CMS Expert Guide: Data Law Navigator

Data protection

1. Local data protection laws and scope

The main data protection legislation is the Federal Law on the Protection of Personal Data held by Private Parties (the “Data Protection Law”) and its supplementary regulation (the “Data Protection Regulations”), together the “Data Protection Legislation”. The Data Protection Law came into force in July 2010 and the Data Protection Regulation came into force in December 2011. Other relevant legislation containing data protection provisions includes:

  • Articles 6 to 16 of the Mexican Constitution;
  • The Privacy Notice Guidelines, which govern the content of data privacy notices and obtaining consent for processing personal data;
  • The General Law for the Protection of Personal Data in Possession of Obligated Subjects governs personal data held by public bodies; and
  • The Federal Consumer Protection Law governs certain aspects concerning marketing activities.    

Additionally, Mexico is a signatory of international agreements on Data Protection, like the Convention for the Protection of the People Regarding the Automated Treatment of Personal Information. Mexico is also a member or the Inter American Network of Data Protection.

  • General Data Protection Regulation n° 2016/679 (GDPR);
  • Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data (Privacy Act) and implementing decrees;
  • Law of 5 September 2018 establishing the Information Security Committee and amending various laws concerning the implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
  • Law of 21 March 2018 on the use of surveillance cameras (the new Camera Act);
  • Law of 3 December 2017 on the creation of a Data Protection Authority (DPA);
  • Law of 13 June 2005 on electronic communications (on cookies);
  • Book VI and Book XII Belgian Economic Code (on direct marketing and cookies);
  • Royal Decree of 3 February 2019 on the implementation of the Law of 25 December 2016 on the processing of passenger data, including the obligations for bus carriers;
  • Royal Decree of 3 February 2019 on the implementation of the law of 25 December 2016 on the processing of passenger data, including the obligations for HST (High Speed Train) carriers and HST ticket machines;
  • Royal Decree of 6 December 2018 determining the places where the controller can direct his surveillance cameras towards the perimeter directly surrounding the site, keep the images of the surveillance cameras for three months and give real-time access to the images to the police services;
  • Royal Decree of 8 May 2018 on declarations of installation and use of surveillance cameras and on the register of activities for the processing of images from surveillance cameras;
  • Royal decree of 4 April 2003 regulating advertising by electronic mail;

To consult these laws, see hyperlinks below.

Law of 3 December 2017:

Law of 5 September 2018:

Privacy Act:

The Privacy Act (Articles 2 and 4) applies when:

  • the processing is carried out wholly or partly by automatic means or otherwise forms part of or is intended to form part of a filing system
  • AND
  • the processing is carried out in the context of the effective and actual activities of a permanent establishment of the controller or processor on Belgian territory or a place where Belgian law applies by virtue of private international law; or
  • the processing of personal data of data subjects on Belgian territory or a place where Belgian law applies by virtue of private international law is carried out by a controller or processor not established in Belgium/a place where Belgian law applies by virtue of private international law where the processing activities are related to:
    • the offering of goods and services to such data subjects; or
    • the monitoring of their behaviour as far as their behaviour takes place in Belgium or a place where Belgian law applies by virtue of private international law.

Book VI and Book XII of the Belgian Economic Code apply to all processing/marketing activities on Belgian territory.

2. Data protection authority

The Federal Institute for Access to Information and Data Protection (Instituto Nacional de Acceso a la Información y Protección de Datos Personales or "INAI"), is responsible for overseeing the Data Protection Legislation. Its aim is to encourage access to all public information about governmental activities, and budgets, as well as seeking the protection of personal data and the right to privacy.
The INAI, if requested by a data subject, may carry out an investigation to ensure compliance with the Data Protection Legislation of a specific undertaking and sanction those found to be in breach the Data Protection Legislation.

Data Protection Authority:

3. Anticipated changes to local laws

There are no anticipated changes. Notwithstanding, the President of Mexico suggested in January that the INAI would be replaced by a State-controlled body. No additional details or timelines have been provided.

There are no anticipated changes to local laws.

4. Sanctions & non-compliance

The INAI has the has the authority to impose the following administrative fines:

  • 100 to 160,000 units of measure 1 1 unit of measure = MXN 86.88 (Mexican Pesos)  for:
    • Acting negligently or fraudulently in processing and responding to requests for personal data access, rectification, cancellation or objection;
    • Fraudulently declaring the inexistence of personal data where such exists in whole or in part in the databases of the Data Controller;
    • Processing personal data in violation of the principles established in the Data Protection Law;
    • Omitting from the Privacy Notice any or all of the information it requires;
    • Maintaining inaccurate personal data when such action is attributable to the Data Controller, or failing to perform legally due rectifications or cancellations where the data subject’s rights are affected; and
    • Failure to comply with the notice warnings issued by the INAI.
  • 200 to 320,000 units of measure 2 1 unit of measure = MXN 86.88 (Mexican Pesos) for:
    • Breaching the duty of confidentiality set out in the Data Protection Law;
    • Materially changing the original data processing purpose in contravention of the Data Protection Law;
    • Transferring data to third parties without providing them with the Privacy Notice containing the limitations to which the data subject has conditioned data disclosure;
    • Compromising the security of databases, sites, programmes or equipment;
    • Carrying out the transfer or assignment of personal data outside of the cases where it is permitted under the Data Protection Law;
    • Collecting or transferring personal data without the express consent of the data subject where required;
    • Obstructing verification actions of the INAI;
    • Collecting data in a deceptive and fraudulent manner;
    • Continuing with the illegitimate use of personal data when the INAI or the data subjects have requested such use be ended;
    • Processing personal data in a way that affects or impedes the exercise of the rights of access, rectification, cancellation and objection set;
    • Creating special data databases in violation of the Data Protection Law.   

In the event that the infractions mentioned in the preceding paragraphs persist, an additional fine of 100 to 320,000 units of measure 3 1 unit of measure = MXN 86.88 (Mexican Pesos)  can be imposed.

Sanctions may be doubled for any of the above infractions committed in the treatment of sensitive data.

Administrative sanctions:

The Belgian Supervisory Authority has investigative and enforcement powers, meaning that it can, among others, conduct investigations and impose administrative fines on companies (as provided for in Article 83 GDPR, and Articles 221-230 Privacy Act).

Criminal sanctions:

The Privacy Act also provides for criminal sanctions (which can only be imposed by court order): with a maximum criminal fine of EUR 30,000 (to be multiplied by the factor applying to criminal fines i.e. eight at the time of the last update of this document); confiscation of any carriers containing personal data to which the breach relates; court order to erase such personal data; court order to publish all or part of the court decision.

Failure to comply with the obligations in the Belgian Economic Code/Royal Decree of 4 April 2003 may result in a criminal fine of up to EUR 200,000.


A data subject may (in addition to making a complaint to the Data Protection Authority) also make a claim to the courts for compensation for material or non-material damage (which may include distress). There is the potential for class actions to be brought.

5. Registration / notification / authorisation

The Data Protection Legislation does not require prior notification or registration for any data processing activities.

Data Protection Officers must be registered with the Data Protection Authority (Article 63, Privacy Act). For more information, see:

As from 25 May 2018, surveillance cameras must be registered with police authorities (instead of the Data Protection Authority). For more information, see:

6. Main obligations and processing requirements

The Data Protection Law recognises two parties who deal with personal data:

  1. Data Processors: the subject or legal entity that processes personal data on behalf of the Data Controller.
  2. Data Controller: the subject or legal entity that decides on the processing of personal data.

Their relationship must be established through contractual clauses or other legal instruments in a way that proves the existence, scope and nature of such relationship.

According to the Data Protection Legislation, the principles that must be observed by controllers and/or processors in the processing of personal data are the following:

  1. Legitimacy: Personal data must be collected and processed in a lawful manner;
  2. Consent: The data subject must give its consent for the processing of its personal data;
  3. Information: Through a Privacy Notice, the Data Controller must inform the data subject about the existence and the characteristics of their personal data processing;
  4. Quality: This principle is given when the personal data is provided directly by the data subject; if not, the Data Controller must take the measurements to meet the quality principle and adopt mechanisms that are considered necessary to ensure that the data is accurate, complete, updated and correct;
  5. Purpose: Personal data can only be processed for the purposes established in the Privacy Note.
  6. Loyalty: Personal data must be processed safeguarding the protection of the data subjects’ interests and the reasonable expectation of privacy;
  7. Responsibility: Data Controllers must ensure the processing of personal data in their custody, as well as the data transferred to a Data Processor.

Additionally, the following legal requirements should be taken into account when processing personal data:

  1. Personal data must be collected and processed in a lawful manner in accordance with the provisions established by the Data Protection Legislation and other applicable regulations;
  2. Personal data must not be obtained through deceptive or fraudulent means;
  3. In all processing of personal data, it is presumed that there is a reasonable expectation of privacy, understood as the trust any one person places in another for personal data provided to be treated pursuant to any agreement of the parties in the terms established by the Law;
  4. Personal data should not be kept for any longer than is necessary in order to comply with the purposes for which the personal data was originally held. Data Controllers must establish and document retention procedures, including deletion and/or blocking of personal data, taking the nature of the data into account.   

In a nutshell, the Privacy Act:

  • sets the age of children to validly consent to information society services at 13 (Article 7, Privacy Act);
  • provides a comprehensive list of the processing activities considered as “processing necessary for reasons of substantial public interest” (Article 8(1), Privacy Act);
  • requires that the controller, when processing genetic data, biometric data and data concerning health, lists the categories of persons having access to those personal data (Article 9, Privacy Act);
  • specifies a limitative list of cases where the processing of data relating to criminal convictions and offences is authorised (Article 10, Privacy Act);
  • enunciates some of the derogations and exemptions to the rights of data subjects as authorised under Article 23, GDPR (Articles 11-17, Privacy Act);
  • provides derogations and exemptions for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (Article 24, Privacy Act);
  • introduces the possibility to seek an injunction (“action en cessation”; “vordering tot staking”) (under summary proceedings) before the president of the Court of First Instance in case of a violation of the GDPR or the Privacy Act (Article 209, Privacy Act);
  • provides administrative fines (except on public sector entities) and criminal sanctions for violations of the GDPR or the Privacy Act (Articles 221-230, Privacy Act)

7. Data subject rights

All data subjects are entitled to exercise rights of access, rectification, cancellation and objection regarding their personal data (collectively known as ARCO rights). These rights are not mutually exclusive.

Right of Access

The data subject is entitled to access its personal data held by the Data Controller, as well as information regarding the conditions and generalities of the processing.

Right of Rectification

Data subjects may request, at any time, that Data Controllers rectify personal data if it is inaccurate or incomplete.

Right of Cancellation

Data subjects have the right to cancel (i.e. seek erasure of) its personal data. There are certain situations where Data Controllers have the right to object to such erasure (e.g. if required by applicable law or public interest).

Right of Objection

Data Subjects may, at any time, oppose the processing of their personal data for legitimate purposes.

The Privacy Act provides for some limitations to these rights, e.g. in the context of processing of personal data by state intelligence services (Articles 11-17, Privacy Act).

8. Processing by third parties

According to the Data Protection Law, if the Data Controllers intend to transfer personal data to third parties, it must provide them with a Privacy Notice and the purposes to which the data subject has limited data processing. The data subject must consent to such transfer via the Privacy Notice.


Data Processors must obtain permission from Data Controllers if subcontracting may involve the subcontractor processing personal data. Once consent is obtained, the Data Processor must enter into a contract with the subcontractor.

The subcontractor will assume the same obligations required for Data Processors under the Data Protection Legislation and other applicable law.

The Data Processor’s right to subcontract processing activities should be outlined in the contract between the Data Controller and Data Processor. If this right is not covered in that contract, the Data Processor must seek specific consent from the Data Controller in order to subcontract processing activities.

There are no derogations from the GDPR.

9. Transfers out of country

International transfers of personal data must be consented to by the data subject and the purposes of such transfers must be included in the Privacy Notice. Such consent is not required where the transfer is:

  1. pursuant to a Law or Treaty to which Mexico is party;
  2. necessary for medical diagnosis or prevention, healthcare delivery, medical treatment or health services management;
  3. made to holding companies, subsidiaries or affiliates under common control of the Data Controller, or to a parent company or any company of the same group as the Data Controller, operating under the same internal processes and policies;
  4. necessary by virtue of a contract executed or to be executed in the interest of the data subject between the Data Controller and a third party;
  5. necessary or legally required to safeguard public interest or for the administration of justice;
  6. necessary for the recognition, exercise or defence of a right in a judicial proceeding; or
  7. necessary to maintain or fulfil a legal relationship between the Data Controller and the data subject.

There are no derogations from the GDPR.

10. Data Protection Officer

Data Controllers must appoint a Data Protection Officer (or equivalent role) to deal with data subjects’ requests and promote data protection compliance within the Data Controller’s organisation.

There are no derogations from the GDPR.

11. Security

Data Controllers and Data Processors are required to establish and maintain administrative and physical, security and, if applicable, technical measures for the protection of personal data.

In developing security measures, the data controller should take at least the following into account:

  1. the inherent risk given the type of personal data;
  2. the sensitivity of the personal data;
  3. technological developments;
  4. the potential consequences of a breach for data subjects;
  5. the number of data subjects;
  6. prior vulnerabilities in the processing systems;
  7. value of the data for an unauthorised third party; and
  8. other factors that may impact the level of risk or that result from other applicable laws and regulations.

The Data Protection Regulation also sets out actions that Data Controllers can take in order to comply with the security requirements:

  1. prepare an inventory of personal data;
  2. determine the functions and obligations of the person(s) who will process personal data;
  3. conduct a risk analysis of personal data consisting of identifying dangers and estimating the risks;
  4. establish the necessary security measures;
  5. identify gaps between existing security measures and those required for each type of data and each processing system;
  6. prepare a work plan based on the gap analysis in (v) above;
  7. carry out revisions and/or audits;
  8. train personnel who process personal data; and
  9. keep a record of the methods of processing personal data.

There are no derogations from the GDPR.

12. Breach notification

There are no requirements for Data Controllers to notify the INAI in the event of a data breach (other than Data Controllers which are government entities). However, Data Controllers must notify data subjects if their personal data is subject to a breach with at least the following information:

  1. nature of the breach;
  2. the personal data compromised;
  3. recommendations of actions that may be taken by the data subject to protect its interests;
  4. immediate measures being taken by the data controller; and
  5. any means by which the individual can find further information regarding the matter.

There are no derogations from the GDPR.

13. Direct marketing

Personal data can be processed for advertising and marketing purposes in accordance with the Data Protection Legislation, provided that these purposes are made clear in the Privacy Notice and in any other medium required for communicating the processing purposes.

If by email: need to obtain consent, unless you can rely on (i) the soft opt-in exemption (customers, own similar products or services, and opt-out at the time of collection and afterwards, in every marketing communication) or (ii) the B2B exemption (if the phone number/email address is of an impersonal nature).

If by regular mail: opt-out regime.

If by (manual) call: opt-out regime (you can freely call consumers unless they have subscribed to a do-not-call-me list or otherwise indicated that they do not want you to contact them for marketing purposes).

In February 2020, the DPA published new detailed guidelines on direct marketing (see our Law Now for more information).

14. Cookies and adtech

When the Data Controller uses remote or local mechanisms for electronic, optical or other forms of technological communication which allow collection of personal data automatically and simultaneously to the time the data subject has contact with such communications mechanisms, the data subject must be informed about the use of these technologies, at the time the data subject makes contact with the technology and must be informed of the obtention of personal data as well as the way in which the cookies can be disabled.

Need to obtain prior informed, freely given, specific and unambiguous consent, unless cookies are used for the sole purpose of carrying out a transmission of a communication over an electronic communications network or if strictly necessary to provide a service explicitly requested by the user. Data subjects should be allowed to withdraw consent at any time, free of charge, and without prejudice.

In December 2019, the DPA imposed a EUR 15,000 fine on a website for unlawful use of cookies (decision available in Dutch and in French).

In April 2020, the DPA published new guidelines on the implementation of cookies (see link below).  

15. Risk scale



Template record of processing activities:

Law of 3 December 2017: 

Law of 5 September 2018:

Privacy Act:

Guidance on the need to conduct a Data Protection Impact Assessment (DPIA) and non-exhaustive list of processing operations requiring a DPIA to be carried out:

List of processing operations requiring a DPIA:

Guidelines on the implementation of cookies:

To notify a data breach to the Data Protection Authority, you must fill in the e-form available here:


1. Local cybersecurity laws and scope

There is currently no specific federal cybersecurity law in force in Mexico.

Cybersecurity is regulated in the Federal Criminal Code, the Data Protection Legislation and other sector-specific legislation applicable to entities operating within those sectors (e.g. the Fintech Law). Specific cybersecurity measures are normally regulated through tertiary regulatory instruments such as manuals, official operating parameters and guides.

Law of 1 July 2011 on the security and protection of critical infrastructure (Critical Infrastructures Act)

  • Law of 11 December 1998 on classification, security clearances, security certificates and security advice (Classification Act)
  • Law of 7 April 2019 establishing a framework for the security of networks and information systems in the general interest of public security (Belgian NIS Act)
  • Royal Decree of 12 July 2019 implementing the Act of 7 April 2019 establishing a framework for the security of network and information systems of general interest for public safety, and the Act of 1 July 2011 on the security and protection of critical infrastructure (NIS Royal Decree)

2. Anticipated changes to local laws

A National Cybersecurity Strategy document was published in 2017, but since the change in government in December 2018, there has not been much progress in terms of actual regulation.

In February 2020, a Mexican Senator submitted a bill proposing amendments to the Data Protection Law (the “DP Bill”).

The DP Bill proposed implementing best practices with respect to cybersecurity but made no specific recommendations.

There have been no developments regarding the DP Bill since it was announced in February 2020.

There are no anticipated changes to local laws.

3. Application 

There is no indication of when (or if) the DP Bill will be passed into law or if the National Cybersecurity Strategy will be progressed.

Critical Infrastructures Act: sets out security obligations for European and national critical infrastructure in the energy, transport, financial and electronic communications sector

Classification Act: covers the main processes to evaluate which information should be classified, and determining which individuals may be granted a security access level.

Belgian NIS Act: covers a number of obligations imposed on operators of essential services and digital service providers to take technical and organisational security measures to prevent incidents or limit their impact on and ensure the continuity of (essential) services. It also includes the notification of incidents, supervision and sanctions.

NIS Royal Decree: implements the Belgian NIS Act on topics such as the NIS notification Platform, the notification, processing of the incident, voluntary notifications and institutions for the conformity assessment.

4. Authority

The primary authority in charge of responding to any issue regarding cybersecurity is the National Guard (previously Federal Police, now formally though not materially fully integrated into the National Guard) and the Ministry of Public Security. Additional to this, there are other local authorities in some regions, such as the Police for the Prevention of Cybercrimes in Mexico City.

The INAI is responsible for overseeing data security breaches in general.

There are other authorities that could have jurisdiction regarding sector-specific cybersecurity breaches e.g. the Mexican Securities and Exchange Commission or Mexico’s Central Bank in case of cybersecurity breaches in the banking and financial sector. 

  • Centre for Cybersecurity Belgium (CCB);
  • The National Crisis Centre (NCCN);
  • The sectoral government and/or its sectoral CSIRT

5. Key obligations 

Given there is no legislation specifically regulating cybersecurity, companies operating in sectors that do not have their own cybersecurity requirements are not subject to any particular obligations. Similarly, there is no obligation to report cyber incidents to the authorities. However, gaining access or trying to access a protected system is considered a crime in Mexico and therefore the offended party has the capacity to report the crime to Federal Prosecutors. 

With respect to personal data, under the Data Protection Legislation, every organisation must implement corrective and preventive measures to improve security and avoid the violation personal data rights.

  • Critical Infrastructures Act
    • Appoint a security officer and establish a security plan
    • Mandatory reporting obligation of all incidents threatening the security of critical infrastructure
  • Classification Act
    • Requires data that may cause a threat to national security or the national interest of Belgium to be classified
    • Maps security practices to assigned classification levels
  • Belgian NIS Act
    • Need to appoint a DPO, a single contact point and establish an Information Security Policy (ISP)
    • Implement the appropriate and proportionate technical and organisational security measures described in the ISP

Mandatory reporting obligation of all incidents threatening significantly affecting the availability, confidentiality, integrity or authenticity of the network and information systems on which the essential service(s) it provides depend.

6. Sanctions & non-compliance 

Even though there is no definition of “cybercrime”, the Federal Criminal Code sanctions some behaviours that can be identified as cybercrimes, such as hacking, phishing, infections of IT systems with malware, identity theft or fraud. These illegal behaviours can be punished with prison sentences and a range of fines, depending on the severity of the crime. 

Please provide your answers under the following headings:

Administrative sanctions:
  • Belgian NIS Act
    • Administrative fine up to EUR 200,000
Criminal sanctions:
  • Belgian NIS Act
    • Imprisonment of up to three years
    • Criminal fine of up to EUR 75,000
  • Critical Infrastructures Act
    • Imprisonment of up to one year
    • Criminal fine of up to EUR 80,000
  • Classification Act
    • Imprisonment of up to five years
    • Criminal fine of up to EUR 40,000
  • Belgian NIS Act
  • Two types of audits and checks by the inspectorate

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

The authority responsible for the prevention and response of any cybersecurity issue is the National Response Centre for Cyber Incidents of the Federal Police (now formally incorporated to the National Guard) or CERT-MX. This body is in charge of preventing and mitigating any threat to technological infrastructure and operability in Mexico. Additionally, the INAI is responsible for supervising compliance with legislation regarding personal data protection.

  • is the federal cyber emergency team that assists companies with: (i) coordination in the event of cyber incidents; (ii) advice on finding a solution when cyber incidents arise; and (iii) support to prevent these security incidents occurring.
  • is part of the CCB
  • The Centre for Cybersecurity Belgium (CCB) is the national CSIRT.
  • Sectoral CSIRTs are possible to support the national CSIRT.

8. National cybersecurity incident management structure

The CERT-MX is responsible for dealing with any cybersecurity incidents, but only after a specific request, complaint or demand is submitted. The INAI can also initiate investigations regarding the protection of personal data.

The notification must be made via the NIS notification platform:

The CCB is responsible for replying to cybersecurity incidents targeting strategically important institutions.

9. Other cybersecurity initiatives 

In the private sector, the Mexican Association for Cybersecurity offers services and products regarding cybersecurity and data protection. It also encourages the protection of information and proper information handling. 


Portrait of Héctor González Martínez
Héctor González Martínez
Senior Associate
Mexico City
Portrait of Tom De Cordier
Tom De Cordier
Portrait of Thomas Dubuisson
Thomas Dubuisson
Senior Associate
Portrait of Janick Van Daele
Janick Van Daele
Portrait of Deven Dobbelaere
Deven Dobbelaere