CMS Expert Guide: Data Law Navigator

Data protection

1. Local data protection laws and scope

The main data protection legislation is the Federal Law on the Protection of Personal Data held by Private Parties (the “Data Protection Law”) and its supplementary regulation (the “Data Protection Regulations”), together the “Data Protection Legislation”. The Data Protection Law came into force in July 2010 and the Data Protection Regulations came into force in December 2011. Other relevant legislation containing data protection provisions includes:

  • Articles 6 to 16 of the Mexican Constitution;
  • The Privacy Notice Guidelines, which govern the content of data privacy notices and the obtaining of consent for processing personal data;
  • The General Law for the Protection of Personal Data in Possession of Obligated Subjects, which governs personal data held by public bodies; and
  • The Federal Consumer Protection Law, which governs certain aspects of marketing activities.

Additionally, Mexico is a signatory of international agreements on Data Protection, like the Convention for the Protection of the People Regarding the Automated Treatment of Personal Information. Mexico is also a member of the Inter American Network of Data Protection.

The principal data protection legislation is Law 19.628 “on protection of private life” (also known as the Chilean Data Protection Law or “CDPL”). 

There are also two other legal provisions that regulate some aspects of personal data processing:

  • The Chilean Constitution, in its article 19 No. 4 and No. 5, which enshrines the right to privacy as well as the protection of personal data; and
  • Law 19.496 (Consumer Protection Law), which regulates unsolicited commercial marketing communications to consumers.

The UAE has a multi-layered legal system, with legislation issued at Federal and Emirate level. In addition, the UAE contains numerous special economic zones (Free Zones) that can pass their own legislation. In this paper, the UAE outside the Free Zones is referred to as Onshore. Where a Free Zone has not legislated for data protection, the relevant Onshore law will apply in this regard. All Onshore criminal law continues to apply in the Free Zones (whether such zones have a data protection law or not).

There are no general data protection laws which apply to all processing of personal data Onshore; however, there are several sector- or activity-specific laws with data protection aspects.

The two special financial Free Zones – the Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM) – each have a recently updated data protection law modelled largely on the GDPR. In addition, Dubai Healthcare City (DHC) has a data protection regulation that applies to patient medical information and is founded on similar principles.

Principal laws Onshore

Currently, there is no unified comprehensive data protection legislation applying Onshore in the UAE. However, an individual's right to privacy is protected under several Onshore laws. Namely:

  • the UAE Constitution – this recognises a general concept of privacy for UAE citizens (i.e. Emirati nationals), in line with Shariah principles that recognise a right to privacy. UAE citizens only comprise a very small portion of the UAE population (less than 15% at the time of preparing this response).
  • Federal Law No. 3 of 1987 as amended (the Penal Code) – Article 379 provides that it is a criminal offence for a person to disclose secret information relating to another person for his or her own gain without a lawful basis for doing so. A lawful basis can be understood to refer to a specific legal responsibility (such as responding to an official request) or to the consent of the data subject in question. The concept of “secret” is not defined and there is no system of binding precedent in UAE Onshore courts. This Article is likely intended to protect specific relationships of confidentiality (such as doctor/patient) and is more concerned with respect for an individual’s private life and circumstances than with broader concepts relating to how data is collected and processed. Nevertheless, entities collecting and disclosing personal data Onshore are well-advised to consider obtaining clear consent to mitigate their risks. The Penal Code also criminalises illegal interception of correspondence and, under Article 378, it is an offence to intercept or eavesdrop on a private conversation or to capture or transmit images of a person in a private place, in each case without the consent of the data subject.
  • Federal Decree-Law No. 5 of 2012 on Combatting Cybercrimes (Cybercrime Law) – the law criminalises typical cybercrime acts such as hacking and unauthorised access to computer systems and information, amongst other things. The law also criminalises, under Article 21, the use of IT equipment or systems to invade the privacy of a person by publishing pictures, news or other information or by eavesdropping on or intercepting their communications. If the consent of the individual has been obtained then this should be a defence to any complaint. Under Article 20 of the law it is an offence to use a computer network or IT system to insult a person or accuse them of a matter which would cause them to be held in contempt. In practice, this law has been used to prosecute people for acts such as uploading content to social media without the permission of the subject in question or posting offensive remarks on social media about a person.
  • Federal Law No 2 of 2019 on the use of Information Technology in the Healthcare Sector – this law requires all patient information relating to medical procedures carried out in the UAE to be kept secure and treated in accordance with good data protection principles. The law provides for the establishment of a centralised healthcare data system and for mandatory minimum retention periods of 25 years. Significantly, the law also prohibits the transfer of any such patient data outside the UAE without special permission from the relevant Emirate health regulator. In addition, the Abu Dhabi Department of Health has published detailed data standards under the law which are comprehensive and mandate a number of organisational and technical compliance steps to be undertaken (the law itself is rather high-level). It is likely that other Emirate health authorities will publish similar standards in due course.
  • Federal Law No 15 of 2020 on Consumer Protection (Consumer Protection Law) is new UAE consumer protection legislation that was issued on 10 November 2020. The Consumer Protection Law establishes a right for consumers to have the privacy and security of their data protected and the right not to have it used for promotional and marketing purposes; however, no detail in relation to how this right is exercised or managed in practice has been included. Please note that when a new Federal law is issued in the UAE this generally sets out broad principles of how the law will apply and is subsequently supplemented by implementing regulations either at Emirate level or by the relevant competent authority. The implementing regulations for the Consumer Protection Law are yet to be published, so the specifics of how this law will apply are not yet known. Businesses have a one-year transition period (i.e. until November 2021) to ensure that they are complying with this legislation, which should provide sufficient time for the implementing regulations to be published and businesses to make any necessary changes.
  • Federal Law by Decree 3 of 2003 as amended (Telecoms Law) includes the following implementing regulations/policies (Policies):
    • Privacy of Consumer Information Policy (PCIP)
    • Consumer Complaint and Dispute Resolution Procedures
    • Consumer Complaint and Dispute Resolution Policy
    • Unsolicited Electronic Communications Regulatory Policy (Anti-SPAM Policy)
    • IoT Regulatory Policy (IoT Policy)
    The Telecoms Law, including the PCIP, places an obligation on all telecommunications licensees to take measures to prevent the unauthorised use or disclosure of customer information stored electronically. The Anti-SPAM Policy requires licensees to implement anti-spam measures and to block organisations sending excessive unsolicited messages. The IoT Policy requires operators of IoT systems in the UAE to obtain appropriate licences from the TRA, to keep data processed by the system secure and not to transfer it outside the UAE. IoT Service Providers must adhere to the principles of purpose limitation, data minimisation and storage limitation.
  • Federal Regulatory Framework for Stored Values and Electronic Payment Systems of 2017 – digital payment service providers are required to keep personal data secure.

Principal Free Zone laws

  • DIFC and ADGM – Both the DIFC and ADGM have recently enacted updated data protection laws/regulations to bring their legislation more closely into harmony with the GDPR. The DIFC issued Law No. 5 of 2020, the Data Protection Law (DPL), and accompanying Data Protection Regulations 2020, which were effective from 1 July 2020. The ADGM has issued Data Protection Regulations 2021 (DPR), which have recently come into effect. Both laws closely follow the principles of the GDPR and are based on concepts such as “data controller”, “data processor”, “personal data” etc. which are largely analogous to their GDPR equivalents. The bases on which personal data can be lawfully processed are also very similar to those found in the GDPR and data subjects are afforded very similar rights.
    • Unlike Onshore UAE, the DIFC and the ADGM both have specialist data protection regulators responsible for maintaining registers of controllers, proactively enforcing the law, providing guidance and consultation and liaising with other international data protection authorities.
  • Dubai Healthcare City is a Free Zone focussed on healthcare services, which has its own regulations pertaining to the treatment of patient data by organisations licensed within the zone (DHA Health Data Protection Regulation, 2013) (DHCR). The regulations are based on similar principles and concepts to those found in the GDPR.

2. Data protection authority

The Federal Institute for Access to Information and Data Protection (Instituto Nacional de Acceso a la Información y Protección de Datos Personales or "INAI"), is responsible for overseeing the Data Protection Legislation. Its aim is to encourage access to all public information about governmental activities, and budgets, as well as seeking the protection of personal data and the right to privacy.
The INAI, if requested by a data subject, may carry out an investigation to ensure compliance with the Data Protection Legislation by a specific undertaking and sanction those found to be in breach of the Data Protection Legislation.

Chile does not have a Data Protection Authority.

UAE Onshore – There is no data protection authority or regulator that is responsible for administering data protection law Onshore in the UAE. Responsibility for managing and enforcing sector-specific laws typically rests with the relevant ministry or authority and, where the law is a general criminal law, with the police. Where the police are responsible for enforcement, they will investigate alleged breaches and determine whether the case should be referred to the public prosecutor’s office which, in turn, will determine whether charges should be brought and whether a trial should commence.

DIFC – Commissioner of Data Protection.

ADGM – Data Protection Office.

Dubai Healthcare City – The Dubai Healthcare City Authority is responsible for implementing and enforcing all the Free Zone’s laws and regulations. A Customer Protection Unit has been established by the authority and is responsible for dealing with complaints, and complaints made in relation to the DHCR are within its scope.

3. Anticipated changes to local laws

There are no anticipated changes. Notwithstanding, the President of Mexico suggested in January that the INAI would be replaced by a State-controlled body. No additional details or timelines have been provided.

Congress is discussing a new law that will replace the current one and raise the protection standards.

Anticipated changes:

  • A new legal definition: The objective will be to update and expand it, in accordance with international standards;
  • Legitimate Basis for Processing: A more robust basis for processing has been incorporated;
  • The creation of a Data Protection Authority: A National Directorate for Personal Data Protection with the obligation to register databases;
  • Cross-Border Data Transfer: It will be regulated for the first time. The current law contains no provision governing cross-border data transfers;
  • A new set of infringements;
  • A complaint procedure: This procedure will consist of three steps. First, a direct claim to the data processor. Secondly, an administrative claim before the new National Directorate for Personal Data Protection, and finally, a judicial claim that disputes the decision of the National Directorate for Personal Data Protection.

As mentioned above, the new Consumer Protection Law establishes a right for consumers to have the privacy and security of their data protected and the right not to have it used for promotional and marketing purposes. We are anticipating that implementing regulations providing more detail on how this law will apply will be issued shortly.

We also expect health authorities, such as the Dubai Health Authority, to follow a similar approach to that taken by the Abu Dhabi Department of Health and issue detailed patient data protection standards.

A Federal data protection law has been mooted at various times over the years and is very likely to be enacted at some point; however, it is impossible to say with certainty when or precisely what form such a law may take. Laws are often promulgated in the UAE without prior public discussion or notice.

4. Sanctions & non-compliance

The INAI has the authority to impose the following administrative fines:

  • 100 to 160,000 units of measure (1 unit of measure = MXN 86.88) for:
    • Acting negligently or fraudulently in processing and responding to requests for personal data access, rectification, cancellation or objection;
    • Fraudulently declaring the inexistence of personal data where such exists in whole or in part in the databases of the Data Controller;
    • Processing personal data in violation of the principles established in the Data Protection Law;
    • Omitting from the Privacy Notice any or all of the information it requires;
    • Maintaining inaccurate personal data when such action is attributable to the Data Controller, or failing to perform legally due rectifications or cancellations where the data subject’s rights are affected; and
    • Failure to comply with the notice warnings issued by the INAI.
  • 200 to 320,000 units of measure (1 unit of measure = MXN 86.88) for:
    • Breaching the duty of confidentiality set out in the Data Protection Law;
    • Materially changing the original data processing purpose in contravention of the Data Protection Law;
    • Transferring data to third parties without providing them with the Privacy Notice containing the limitations to which the data subject has conditioned data disclosure;
    • Compromising the security of databases, sites, programmes or equipment;
    • Carrying out the transfer or assignment of personal data outside of the cases where it is permitted under the Data Protection Law;
    • Collecting or transferring personal data without the express consent of the data subject where required;
    • Obstructing verification actions of the INAI;
    • Collecting data in a deceptive and fraudulent manner;
    • Continuing with the illegitimate use of personal data when the INAI or the data subjects have requested such use be ended;
    • Processing personal data in a way that affects or impedes the exercise of the rights of access, rectification, cancellation and objection;
    • Creating special data databases in violation of the Data Protection Law.

In the event that the infractions mentioned in the preceding paragraphs persist, an additional fine of 100 to 320,000 units of measure (1 unit of measure = MXN 86.88) can be imposed.

Sanctions may be doubled for any of the above infractions committed in the treatment of sensitive data.

Since there is no Data Protection Authority, sanctions can only be imposed by a judge (in a civil procedure). To this end, Law 19.628 establishes a special procedure called “habeas data”. However, it is common practice to also use the “Remedy for the Protection of Constitutional Rights”, a constitutional action, to protect the fundamental rights affected by an illegal or arbitrary treatment of personal data.

Administrative sanctions:

Onshore – most of the relevant laws are criminal laws but under Federal Law No 2 of 2019, violation can lead to a fine and/or suspension of access to the central health database. Violation of the TRA IoT Regulatory Policy is treated as a violation of the UAE’s Telecommunications Law and could lead to administrative fines or the suspension of licences to carry on commercial activity.

DIFC – the maximum administrative fine that can be issued by the Commissioner of Data Protection for breach of the DPL or for breach of a direction issued by the Commissioner is USD 100,000. In addition, public reprimands may be issued. The Commissioner of Data Protection has the right to issue higher fines, without a specified limit for breaches of a serious non-administrative nature. Any person who receives an administrative penalty or direction has the right to seek judicial review in the courts of the DIFC.

ADGM – the maximum fine that can be issued by the Commissioner of Data Protection (the head of the Office of Data Protection) for breach of the DPR or for breach of a direction issued by the Commissioner is USD 28m. Any person who receives a fine or direction has the right to seek judicial review in the courts of the ADGM.

Dubai Healthcare City – the DHCR is not specific on the sanctions for breach but provides the authority with the ability to publish a list of penalties. This list does not seem to be readily publicly available and may have been issued privately to licensees as a circular.

Criminal sanctions:

Violation of the Penal Code and the Cybercrime Law can result in imprisonment for significant periods (for example, a prison sentence of at least six months for violating Article 21 of the Cybercrime Law) or significant fines. Whilst it is not clear how such laws would be applied to any particular individuals in relation to infringement at a systemic corporate level, employers are advised to ensure their staff are aware of the dangers of infringing a person’s privacy or harming a person’s reputation by disclosing their personal information or publishing content relating to them on social media.

The Consumer Protection Law provides for criminal sanctions in relation to certain breaches but is silent on the sanction for infringement of the provisions relating to use of customer data. The impending implementing regulations may clarify the position on such sanctions.

Under the DIFC and ADGM data protection laws, individuals have the right to seek damages if they suffer material or non-material harm as a result of an infringement.

Under the Onshore legal regime, an individual may have a tortious right to seek damages for harm suffered, in addition to filing a criminal complaint if applicable. The DHCR does not provide individuals with an express right to seek damages but does provide a right to raise a complaint and an individual may also be able to bring a tortious claim.

5. Registration / notification / authorisation

The Data Protection Legislation does not require prior notification or registration for any data processing activities.

There is no registration or notification obligation since there is no data protection authority in Chile and the law does not establish this requirement.

All businesses in the UAE are required to obtain an appropriate trade licence, either from the government when Onshore or from the relevant free zone authority when in a free zone. There is no specific data processing registration, notification or authorisation requirement Onshore.

In DIFC and ADGM, entities subject to the data protection laws must register certain particulars relating to their processing activities.

6. Main obligations and processing requirements

The Data Protection Law recognises two parties who deal with personal data:

  1. Data Processors: the individual or legal entity that processes personal data on behalf of the Data Controller.
  2. Data Controller: the individual or legal entity that decides on the processing of personal data.

Their relationship must be established through contractual clauses or other legal instruments in a way that proves the existence, scope and nature of such relationship.

According to the Data Protection Legislation, the principles that must be observed by controllers and/or processors in the processing of personal data are the following:

  1. Legitimacy: Personal data must be collected and processed in a lawful manner;
  2. Consent: The data subject must give its consent for the processing of its personal data;
  3. Information: Through a Privacy Notice, the Data Controller must inform the data subject about the existence and the characteristics of their personal data processing;
  4. Quality: This principle is satisfied when the personal data is provided directly by the data subject; if not, the Data Controller must take the measures needed to meet the quality principle and adopt the mechanisms considered necessary to ensure that the data is accurate, complete, updated and correct;
  5. Purpose: Personal data can only be processed for the purposes established in the Privacy Notice;
  6. Loyalty: Personal data must be processed safeguarding the protection of the data subjects’ interests and the reasonable expectation of privacy;
  7. Responsibility: Data Controllers are accountable for the processing of personal data in their custody, as well as for data transferred to a Data Processor.

Additionally, the following legal requirements should be taken into account when processing personal data:

  1. Personal data must be collected and processed in a lawful manner in accordance with the provisions established by the Data Protection Legislation and other applicable regulations;
  2. Personal data must not be obtained through deceptive or fraudulent means;
  3. In all processing of personal data, a reasonable expectation of privacy is presumed, understood as the trust one person places in another that the personal data provided will be processed in accordance with the agreement between the parties and the terms established by the Law;
  4. Personal data should not be kept for any longer than is necessary in order to comply with the purposes for which the personal data was originally held. Data Controllers must establish and document retention procedures, including deletion and/or blocking of personal data, taking the nature of the data into account.

Data processing: 

According to the CDPL the processing of all data shall be carried out:

  • In a manner consistent with the law;
  • For the purposes permitted by the legal system; and
  • With attention to the full exercise of the fundamental rights of the data subject.

Consent of the data subject: Article 4 of the law establishes that the processing of personal data is permitted only when the law authorises it, or the subject expressly consents or authorises it. However, the law does not provide a definition of what the “authorisation” or “consent” of the data subject means or entails.

Quality: Article 6 of the law establishes that personal data will be: destroyed or cancelled when the purpose of its storage has no legal basis or when it has expired; modified when it is inaccurate, inexact, misleading or incomplete; and blocked when it cannot be destroyed or cancelled, and its accuracy cannot be established or whose validity is doubtful.

Confidentiality: Article 7 of the law establishes that people who work in the processing of personal data, in the private and public sector, must maintain confidentiality when the data comes from sources not accessible to the public, as well as with respect to other data or information related to the data bank; this obligation does not cease upon completion of their functions or activities in that field.

Purpose: Personal data will be used only for the purposes for which it was collected, unless it is obtained from sources accessible to the public (Article 9 of the law).

Sensitive personal data: Article 10 of the law prescribes that sensitive personal data, defined as any information regarding characteristics of a physical or moral nature of an individual or facts or circumstances of his private life, such as personal habits, racial or ethnic origin, ideologies and political opinions, religious beliefs or convictions, physical or mental health and sexual life, cannot be processed unless:

  • The law authorises it;
  • The data subject expressly accepts said processing;
  • Such data is necessary to establish or grant health benefits that pertain to the respective data subject.

Data security: Article 11 of the law establishes that those responsible for the registries or personal data must “take care of them with due diligence” and be liable for damages.

Onshore – Entities handling medical patient data, ecommerce businesses, consumer businesses, central-bank licensees and telecoms licensees (including providers of IoT services) are subject to various requirements to keep data secure and confidential, but these are largely high-level requirements without associated demonstrable compliance obligations. The exception is that businesses handling medical data in relation to Abu Dhabi-licensed medical procedures must comply with the detailed patient health data standard issued by the Department of Health, which contains a comprehensive list of compliance obligations, similar in many respects to those found in the GDPR. Strict localisation requirements apply to medical personal data.

In general, due to the risk of criminal complaint for invasion of privacy, businesses operating onshore wishing to adopt a prudent approach are well-advised to implement a process for obtaining documented consent in relation to disclosure of personal information or any intrusive activity.

DIFC and ADGM – The principal data processing obligations are similar to the GDPR: entities must have a lawful basis for processing data; process in accordance with principles such as purpose limitation; provide information to data subjects when data is collected; employ appropriate technical and organisational measures to protect data; maintain a processing record; be able to demonstrate compliance; ensure processors are engaged under appropriate contractual terms; and respect data subject rights.

Dubai Healthcare City – the principles of the DHCR are similar to those found in the European Data Protection Directive, which predated the GDPR. Licensees must provide information to patients on the purposes for which their data are collected, must only use the data for such purposes, must keep it secure and must respect certain rights of the data subject.

7. Data subject rights

All data subjects are entitled to exercise rights of access, rectification, cancellation and objection regarding their personal data (collectively known as ARCO rights). These rights are not mutually exclusive.

Right of Access

The data subject is entitled to access its personal data held by the Data Controller, as well as information regarding the conditions and generalities of the processing.

Right of Rectification

Data subjects may request, at any time, that Data Controllers rectify personal data if it is inaccurate or incomplete.

Right of Cancellation

Data subjects have the right to cancel (i.e. seek erasure of) their personal data. There are certain situations where Data Controllers have the right to object to such erasure (e.g. if retention is required by applicable law or in the public interest).

Right of Objection

Data subjects may, at any time and on legitimate grounds, object to the processing of their personal data.

Access to data

All data subjects have the right to demand from the person responsible for any public or private data bank any information that pertains to them, its source, the purpose of its collection, the legality of the data processing and the names of the individuals or entities to which the data is regularly transmitted.

Correction and deletion

Correction or modification: The right of all data subjects to request the modification of inaccurate, incomplete, misleading or outdated data that concerns them.

Deletion or cancellation: All data subjects have the right to demand the destruction or cancellation of personal data when the purpose of its storage has no legal basis or when it has expired. Data subjects have the right to request the cancellation of data if the data storage is not authorised by law or if the authorisation has expired. The data subject is also entitled to exercise this right even if the data has been voluntarily provided or is being used for commercial communications, and he or she no longer wishes to appear in such records, temporarily or permanently.

Marketing objection

The Consumer Protection Law regulates unsolicited commercial or marketing communications sent by email to consumers. Such communications must include a valid email address to which the recipient may request the suspension of future communications.

Onshore – data subjects are generally not afforded specified exercisable rights over and above the general protections provided for in the laws, other than the right to bring a complaint in relation to a suspected violation of the law. People receiving unwanted spam messages can inform their telecom service provider; telecom licensees have an obligation to put in place measures to prevent unwanted spam and to block senders.

The Consumer Protection Law expresses that consumers have the right to have the privacy and security of their personal data protected and to not have their data used for promotional and marketing purposes, but there is insufficient detail at this stage to determine what this means in practice.

DIFC and ADGM – data subjects have very similar rights to those afforded under the GDPR, such as the right to access their personal data, the right to object to certain processing, the right to portability in certain circumstances, the right not to be subject to automated decision making or profiling in certain circumstances, and the right to erasure in certain circumstances.

Dubai Healthcare City – under the DHCR, a patient has the right to confirmation as to the processing of his/her personal data, a right of access to the data and the right to have erroneous data corrected.

8. Processing by third parties

According to the Data Protection Law, if a Data Controller intends to transfer personal data to third parties, it must provide them with the Privacy Notice and the purposes to which the data subject has limited the data processing. The data subject must consent to such transfer via the Privacy Notice.

Data Processors must obtain permission from Data Controllers if subcontracting may involve the subcontractor processing personal data. Once consent is obtained, the Data Processor must enter into a contract with the subcontractor.

The subcontractor will assume the same obligations required for Data Processors under the Data Protection Legislation and other applicable law.

The Data Processor’s right to subcontract processing activities should be outlined in the contract between the Data Controller and Data Processor. If this right is not covered in that contract, the Data Processor must seek specific consent from the Data Controller in order to subcontract processing activities.

The laws do not regulate processing by third parties. According to Article 8 of the CDPL:

If the processing of personal data is carried out by virtue of a mandate, the general rules will apply. The mandate must also be granted in writing and regulate the conditions of use of the data.

Onshore – there are no specific rules relating to the use of third-party processors, however disclosure of “secret” information to a processor could fall foul of the restriction on disclosure in the Penal Code. Therefore, building a consent mechanism that includes disclosure to processors into data collection processes is advisable.

DIFC and ADGM – any controller which engages a processor must ensure a written contract is in place that reflects various requirements of the data protection laws, similar to the GDPR.

Dubai Healthcare City – the DHCR does not prescribe specific controls or contractual requirements for third-party processors but makes it clear that the controller remains responsible for the data whilst it is processed by third parties. It is therefore incumbent on the controller to ensure appropriate contractual flow-downs.

9. Transfers out of country

International transfers of personal data must be consented to by the data subject and the purposes of such transfers must be included in the Privacy Notice. Such consent is not required where the transfer is:

  1. pursuant to a Law or Treaty to which Mexico is party;
  2. necessary for medical diagnosis or prevention, healthcare delivery, medical treatment or health services management;
  3. made to holding companies, subsidiaries or affiliates under common control of the Data Controller, or to a parent company or any company of the same group as the Data Controller, operating under the same internal processes and policies;
  4. necessary by virtue of a contract executed or to be executed in the interest of the data subject between the Data Controller and a third party;
  5. necessary or legally required to safeguard public interest or for the administration of justice;
  6. necessary for the recognition, exercise or defence of a right in a judicial proceeding; or
  7. necessary to maintain or fulfil a legal relationship between the Data Controller and the data subject.

The law does not establish specific requirements or restrictions on transfers of personal data abroad.

However, the law contains rules for the automated transmission of data. Article 5 of the law prescribes that the person responsible for the database can establish an automated system for the transmission of personal data, provided that it adequately ensures the rights or interests of the parties involved and such transmission is strictly related to the duties and objectives of the participating entities.

In the case of a request for the transmission of personal data through an electronic network, the following shall be recorded:

  • Identification of the requesting party;
  • Reason and purpose of the request;
  • Type of data transmitted.

The law does not restrict transfers of personal data to third countries.

Since there are no data transfer restrictions, foreign companies mostly rely on the standard contractual clauses or binding corporate rules established under EU legislation.

The transfer of personal data does not require registration, notification or prior approval from a data protection authority or entity (since no such body exists).

Onshore – Federal Law No 2 of 2019 prohibits the transfer of patient medical data out of the UAE without permission having been obtained from the relevant health authority.

The TRA IoT Regulatory Policy requires data processed in the context of IoT Services to be classified as Secret, Sensitive, Confidential or Open. All government data other than Open data must remain within the UAE. All Secret, Sensitive and Confidential data for individuals and businesses must be primarily kept within the UAE but may be transferred out of the UAE if the destination territory meets or exceeds the security and consumer protection standards upheld in the UAE (no further detail on which territories are considered adequate is provided). All personal data is considered “Secret” for these purposes.

Entities which are licensed by the UAE Central Bank are required to ensure that a copy of their banking data is retained in the UAE.

Government bodies will generally have a policy to keep data within the UAE, which may be more or less well codified from body to body.

DIFC and ADGM – data flows from the DIFC and ADGM are controlled in a similar way to the GDPR, with certain territories considered to be adequate. Broadly, each of the zones recognises the other, plus the territories of the EEA and those that the EEA deems adequate, including the UK. It is important to note that Onshore UAE is not considered adequate. Transfers to non-adequate territories can be conducted provided additional safeguards or circumstances apply (such safeguards and circumstances being similar to those found in the GDPR).

Dubai Healthcare City – patient data can only be transferred out of DHC to a third party if an adequate level of protection for that patient data is ensured by the laws and regulations that are applicable to the third party and the transfer is either authorised by the patient or necessary for the ongoing provision of healthcare services to the patient. The DHCR provides that jurisdictions deemed adequate under the previous DIFC data protection law of 2007 are deemed adequate for the purposes of the DHCR. We are not aware of the DHCR having been updated in light of the new DPL 2020 in the DIFC but it seems likely that the list of adequate territories would be considered to match those deemed adequate by the DIFC from time to time, without the need for formal amendment.

10. Data Protection Officer

Data Controllers must appoint a Data Protection Officer (or equivalent role) to deal with data subjects’ requests and promote data protection compliance within the Data Controller’s organisation.

There is no legal requirement for the appointment of a Data Protection Officer.

Onshore – entities that handle personal data are advised to ensure there is someone with senior status responsible for overseeing their data handling activities, however there is no formal requirement to nominate or register a data protection officer.

DIFC – the DIFC Data Protection Law 2020 includes the concept of High Risk Processing Activities. Any entity which performs High Risk Processing Activities systematically or regularly must appoint a Data Protection Officer (DPO), as must official DIFC bodies, other than the DIFC courts. The law defines the required competency and status of the DPO. Details of the DPO must be provided to the Commissioner of Data Protection as part of the annual notification process (or sooner if the details are updated). The DPO should be based in the UAE, unless the entity is part of a broader group which has a group DPO capable of fulfilling the role and responsibilities. The DPO does not need to be an employee and can be engaged under a service contract.

ADGM – under the DPR, a DPO must be appointed by any public authority (other than the ADGM courts). Any other controller or processor subject to the law must appoint a DPO if their core activities consist of processing operations which require regular and systematic large scale monitoring of data subjects or consist of processing of special categories of personal data on a large scale. The DPR defines the position and tasks of the DPO. The DPO does not need to be based in the ADGM or the UAE. The identity of the DPO must be notified to the Commissioner of Data Protection. There is an exemption to the requirement to appoint a DPO if the entity in question has fewer than five employees, unless it is carrying out High Risk Processing Activities (as defined in the DPR, which is not directly equivalent to the same defined term in the DPL).

Dubai Healthcare City – the DHCR requires each licensee to have an individual responsible for monitoring and ensuring compliance with the DHCR and dealing with requests made under the DHCR.

11. Security

Data Controllers and Data Processors are required to establish and maintain administrative, physical and, if applicable, technical security measures for the protection of personal data.

In developing security measures, the data controller should take at least the following into account:

  1. the inherent risk given the type of personal data;
  2. the sensitivity of the personal data;
  3. technological developments;
  4. the potential consequences of a breach for data subjects;
  5. the number of data subjects;
  6. prior vulnerabilities in the processing systems;
  7. value of the data for an unauthorised third party; and
  8. other factors that may impact the level of risk or that result from other applicable laws and regulations.

The Data Protection Regulation also sets out actions that Data Controllers can take in order to comply with the security requirements:

  1. prepare an inventory of personal data;
  2. determine the functions and obligations of the person(s) who will process personal data;
  3. conduct a risk analysis of personal data consisting of identifying dangers and estimating the risks;
  4. establish the necessary security measures;
  5. identify gaps between existing security measures and those required for each type of data and each processing system;
  6. prepare a work plan based on the gap analysis in step 5 above;
  7. carry out revisions and/or audits;
  8. train personnel who process personal data; and
  9. keep a record of the methods of processing personal data.

There are no legal requirements to take appropriate technical and security measures to protect personal data, but the data processor will always be liable for the damages caused by the leaking of information.

Onshore – no general security standards are mandated. A number of operational controls and security standards are specified in the Abu Dhabi Department of Health Patient Data Standard and Internet of Medical Things Security Standard. The TRA can mandate encryption standards that providers of Internet of Things services must adhere to.

DIFC and ADGM – there are obligations to keep personal data secure, which mandate a risk-based approach taking into account what is proportional and appropriate, similar to the GDPR.

Dubai Healthcare City – licensees must review and assess the security of their information systems and networks and make appropriate modifications to security policies, practices, measures and procedures on a regular basis and must periodically disclose security incidents to the DHCA’s Consumer Protection Unit. Licensees must incorporate security as an essential element of information systems and networks.

12. Breach notification

There are no requirements for Data Controllers to notify the INAI in the event of a data breach (other than Data Controllers which are government entities). However, Data Controllers must notify data subjects if their personal data is subject to a breach with at least the following information:

  1. nature of the breach;
  2. the personal data compromised;
  3. recommendations of actions that may be taken by the data subject to protect its interests;
  4. immediate measures being taken by the data controller; and
  5. any means by which the individual can find further information regarding the matter.

There is no legal obligation to notify the authority of data breach events.

Onshore – there are no specific breach notification requirements.

DIFC and ADGM – the data protection regulator should be notified of breaches as soon as practicable within the circumstances. Where the breach presents a high risk to the data subjects, the data subjects must also be notified, however there are some exceptions in the DPR that may apply to permit Controllers not to notify data subjects.

Dubai Healthcare City – the Consumer Protection Unit should be notified of security incidents.

13. Direct marketing

Personal data can be processed for advertising and marketing purposes in accordance with the Data Protection Legislation, provided that these purposes are made clear in the Privacy Notice and in any other medium required for communicating the processing purposes.

Direct marketing is regulated by the Consumer Protection Law. This Law regulates unsolicited commercial marketing communications sent by email to consumers, specifying, among other things, that such communications must contain a valid email address to which the recipient may request the suspension of further communications, also known as an opt-out system. From the moment the recipient requests the suspension of sending further emails, any communication or unsolicited email is prohibited by law.

Onshore – the Consumer Protection Law says that suppliers should not use consumer data for direct marketing. We suspect that a blanket ban on direct marketing (which is widely used in the UAE) is not intended and that direct marketing will be possible, provided data subject consent has been obtained. Telecommunications licensees are required to seek to prevent spam phone calls and SMS messages and to block senders of excess spam.

DIFC and ADGM – direct marketing is not specifically regulated as an activity by the DPL or the DPR, although if data is to be used for direct marketing purposes then this must be specified in the processing information provided to data subjects. It is therefore up to the entity conducting the marketing to determine whether they have a lawful basis under the law to conduct the activity (for example, legitimate interests or consent). Data subjects have the right to object to their data being used for direct marketing purposes, and such objection should be respected.

Dubai Healthcare City – the DHCR does not expressly regulate direct marketing but provides that patient data should not be used for purposes contrary to the purpose of its collection, unless the patient has agreed to such use. Consent is therefore recommended if direct marketing to patients is to be carried out.

14. Cookies and adtech

Where the Data Controller uses remote or local mechanisms for electronic, optical or other technological communication that collect personal data automatically at the moment the data subject comes into contact with them, the data subject must be informed, at the time of that contact, that these technologies are in use, that personal data is being collected, and how the cookies can be disabled.

The CDPL does not directly regulate the use of cookies or similar technologies. 

Not specifically regulated Onshore or in the Free Zones (although social media advertising for medical purposes is regulated and all advertisements in any medium are subject to restrictions on content in line with the UAE’s publication laws).

15. Risk scale

1. Local cybersecurity laws and scope

There is currently no specific federal cybersecurity law in force in Mexico.

Cybersecurity is regulated in the Federal Criminal Code, the Data Protection Legislation and other sector-specific legislation applicable to entities operating within those sectors (e.g. the Fintech Law). Specific cybersecurity measures are normally regulated through tertiary regulatory instruments such as manuals, official operating parameters and guides.

Chile does not have a specific law to regulate cybersecurity. However, many laws regulate some aspects of cybersecurity, for example:

  • Ley N°20.285/2008 - Law on access to public information
  • Ley N°17.336/2004 - Intellectual Property Law
  • Ley N°19.927/2004 - Law amending criminal codes regarding child pornography crimes
  • Ley N°19.880/2003 - Law that establishes the bases of the administrative procedures that govern the acts of State administration bodies
  • Ley N°19.799/2002 - Law on electronic documents, electronic signature and certification services of said signature
  • Ley N°19.223/1993 - Law on criminal figures related to computing
  • Ley N°20.478/2010 - Law on recovery and continuity in critical and emergency conditions of the public telecommunications system

Federal Law

  • UAE Law combating Cyber Crimes (Federal Law 5 of 2012) (‘Cybercrime Law’)
  • UAE Cabinet Resolution No. 21 of 2013 regarding Information Security Regulation in Government Entities (‘Information Security Resolution’)
  • UAE Federal Decree No. 11 of 2008 concerning the Human Resources in the Federal Government (‘HR Law’)
  • UAE Penal Code (Federal Law 3 of 1987) (‘Penal Code’)
  • UAE Electronic Transactions & E-Commerce Law (Federal Law 1 of 2006) (‘E-Commerce Law’)
  • UAE Telecommunications Regulatory Authority Privacy of Consumer Information Policy (‘PCIP’)
  • Federal Decree Number 3 of 2012 (‘Decree’)

Emirate-level Law

  • Dubai Law No. 2 of 2002 on Electronic Transactions and Commerce (‘Dubai E-Commerce Law’) 

Abu Dhabi  

  • Abu Dhabi Government Information Security Standards Version 2.0 (‘Abu Dhabi Standards’)  
  • Abu Dhabi Government IT Architecture & Standards Framework (‘Abu Dhabi Framework’) 
  • Abu Dhabi Department of Health Patient Data Standard (‘Patient Data Standard’).

Government standards

There are also various government standards and policies which relate to data classification, data handling and storage, intra-governmental data sharing etc. and which apply only to government entities.

2. Anticipated changes to local laws

A National Cybersecurity Strategy document was published in 2017, but since the change in government in December 2018, there has not been much progress in terms of actual regulation.

In February 2020, a Mexican Senator submitted a bill proposing amendments to the Data Protection Law (the “DP Bill”).

The DP Bill proposed implementing best practices with respect to cybersecurity but made no specific recommendations.

There have been no developments regarding the DP Bill since it was announced in February 2020.

In October 2018, a bill was introduced to the Senate to strengthen the cybercrime law and adapt the current regulation to the standards of the Budapest Convention. One of the amendments proposed in the bill is to include any cybercrime as a ground for the criminal liability of legal entities under Law No. 20,393.

If the amendment is approved, legal entities must therefore prevent cybercrimes from being carried out by their owners, controllers, executives, representatives or managers. Failure to maintain reasonable preventive measures will expose the legal entity to criminal liability and the following sanctions:

  • Fines from UTM 400 (an indexed unit of account) to UTM 300,000;
  • Partial or total loss of benefits or absolute prohibition of receiving them for a specified period;
  • Temporary or permanent prohibition to execute contracts with the State of Chile; and
  • Dissolution of the legal entity.

This bill was approved by the Senate and now has moved to the second constitutional procedure. It is likely to be approved in 2021.

New laws are passed frequently in the UAE without public consultation or warning, so it is difficult to form a view as to the content of new laws that may be in the pipeline.

In November 2020, the UAE Cabinet agreed to establish the UAE Cybersecurity Council with the aim of developing a comprehensive cybersecurity strategy and creating a safe and strong cyber infrastructure in the UAE.

The council will be chaired by the Head of Cyber Security for the UAE Government and will contribute to creating a legal and regulatory framework that covers all types of cybercrimes, securing existing and emerging technologies and establishing a robust ‘National Cyber Incident Response Plan’ to enable swift and coordinated response to cyber incidents in the country.

We would expect, at some point, increasing documentation and definition of cybersecurity standards in sectors such as healthcare, critical infrastructure, banking and potentially cloud computing, although it is impossible to say with confidence when such laws may come into effect.

3. Application 

There is no indication of when (or if) the DP Bill will be passed into law or if the National Cybersecurity Strategy will be progressed.

Information Security Resolution and the HR Law apply to UAE government entities only. 

PCIP applies only to telecommunications licensees in the UAE, of which there are currently only two, both of which are owned by the UAE government. 

Cybercrime Law, E-Commerce Law and Penal Code apply to anyone living or doing business in the UAE. 

Dubai E-Commerce Law applies to anyone living or doing business in Dubai. 

Abu Dhabi Government Standards apply to government entities in Abu Dhabi. 

4. Authority

The primary authority in charge of responding to any issue regarding cybersecurity is the National Guard (previously Federal Police, now formally though not materially fully integrated into the National Guard) and the Ministry of Public Security. Additional to this, there are other local authorities in some regions, such as the Police for the Prevention of Cybercrimes in Mexico City.

The INAI is responsible for overseeing data security breaches in general.

There are other authorities that could have jurisdiction regarding sector-specific cybersecurity breaches e.g. the Mexican Securities and Exchange Commission or Mexico’s Central Bank in case of cybersecurity breaches in the banking and financial sector. 

Ministry of Justice: Criminal sanctions under the Cybercrime Law, Penal Code and E-Commerce Law are applied after the public prosecution process has completed, so are ultimately enforced by the Ministry of Justice.

Federal Governmental Human Resources Authority: The Federal Governmental Human Resources Authority is responsible for enforcement of the HR Law. 

Telecommunications Regulatory Authority (TRA): The TRA is responsible for enforcement of the PCIP.

Ministry of Justice and the Dubai Technology, Electronic Commerce and Media Free Zone Authority: Both the Ministry of Justice and the Dubai Technology, Electronic Commerce and Media Free Zone Authority are responsible for enforcement under the Dubai E-Commerce Law.

Chief Information Security Officers: The Abu Dhabi Security Standards are enforced by the Chief Information Security Officer in each Abu Dhabi government entity.  

5. Key obligations 

Given there is no legislation specifically regulating cybersecurity, companies operating in sectors that do not have their own cybersecurity requirements are not subject to any particular obligations. Similarly, there is no obligation to report cyber incidents to the authorities. However, gaining or attempting to gain access to a protected system is a crime in Mexico, and the injured party may therefore report the crime to the Federal Prosecutors.

With respect to personal data, under the Data Protection Legislation, every organisation must implement corrective and preventive measures to improve security and avoid the violation of personal data rights.

Federal Law 

Cybercrime Law creates the criminal offences of accessing data without permission and transferring or disclosing confidential information without permission through an electronic system or IT tool. Although the Penal Code is not a cybersecurity mandate, it is the foundation for the idea in the UAE that personal information (to the extent it relates to an individual’s private or family life) cannot be disclosed without the consent of the individual concerned.  

Information Security Resolution establishes information security standards for all UAE federal entities and the employees working within them. It includes standards for email usage (including email usage on mobile phones), password creation, internet usage, anti-virus controls, information asset usage, desktop and laptop usage, encoding, back-up and copy control, WiFi security and data storage controls. It also classifies confidential information into different categories according to importance and/or sensitivity.  

HR Law confers an obligation on federal entities to protect electronic confidential information relating to their employees and also imposes an obligation on civil servants to return all electronic files containing Ministry information at the end of their employment.  

The Penal Code criminalises the use of a device to intercept or eavesdrop on a private communication.

E-Commerce Law incentivises the use of security authentication procedures. It states that all records, documents and signatures relating to electronic transactions and commerce that are subject to a secure authentication procedure (to verify the identity of the sender) are deemed to create a secure electronic record of that transaction or communication.  

PCIP places an obligation on all telecommunications licensees to take measures to prevent the unauthorised use or disclosure of customer information stored electronically. The PCIP does not specify the relevant measures that have to be taken. However, best practice would be to take appropriate technical security measures against unauthorised or unlawful processing of, and against accidental disclosure of, personal data. The measures taken must ensure a level of security that is sufficiently adequate to minimise the risk of liability arising out of a claim for breach of privacy made by a data subject.  

Federal Decree Number 3 of 2012 establishes a federal body for cybersecurity called the National Electronic Security Authority. In accordance with Article 5 of the Decree, the Authority is responsible for the design, national coordination and enforcement of the UAE's cybersecurity policies and legislation. The creation of a national electronic security authority demonstrates the growing importance of cybersecurity in the UAE.  

Emirate-level Law  

  • Dubai E-Commerce Law reiterates the federal E-Commerce Law, but at an Emirate government level.  

Abu Dhabi  

  • Abu Dhabi Standards impose security standards on all Abu Dhabi Government personnel and contractors, as well as third parties handling Abu Dhabi Government data. The standards relate to 51 control objectives that serve to identify the unique target states for each of the 14 policies. These objectives constitute the major initiatives of the Information Security Programme, and the standards are aligned with ISO 27002.
  • Abu Dhabi Framework contains security principles for IT architecture established for and by the Abu Dhabi Government, including considering security at all levels of IT architecture and controlling access. 
  • The Patient Data Standard imposes a number of operational security requirements on entities licensed to carry out medical services in Abu Dhabi (which such entities must also ensure their suppliers and other contractors comply with). The standard is issued pursuant to Federal Law No 2 of 2019, which imposes obligations of security on patient data in high-level terms, including an obligation for all patient personal data to be kept within the UAE.

6. Sanctions & non-compliance 

Even though there is no definition of “cybercrime”, the Federal Criminal Code sanctions some behaviours that can be identified as cybercrimes, such as hacking, phishing, infections of IT systems with malware, identity theft or fraud. These illegal behaviours can be punished with prison sentences and a range of fines, depending on the severity of the crime. 

Cybercrime Law and Penal Code

The police in each Emirate have developed specialised cybercrime units to handle complaints that relate to breaches of the Cybercrime Law and related offences. The cybercrime unit in the Emirate where the offender resides or where the disclosure occurred will have jurisdiction over a data subject's complaint.

The cybercrime unit would investigate the case and decide whether to refer it to the Public Prosecutor in the same Emirate. If the case is referred and the Public Prosecutor is satisfied with the findings of the cybercrime unit, charges would be brought against the suspect and heard in the courts.

Punishments under the Cybercrime Law include temporary detention, a minimum prison sentence of six months or one year, and/or a fine of between AED 150,000 and AED 1m (Articles 2, 3, 7, 21 and 22 of the Cybercrime Law). If found guilty of an attempt to commit any of the relevant offences under the Cybercrime Law, the punishment is half the penalty prescribed for the full crime (Article 40).

The Penal Code would also be enforced in the same manner described above and, depending on the nature of the complaint, a specialist police unit may be involved in investigating the alleged offence.

Telecommunications Law

The TRA is responsible for overseeing the enforcement of the PCIP (and all telecommunications regulation in the UAE). Where a licensed telecommunications service provider has breached the Law, the subscriber/data subject generally needs to complain first to the service provider about the breach (Clause 3.1 of the Consumer Complaint and Dispute Procedure), though a direct approach to the TRA may be possible (Clause 4.1 of the Consumer Complaint and Dispute Resolution Policy). The subscriber may complain to the TRA if the breach is not satisfactorily resolved within thirty days of the date of the complaint, or within a longer period if the service provider notifies the subscriber of this extended period (Clause 2.2.1 of the Consumer Complaint and Dispute Procedure).

The subscriber's complaint needs to be submitted to the TRA within three months of the date when the service provider last took action (Clause 3.2 Consumer Complaint and Dispute Procedure). This three-month requirement may be waived subject to the discretion of the TRA (Clause 3.3 Consumer Complaint and Dispute Procedure). 

After examining the complaint, the TRA may direct the service provider "to undertake any remedy deemed appropriate".

Federal Law No 2 of 2019 – Healthcare

Sanctions for failing to handle patient medical data in accordance with the law include a fine of up to AED 1m and the possible blocking of access to the central healthcare information system. Loss of such access could render it virtually impossible for a healthcare provider to carry on their business lawfully, so is a very serious sanction.

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

The authority responsible for the prevention of and response to any cybersecurity issue is the National Response Centre for Cyber Incidents of the Federal Police (now formally incorporated into the National Guard), or CERT-MX. This body is in charge of preventing and mitigating any threat to technological infrastructure and operability in Mexico. Additionally, the INAI is responsible for supervising compliance with legislation regarding personal data protection.

The National Cybersecurity Centre (which is part of GCHQ) does not regulate the NIS Regulations but has a role in providing technical support and guidance through the following:

  • a Single Point of Contact (SPOC) – for engagement with EU partners, coordinating requests and submitting annual incident statistics;
  • a Computer Security Incident Response Team (CSIRT) – to provide advice and support where reported incidents are identified as, or suspected of, having a cybersecurity aspect;
  • being a Technical Authority on Cyber Security – to support OESs and CAs with advice and guidance, and to act as a source of technical expertise. For example, it provides:
    • a set of 14 NIS Security Principles for securing essential services;
    • a collection of supporting guidance for each principle;
    • a Cyber Assessment Framework (CAF) incorporating indicators of good practice; and
    • implementation guidance and support to CAs.

No – but this is a stated aim of the creation of the UAE Cybersecurity Council in November 2020.

8. National cybersecurity incident management structure

The CERT-MX is responsible for dealing with any cybersecurity incidents, but only after a specific request, complaint or demand is submitted. The INAI can also initiate investigations regarding the protection of personal data.

Yes, see above.

No – but this is a stated aim of the creation of the UAE Cybersecurity Council in November 2020.

9. Other cybersecurity initiatives 

In the private sector, the Mexican Association for Cybersecurity offers services and products regarding cybersecurity and data protection. It also encourages the protection of information and proper information handling.

As noted above, the UAE Cybersecurity Council was created in November 2020, so we expect various initiatives to be implemented over the short and medium term.

Héctor González Martínez, Senior Associate, Mexico City
Diego Rodríguez, LL.M.
Ben Gibson, Legal Director
Victoria Noto