal Data Protection Law. However, the Personal Data Protection Law and its Regulations will apply if personal identifiable information is collected and processed through cookies, adtech and online marketing. 

15. Risk scale





1. Local cybersecurity laws and scope

There is currently no specific federal cybersecurity law in force in Mexico.

Cybersecurity is regulated in the Federal Criminal Code, the Data Protection Legislation and other sector-specific legislation applicable to entities operating within those sectors (e.g. the Fintech Law). Specific cybersecurity measures are normally regulated through tertiary regulatory instruments such as manuals, official operating parameters and guides.

Law n. 2/2017 “For Cyber Security”, dated 09.02.2017

The Emergency Decree No. 007-2020, Digital Confidence Law (“DCL”) aims to establish the necessary measures to ensure trust with digital services, including digital security.

The Supreme Decree No. 029-2021-PCM, Digital Government Law Regulations (“DGL”) regulates the management of new technologies in public entities during the provision of digital services to citizens, which includes the Digital Security Incident Response management. 

2. Anticipated changes to local laws

A National Cybersecurity Strategy document was published in 2017, but since the change in government in December 2018, there has not been much progress in terms of actual regulation.

In February 2020, a Mexican Senator submitted a bill proposing amendments to the Data Protection Law (the “DP Bill”).

The DP Bill proposed implementing best practices with respect to cybersecurity but made no specific recommendations.

There have been no developments regarding the DP Bill since it was announced in February 2020.

There are no anticipated changes to local laws.

The passage of the DCL Regulations is pending. It is expected that this regulation will detail the process that obligated subjects must follow to report data breaches. The regulation is expected to be issued in 2021.

3. Application 

There is no indication of when (or if) the DP Bill will be passed into law or if the National Cybersecurity Strategy will be progressed.

This law is applied to communication networks and information systems, the violation or destruction of which would affect the health, safety, wealth of citizens and the effective functioning of the economy in the Republic of Albania.

Excluded from the application of this law are electronic communications networks and information systems that are subject to legal regulations in force for electronic signature, electronic identification and trusted services, electronic communications networks and information systems that process, archive or transmit classified information of the state, as well as electronic communications networks and information systems, as far as it is provided in the legislation on electronic communications in the Republic of Albania.

In accordance with the DCL, the obligations regarding Digital Security apply to the following:

  • Public entities;
  • Providers of digital services from: 
    • Financial sector;
    • Basic services (electricity, water and gas);
    • Health; and 
    • Passenger transport,
  • Internet service providers;
  • Critical service providers; and
  • Educational providers.

The obligations detailed in the DGL only apply to public entities.

4. Authority

The primary authority in charge of responding to any issue regarding cybersecurity is the National Guard (previously Federal Police, now formally though not materially fully integrated into the National Guard) and the Ministry of Public Security. Additional to this, there are other local authorities in some regions, such as the Police for the Prevention of Cybercrimes in Mexico City.

The INAI is responsible for overseeing data security breaches in general.

There are other authorities that could have jurisdiction regarding sector-specific cybersecurity breaches e.g. the Mexican Securities and Exchange Commission or Mexico’s Central Bank in case of cybersecurity breaches in the banking and financial sector. 

The National Computer Security Agency (ALCIRT) is the central authority for identifying, anticipating and taking measures to protect against computer threats and attacks, in accordance with applicable law.

5. Key obligations 

Given there is no legislation specifically regulating cybersecurity, companies operating in sectors that do not have their own cybersecurity requirements are not subject to any particular obligations. Similarly, there is no obligation to report cyber incidents to the authorities. However, gaining access or trying to access a protected system is considered a crime in Mexico and therefore the offended party has the capacity to report the crime to Federal Prosecutors. 

With respect to personal data, under the Data Protection Legislation, every organisation must implement corrective and preventive measures to improve security and avoid the violation personal data rights.

The responsible authority has the following competencies in the field of cyber security:

  • to determine cybersecurity measures;
  • to act as a central point of contact at the national level for the responsible operators in the field of cybersecurity and to coordinate the work to solve cybersecurity issues;
  • to manage incident reports in the cybersecurity sector and ensure their storage and registration;
  • to provide methodological assistance and support to the responsible operators in the field of cybersecurity;
  • to analyse for weaknesses in the field of internet security;
  • to perform awareness and education activities in the field of cybersecurity;
  • to act in the capacity of the national CSIRT.

The Authority coordinates its activities with security and defence institutions and cooperates with sectoral CSIRTs and international authorities in the cybersecurity sector, through joint agreements, in accordance with applicable law.


The obligations related to Digital Security are the following: 

  • Report every data breach to the National Centre for Digital Security;
  • Deploy physical, technical, organisational and legal security measures to guarantee the confidentiality of messages, content and information transmitted through its communications services;
  • Manage digital security risks in the organisation in order to establish controls to protect the confidentiality, integrity and availability of information;
  • Set up mechanisms to verify the identity of persons accessing a digital service in accordance with the risk level involved and current regulations on personal data protection;
  • In the event of a digital security incident that has affected personal data, the public entity must notify the Data Protection Authority (DPA);
  • Keep a secure, scaleable and interoperable infrastructure.  

The public entities must comply with the following obligations: 

  • Report every data breach to the National Centre for Digital Security;
  • Implement an Information Security Management System, which requires that the public entity develop a set of cybersecurity policies, guidelines, procedures and resources to protect its information assets against information security and digital security risks and incidents;
  • Adopt measures for the management of digital security risks and incidents affecting the entity's assets;
  • Spread early warnings, alerts and information about digital security risks and incidents in their entity;
  • Ensure effective, efficient and secure research and cooperation with the National Centre for Digital Security;
  • Provide the necessary resources and measures to ensure the effective management of digital security incidents;
  • Require its software development suppliers to comply with standards, technical rules and security best practices;
  • In the event of a digital security incident that has affected personal data, the public entity must notify the Data Protection Authority (DPA) within 48 hours of becoming aware of the security breach. 

6. Sanctions & non-compliance 

Even though there is no definition of “cybercrime”, the Federal Criminal Code sanctions some behaviours that can be identified as cybercrimes, such as hacking, phishing, infections of IT systems with malware, identity theft or fraud. These illegal behaviours can be punished with prison sentences and a range of fines, depending on the severity of the crime. 

  • Corrective measures;
  • Administrative offences;
  • Administrative sanctions.

The DCL regulation is expected to detail infringements and penalties for non-compliance with Digital Security provisions.

According with the obligations detailed in the DGL, in the event of non-compliance, the person in charge of executing the obligation may receive a (i) verbal or written warning, (ii) suspension without pay for up to 12 months, or (iii) dismissal.

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

The authority responsible for the prevention and response of any cybersecurity issue is the National Response Centre for Cyber Incidents of the Federal Police (now formally incorporated to the National Guard) or CERT-MX. This body is in charge of preventing and mitigating any threat to technological infrastructure and operability in Mexico. Additionally, the INAI is responsible for supervising compliance with legislation regarding personal data protection.


The DCL provides that the National Centre for Digital Security is responsible for identifying, protecting, detecting, responding to, retrieving and collecting information on digital security incidents. 

Likewise, the DCL and the DGL incorporate the National Digital Security Incident Response Team responsible for: (i) managing the response and/or recovery to digital security incidents in the country and (ii) coordinating and articulating actions with other teams of a similar nature at the national and international level to deal with digital security incidents. 

8. National cybersecurity incident management structure

The CERT-MX is responsible for dealing with any cybersecurity incidents, but only after a specific request, complaint or demand is submitted. The INAI can also initiate investigations regarding the protection of personal data.

Computer Security Incident Response Teams (CSIRTs) comprise computer security specialists at each operator that manages critical information infrastructure.

There is not a National cybersecurity incident management structure yet. 

9. Other cybersecurity initiatives 

In the private sector, the Mexican Association for Cybersecurity offers services and products regarding cybersecurity and data protection. It also encourages the protection of information and proper information handling. 

With NATO membership and progress towards EU membership, Albania is increasingly participating in European cybersecurity initiatives and programmes.

Initiatives in the Field of Information Society in SNSHI (Intersectoral Strategy for the Information Society), are as follows:

  • Keeping children safe online and encouraging and coordinating the process for codes of conduct
  • Establishment of the National Agency for Computer Security (ALCIRT)
  • Establishment of PKI (public key government infrastructure) infrastructure and provision of secure services
  • On 1 February 2019, Peru joined the Budapest Agreement known as the Budapest Convention, which is the first international treaty to address computer and internet crime.
  • Through the publication of Supreme Decree No. 050-2018-PCM, which defines the term ‘digital security’ as the state of confidence in the digital environment resulting from the management and implementation of proactive and reactive measures against risks that affect the security of people.
Portrait of Héctor González Martínez
Héctor González Martínez
Senior Associate
Mexico City
Portrait of Evis Zaja
Evis Zaja
Local Partner
Portrait of Merseda Aliaj
Merseda Aliaj
Portrait of Cecilia Kahn
Cecilia Kahn
Ana Lucia Taboada
Maria Alejandra Ortiz