CMS Expert Guide: Data Law Navigator

Data protection

1. Local data protection laws and scope

The main data protection legislation is the Federal Law on the Protection of Personal Data held by Private Parties (the “Data Protection Law”) and its supplementary regulation (the “Data Protection Regulations”), together the “Data Protection Legislation”. The Data Protection Law came into force in July 2010 and the Data Protection Regulation came into force in December 2011. Other relevant legislation containing data protection provisions includes:

  • Articles 6 to 16 of the Mexican Constitution;
  • The Privacy Notice Guidelines, which govern the content of data privacy notices and obtaining consent for processing personal data;
  • The General Law for the Protection of Personal Data in Possession of Obligated Subjects governs personal data held by public bodies; and
  • The Federal Consumer Protection Law governs certain aspects concerning marketing activities.    

Additionally, Mexico is a signatory of international agreements on Data Protection, like the Convention for the Protection of the People Regarding the Automated Treatment of Personal Information. Mexico is also a member of the Inter American Network of Data Protection.

2. Data protection authority

The Federal Institute for Access to Information and Data Protection (Instituto Nacional de Acceso a la Información y Protección de Datos Personales or "INAI") is responsible for overseeing the Data Protection Legislation. Its aim is to encourage access to all public information about governmental activities and budgets, as well as seeking the protection of personal data and the right to privacy.
The INAI, if requested by a data subject, may carry out an investigation to verify a specific undertaking's compliance with the Data Protection Legislation and sanction those found to be in breach of the Data Protection Legislation.

3. Anticipated changes to local laws

There are no anticipated changes. Notwithstanding, the President of Mexico suggested in January that the INAI would be replaced by a State-controlled body. No additional details or timelines have been provided.

There are no anticipated changes to local laws.

4. Sanctions & non-compliance

The INAI has the authority to impose the following administrative fines:

  • 100 to 160,000 units of measure (1 unit of measure = MXN 86.88 (Mexican Pesos)) for:
    • Acting negligently or fraudulently in processing and responding to requests for personal data access, rectification, cancellation or objection;
    • Fraudulently declaring the inexistence of personal data where such exists in whole or in part in the databases of the Data Controller;
    • Processing personal data in violation of the principles established in the Data Protection Law;
    • Omitting from the Privacy Notice any or all of the information it requires;
    • Maintaining inaccurate personal data when such action is attributable to the Data Controller, or failing to perform legally due rectifications or cancellations where the data subject’s rights are affected; and
    • Failure to comply with the notice warnings issued by the INAI.
  • 200 to 320,000 units of measure (1 unit of measure = MXN 86.88 (Mexican Pesos)) for:
    • Breaching the duty of confidentiality set out in the Data Protection Law;
    • Materially changing the original data processing purpose in contravention of the Data Protection Law;
    • Transferring data to third parties without providing them with the Privacy Notice containing the limitations to which the data subject has conditioned data disclosure;
    • Compromising the security of databases, sites, programmes or equipment;
    • Carrying out the transfer or assignment of personal data outside of the cases where it is permitted under the Data Protection Law;
    • Collecting or transferring personal data without the express consent of the data subject where required;
    • Obstructing verification actions of the INAI;
    • Collecting data in a deceptive and fraudulent manner;
    • Continuing with the illegitimate use of personal data when the INAI or the data subjects have requested such use be ended;
    • Processing personal data in a way that affects or impedes the exercise of the rights of access, rectification, cancellation and objection set;
    • Creating special data databases in violation of the Data Protection Law.   

In the event that the infractions mentioned in the preceding paragraphs persist, an additional fine of 100 to 320,000 units of measure (1 unit of measure = MXN 86.88 (Mexican Pesos)) can be imposed.

Sanctions may be doubled for any of the above infractions committed in the treatment of sensitive data.

Administrative sanctions:

The GDPR applies. In case of other violations of the provisions of the PDPA, which are not provided for under the GDPR, the Commission/Inspectorate can impose a sanction up to BGN 5,000 (EUR 2,500). In case of a repeated violation, there will be a double sanction.

According to the PDPA, the Commission can impose fines and administrative measures, but it does not have enforcement powers. Enforcement of the sanctions is done by way of a separate administrative procedure under the Bulgarian Administrative Infringement and Penalties Act.

Criminal sanctions:

A person who creates, obtains for himself/herself or for someone else, imports or otherwise distributes computer programmes, passwords, codes, or other similar data for access to an information system or part thereof in order to commit certain crimes under the Bulgarian Criminal Code (Art. 171 (3), Art. 319a, Art. 319b, Art. 319c or Art. 319d), faces a punishment of imprisonment of up to two years. When personal data, classified information or another secret protected by law is disclosed, and the breach does not constitute a graver offence, the punishment is imprisonment of up to three years.


Third parties that suffer damage as a result of an infringement of the relevant legislation may bring compensation claims.  

5. Registration / notification / authorisation

The Data Protection Legislation does not require prior notification or registration for any data processing activities.

The requirement for registration of data controllers is abolished in compliance with the GDPR and such registration is no longer required. 

The Commission maintains the following registers:

  • public register of the controllers and processors that have appointed DPOs;
  • public register of the accredited certifying bodies;
  • public register of codes of conduct under Art. 40 of the GDPR;
  • internal register for breaches of the GDPR and the Act and the measures implemented under Art.58, §2 of the GDPR;
  • internal register for the notifications of a personal data breach under Art. 33 and Art. 67 of the GDPR.

The Inspectorate also maintains the last two types of registers.

6. Main obligations and processing requirements

The Data Protection Law recognises two parties who deal with personal data:

  1. Data Processors: the subject or legal entity that processes personal data on behalf of the Data Controller.
  2. Data Controller: the subject or legal entity that decides on the processing of personal data.

Their relationship must be established through contractual clauses or other legal instruments in a way that proves the existence, scope and nature of such relationship.

According to the Data Protection Legislation, the principles that must be observed by controllers and/or processors in the processing of personal data are the following:

  1. Legitimacy: Personal data must be collected and processed in a lawful manner;
  2. Consent: The data subject must give its consent for the processing of its personal data;
  3. Information: Through a Privacy Notice, the Data Controller must inform the data subject about the existence and the characteristics of their personal data processing;
  4. Quality: This principle is met when the personal data is provided directly by the data subject; if not, the Data Controller must take measures to meet the quality principle and adopt the mechanisms considered necessary to ensure that the data is accurate, complete, updated and correct;
  5. Purpose: Personal data can only be processed for the purposes established in the Privacy Notice;
  6. Loyalty: Personal data must be processed safeguarding the protection of the data subjects’ interests and the reasonable expectation of privacy;
  7. Responsibility: Data Controllers must ensure the processing of personal data in their custody, as well as the data transferred to a Data Processor.

Additionally, the following legal requirements should be taken into account when processing personal data:

  1. Personal data must be collected and processed in a lawful manner in accordance with the provisions established by the Data Protection Legislation and other applicable regulations;
  2. Personal data must not be obtained through deceptive or fraudulent means;
  3. In all processing of personal data, it is presumed that there is a reasonable expectation of privacy, understood as the trust any one person places in another for personal data provided to be treated pursuant to any agreement of the parties in the terms established by the Law;
  4. Personal data should not be kept for any longer than is necessary in order to comply with the purposes for which the personal data was originally held. Data Controllers must establish and document retention procedures, including deletion and/or blocking of personal data, taking the nature of the data into account.   

There are no derogations from the GDPR.

7. Data subject rights

All data subjects are entitled to exercise rights of access, rectification, cancellation and objection regarding their personal data (collectively known as ARCO rights). These rights are not mutually exclusive.

Right of Access

The data subject is entitled to access its personal data held by the Data Controller, as well as information regarding the conditions and generalities of the processing.

Right of Rectification

Data subjects may request, at any time, that Data Controllers rectify personal data if it is inaccurate or incomplete.

Right of Cancellation

Data subjects have the right to cancel (i.e. seek erasure of) their personal data. There are certain situations where Data Controllers have the right to object to such erasure (e.g. if required by applicable law or public interest).

Right of Objection

Data Subjects may, at any time, oppose the processing of their personal data for legitimate purposes.

There are no derogations from the GDPR.

8. Processing by third parties

According to the Data Protection Law, if a Data Controller intends to transfer personal data to third parties, it must provide them with a Privacy Notice and the purposes to which the data subject has limited data processing. The data subject must consent to such transfer via the Privacy Notice.


Data Processors must obtain permission from Data Controllers if subcontracting may involve the subcontractor processing personal data. Once consent is obtained, the Data Processor must enter into a contract with the subcontractor.

The subcontractor will assume the same obligations required for Data Processors under the Data Protection Legislation and other applicable law.

The Data Processor’s right to subcontract processing activities should be outlined in the contract between the Data Controller and Data Processor. If this right is not covered in that contract, the Data Processor must seek specific consent from the Data Controller in order to subcontract processing activities.

There are no derogations from the GDPR.

9. Transfers out of country

International transfers of personal data must be consented to by the data subject and the purposes of such transfers must be included in the Privacy Notice. Such consent is not required where the transfer is:

  1. pursuant to a Law or Treaty to which Mexico is party;
  2. necessary for medical diagnosis or prevention, healthcare delivery, medical treatment or health services management;
  3. made to holding companies, subsidiaries or affiliates under common control of the Data Controller, or to a parent company or any company of the same group as the Data Controller, operating under the same internal processes and policies;
  4. necessary by virtue of a contract executed or to be executed in the interest of the data subject between the Data Controller and a third party;
  5. necessary or legally required to safeguard public interest or for the administration of justice;
  6. necessary for the recognition, exercise or defence of a right in a judicial proceeding; or
  7. necessary to maintain or fulfil a legal relationship between the Data Controller and the data subject.

There are no derogations from the GDPR.

10. Data Protection Officer

Data Controllers must appoint a Data Protection Officer (or equivalent role) to deal with data subjects’ requests and promote data protection compliance within the Data Controller’s organisation.

There are no derogations from the GDPR.

11. Security

Data Controllers and Data Processors are required to establish and maintain administrative and physical security measures and, if applicable, technical measures for the protection of personal data.

In developing security measures, the data controller should take at least the following into account:

  1. the inherent risk given the type of personal data;
  2. the sensitivity of the personal data;
  3. technological developments;
  4. the potential consequences of a breach for data subjects;
  5. the number of data subjects;
  6. prior vulnerabilities in the processing systems;
  7. value of the data for an unauthorised third party; and
  8. other factors that may impact the level of risk or that result from other applicable laws and regulations.

The Data Protection Regulation also sets out actions that Data Controllers can take in order to comply with the security requirements:

  1. prepare an inventory of personal data;
  2. determine the functions and obligations of the person(s) who will process personal data;
  3. conduct a risk analysis of personal data consisting of identifying dangers and estimating the risks;
  4. establish the necessary security measures;
  5. identify gaps between existing security measures and those required for each type of data and each processing system;
  6. prepare a work plan based on the gap analysis in item 5 above;
  7. carry out revisions and/or audits;
  8. train personnel who process personal data; and
  9. keep a record of the methods of processing personal data.

There are no derogations from the GDPR.

12. Breach notification

There are no requirements for Data Controllers to notify the INAI in the event of a data breach (other than Data Controllers which are government entities). However, Data Controllers must notify data subjects if their personal data is subject to a breach with at least the following information:

  1. nature of the breach;
  2. the personal data compromised;
  3. recommendations of actions that may be taken by the data subject to protect its interests;
  4. immediate measures being taken by the data controller; and
  5. any means by which the individual can find further information regarding the matter.

There are no derogations from the GDPR.

13. Direct marketing

Personal data can be processed for advertising and marketing purposes in accordance with the Data Protection Legislation, provided that these purposes are made clear in the Privacy Notice and in any other medium required for communicating the processing purposes.

While under the GDPR, direct marketing can be provided based on the legitimate interest of the controller, there are provisions under Bulgarian law which require the consent of the data subject.  The development based on the ePrivacy Regulation is yet to be seen. 

Under the Electronic Communications Act, the establishment of calls, messages, or electronic mail for the purposes of direct marketing and advertising shall be allowed only in respect of consumers who have given their prior consent. The consent may be withdrawn at any time.  

The same principle applies under the Electronic Commerce Act in respect of unsolicited commercial communication by providers of information services to consumers.  The Commission for Consumer Protection shall keep an electronic register of the email addresses of the legal persons that do not wish to receive unwanted commercial communication, following a procedure established in a regulation adopted by the Council of Ministers. Sending unwanted commercial communication to consumers without their preliminary consent is not allowed.

However, any person who, in the context of a commercial transaction for the provision of products or services, has obtained data through which electronic contact can be established with the consumer, may use the said data for the dispatch of marketing messages and advertising for its own similar products or services, provided that the said person gives each consumer the opportunity, free of charge and in an easy manner:

  • to object at the time of conclusion of the transaction;
  • to refuse to receive such communications in future in case the consumer has not done so at the time of conclusion of the transaction. 

14. Cookies and adtech

When the Data Controller uses remote or local mechanisms for electronic, optical or other forms of technological communication that collect personal data automatically at the moment the data subject comes into contact with them, the data subject must be informed, at the time of that contact, about the use of these technologies, about the collection of personal data, and about the way in which the cookies can be disabled.

The data subjects must be informed about the use of cookies.  Bulgarian legislation provides for opt-out (pre-consent is not required, the consumer has the opportunity to opt out).

In the future, the rules on cookies may change under the ePrivacy Regulation referred to above.

15. Risk scale




1. Local cybersecurity laws and scope

There is currently no specific federal cybersecurity law in force in Mexico.

Cybersecurity is regulated in the Federal Criminal Code, the Data Protection Legislation and other sector-specific legislation applicable to entities operating within those sectors (e.g. the Fintech Law). Specific cybersecurity measures are normally regulated through tertiary regulatory instruments such as manuals, official operating parameters and guides.

The Cybersecurity Act is the main piece of legislation dealing with cybersecurity and transposing the NIS Directive in Bulgaria. 

Other relevant provisions are distributed in various legal acts, including:

  • The Act on the Management and Functioning of the System for National Security Protection – The National Security Protection Act;
  • The Classified Information Protection Act – The Classified Information Act;
  • The Electronic Government Act – The E-Government Act;
  • The Criminal Code – The Criminal Code;
  • The Ordinance on the minimum requirements for network and information security – The NIS Ordinance;
  • The Regulations on the organization and the activity of the Cybersecurity Council – The Cybersecurity Council Regulations;
  • The Regulations on the activity, structure and organization of the State Agency “Electronic Government” – The E-Government Agency Regulations.

2. Anticipated changes to local laws

A National Cybersecurity Strategy document was published in 2017, but since the change in government in December 2018, there has not been much progress in terms of actual regulation.

In February 2020, a Mexican Senator submitted a bill proposing amendments to the Data Protection Law (the “DP Bill”).

The DP Bill proposed implementing best practices with respect to cybersecurity but made no specific recommendations.

There have been no developments regarding the DP Bill since it was announced in February 2020.

No anticipated changes to local laws in the short term. 

3. Application 

There is no indication of when (or if) the DP Bill will be passed into law or if the National Cybersecurity Strategy will be progressed.

  • The Cybersecurity Act – regulates (i) the organisation, management and control activities regarding cybersecurity, including any cyber defence and cybercrime combatting activities; (ii) the designation of national and specialised responsible authorities in the field of cybersecurity, as well as their powers and functions; (iii) the security and notification requirements for operators of essential services,  digital service providers and competent administrative bodies; and (iv) the appropriate actions to achieve a high common network and information security level;
  • The National Security Protection Act – regulates the government authorities and structures comprising the system of national security protection and their basic functions;
  • The Classified Information Act – regulates the public relations arising in connection with the generation, the processing, and the storing of classified information, and lays down the conditions and procedure for the release thereof and the access thereto. The classified information is any information which is a state secret or an official secret, and any foreign classified information. Access to classified information is allowed only to those having an appropriate clearance in keeping with the "need-to-know" principle. The principle is the restriction of access to particular classified information to such persons whose official duties, or a special assignment, require such access; 
  • The E-Government Act – (i) regulates the public relations between administrative authorities in relation to working with electronic documents and provision of administrative services by electronic means, as well as the interchange of electronic documents among the administrative authorities; (ii) applies also in relation to the activities of the persons performing public functions (such as notaries public) and organisations providing public services (such as schools, utility companies etc.);
  • The Criminal Code – determines which acts dangerous to society constitute crimes and what punishments shall be imposed for them. There are chapters in the Criminal Code specifically dealing with computer crimes (Chapter 9A) and crimes against information classified as state secret and international classified information (Chapter 12);  
  • The NIS Ordinance – regulates (i) the requirements for minimum network and information security measures; (ii) the recommended measures for network and information security; (iii) the rules for carrying out checks regarding compliance with the requirements with the Ordinance and (iv) the order for keeping, storing and accessing the register of essential services in compliance with the Cybersecurity Act;
  • The Cybersecurity Council Regulations – regulates the organisation and the activity of the Cybersecurity Council;
  • The E-Government Agency Regulations – regulates the activity, functions, structure, number of employees and organisation of work of the E-Government Agency and its administrative units.

4. Authority

The primary authority in charge of responding to any issue regarding cybersecurity is the National Guard (previously Federal Police, now formally though not materially fully integrated into the National Guard) and the Ministry of Public Security. In addition, there are other local authorities in some regions, such as the Police for the Prevention of Cybercrimes in Mexico City.

The INAI is responsible for overseeing data security breaches in general.

There are other authorities that could have jurisdiction regarding sector-specific cybersecurity breaches e.g. the Mexican Securities and Exchange Commission or Mexico’s Central Bank in case of cybersecurity breaches in the banking and financial sector. 

5. Key obligations 

Given there is no legislation specifically regulating cybersecurity, companies operating in sectors that do not have their own cybersecurity requirements are not subject to any particular obligations. Similarly, there is no obligation to report cyber incidents to the authorities. However, gaining access or trying to access a protected system is considered a crime in Mexico and therefore the offended party has the capacity to report the crime to Federal Prosecutors. 

With respect to personal data, under the Data Protection Legislation, every organisation must implement corrective and preventive measures to improve security and avoid the violation of personal data rights.

  • Under the Bulgarian Cybersecurity Act, operators of essential services (OESs), Digital Services Providers (DSPs), competent administrative bodies, persons responsible for performing public functions and organisations providing online administrative services are obliged to:
    • ensure that adequate technical and organisational measures are in place to respond to any risks or threats to the security of network and information systems;
    • notify the respective SCSIRT within two hours of becoming aware of a cybersecurity incident. Full information about the incident shall be provided within five working days; and
    • provide any and all information requested by the competent authorities. 

Upon justified assumption that the reported incident can be classified as a computer-related crime, the sector team shall notify the General Directorate for Combatting Organised Crime with the Ministry of Interior.  

  • The Cybersecurity Act provides for an obligation for all organisations affected by security incidents to cooperate, particularly in terms of notifying incidents and providing relevant information to the sector specific teams. 
  • The NIS Ordinance provides an obligation for each employee or the unit for network and information security of the respective administration to notify the respective SCSIRT in case of incident.

6. Sanctions & non-compliance 

Even though there is no definition of “cybercrime”, the Federal Criminal Code sanctions some behaviours that can be identified as cybercrimes, such as hacking, phishing, infections of IT systems with malware, identity theft or fraud. These illegal behaviours can be punished with prison sentences and a range of fines, depending on the severity of the crime. 

Administrative sanctions:
  • The Cybersecurity Act provides for administrative fines in case of violations by any of the responsible bodies, agencies or natural persons/officials relating to incident reporting obligations, failure to provide certain information and evidence or failure to comply with mandatory instructions. For individuals, fines ranging from EUR 500 to EUR 5,000, and for legal entities and administrative bodies, pecuniary sanctions ranging from EUR 750 to EUR 7,500 can be imposed. In the case of repeated violations, the amount increases and shall range from EUR 1,000 to EUR 10,000 for the fines and from EUR 2,500 to EUR 12,500 for the pecuniary sanction;
  • The Cybersecurity Act also provides for a fine if an official commits a violation or allows a violation to be committed. The fine shall vary between EUR 500 and EUR 5,000, unless the act constitutes a crime. In case of repeated violations, the fine shall range between EUR 700 and EUR 7,500.
  • The Classified Information Act provides for fines or pecuniary sanctions in the range of EUR 25 to EUR 10,000, depending on the type of violation and whether the perpetrator is an official, a natural person or a legal entity.
  • The E-Government Act also provides for fines or pecuniary sanctions in the range of EUR 250 to EUR 12,500, depending on the type of violation and whether the perpetrator is an official, natural person or legal entity.
  • See “Data Protection” section above.  
Criminal sanctions:
  • Cybercrimes: Imprisonment of up to eight years for cybercrimes, depending on the type of crime committed; and/or a fine of up to EUR 5,000, depending on the type of crime committed. 
  • Crimes against information classified as a state secret or international classified information: imprisonment of up to 15 years, depending on the type of crime committed.

Third parties that suffer damage as a result of an infringement of the relevant legislation may bring compensation claims.  

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

The authority responsible for the prevention of and response to any cybersecurity issue is the National Response Centre for Cyber Incidents of the Federal Police (now formally incorporated into the National Guard) or CERT-MX. This body is in charge of preventing and mitigating any threat to technological infrastructure and operability in Mexico. Additionally, the INAI is responsible for supervising compliance with legislation regarding personal data protection.

Yes. ( is the National Computer Security Incidents Response Team.  

The Centre helps its users to: 

  1. reduce the risks of information security incidents; 
  2. resolve incidents that have already occurred.

The centre maintains a centralised database of information related to ensuring a secure information environment.

There is also a national Computer Security Incident Response Team (NCSIRT), and sector-level Computer Security Incident Response Teams (SCSIRTs) established by the E-Government Agency. The SCSIRTs are set up within competent local authorities in the various sectors (i.e. energy, transport, banking, financial market infrastructure, health, and digital) in compliance with the instructions of the European Union Cybersecurity Agency (ENISA). They coordinate their activities with the national CERT.

8. National cybersecurity incident management structure

The CERT-MX is responsible for dealing with any cybersecurity incidents, but only after a specific request, complaint or demand is submitted. The INAI can also initiate investigations regarding the protection of personal data.

The Cybersecurity Act establishes this structure. The core structure comprises a National Single Point of Contact, National cybersecurity coordinator, and computer security incident response teams on a national and sector level.

9. Other cybersecurity initiatives 

In the private sector, the Mexican Association for Cybersecurity offers services and products regarding cybersecurity and data protection. It also encourages the protection of information and proper information handling. 

There will soon be a Monitoring and Response Centre for incidents that have significant damaging impact on the communication and information systems at strategic locations and activities of significance for national security within the National Security State Agency. Effective on 1 January 2022, this centre will:

  1. monitor and gather information on events and incidents related to the security of communication and information systems at strategic locations and activities of significance for national security;
  2. submit alerts on cyberthreats and information on cyberincidents at strategic locations and activities of significance for national security;
  3. provide methodological assistance in the cyberincident management process;
  4. provide a comprehensive analysis of incoming information and an assessment of information protection at strategic locations and activities of significance for national security;
  5. perform tasks related to some of the functions of the National Security State Agency.  
Héctor González Martínez
Senior Associate
Mexico City
Gentscho Pavlov
Nevena Radlova