CMS Expert Guide: Data Law Navigator

Data protection

1. Local data protection laws and scope

The main data protection legislation is the Federal Law on the Protection of Personal Data held by Private Parties (the “Data Protection Law”) and its supplementary regulation (the “Data Protection Regulations”), together the “Data Protection Legislation”. The Data Protection Law came into force in July 2010 and the Data Protection Regulation came into force in December 2011. Other relevant legislation containing data protection provisions includes:

  • Articles 6 to 16 of the Mexican Constitution;
  • The Privacy Notice Guidelines, which govern the content of data privacy notices and obtaining consent for processing personal data;
  • The General Law for the Protection of Personal Data in Possession of Obligated Subjects governs personal data held by public bodies; and
  • The Federal Consumer Protection Law governs certain aspects concerning marketing activities.

Additionally, Mexico is a signatory to international agreements on data protection, such as the Convention for the Protection of the People Regarding the Automated Treatment of Personal Information. Mexico is also a member of the Inter-American Network of Data Protection.

Data processing operations are governed by the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) of 30 June 2017, as last amended by Article 12 of the Second Act to Adapt the Data Protection Law to Regulation (EU) 2016/679 and to Implement Directive (EU) 2016/680 of 20 November 2019 (Zweites Gesetz zur Anpassung des Datenschutzrechts an die Verordnung (EU) 2016/679 und zur Umsetzung der Richtlinie (EU) 2016/680 (Zweites Datenschutz-Anpassungs- und Umsetzungsgesetz EU – 2. DSAnpUG-EU)). Unless sector-specific data protection laws take precedence over the BDSG, the BDSG applies to:

  • data processing by federal public authorities or public authorities of the German federal states, if the data protection laws of the German federal states do not apply; and
  • data processing by private bodies.

Each German federal state has its own data protection law for the processing of personal data by the authorities of the German federal states (Landesdatenschutzgesetz – LDSG).

Many data protection provisions are included in sector-specific legislation, including social security laws (Sozialgesetzbuch I-X – SGB I-X). The Telemedia Act of 26 February 2007 (Telemediengesetz - TMG) and the Telecommunications Act of 22 June 2004 (Telekommunikationsgesetz – TKG) will be combined in a future Telecommunications Telemedia Data Protection Act (Telekommunikations-Telemedien-Datenschutzgesetz – TTDSG), which is currently in preparation.

2. Data protection authority

The Federal Institute for Access to Information and Data Protection (Instituto Nacional de Acceso a la Información y Protección de Datos Personales or "INAI") is responsible for overseeing the Data Protection Legislation. Its aim is to encourage access to all public information about governmental activities and budgets, as well as to protect personal data and the right to privacy.

The INAI, if requested by a data subject, may carry out an investigation to ensure that a specific undertaking complies with the Data Protection Legislation, and may sanction those found to be in breach of the Data Protection Legislation.

Each German federal state has a data protection authority that is responsible for the enforcement of data protection laws and regulates data controllers established in the respective state. In addition, there is also a Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragter für Datenschutz und Informationsfreiheit – BfDI), which is responsible for the enforcement of the BDSG.

3. Anticipated changes to local laws

There are no anticipated changes. Notwithstanding, the President of Mexico suggested in January that the INAI would be replaced by a State-controlled body. No additional details or timelines have been provided.

  • Consolidation of the data protection provisions in the Telemedia Act (Telemediengesetz – TMG) and the Telecommunications Act (Telekommunikationsgesetz – TKG) into a new Telecommunications Telemedia Data Protection Act (Telekommunikations-Telemedien-Datenschutzgesetz – TTDSG);
  • Intended application of telecommunications secrecy also for so-called "over-the-top" telecommunications services.

4. Sanctions & non-compliance

The INAI has the authority to impose the following administrative fines:

  • 100 to 160,000 units of measure (1 unit of measure = MXN 86.88, Mexican Pesos) for:
    • Acting negligently or fraudulently in processing and responding to requests for personal data access, rectification, cancellation or objection;
    • Fraudulently declaring the inexistence of personal data where such exists in whole or in part in the databases of the Data Controller;
    • Processing personal data in violation of the principles established in the Data Protection Law;
    • Omitting from the Privacy Notice any or all of the information it requires;
    • Maintaining inaccurate personal data when such action is attributable to the Data Controller, or failing to perform legally due rectifications or cancellations where the data subject’s rights are affected; and
    • Failure to comply with the notice warnings issued by the INAI.
  • 200 to 320,000 units of measure (1 unit of measure = MXN 86.88, Mexican Pesos) for:
    • Breaching the duty of confidentiality set out in the Data Protection Law;
    • Materially changing the original data processing purpose in contravention of the Data Protection Law;
    • Transferring data to third parties without providing them with the Privacy Notice containing the limitations to which the data subject has conditioned data disclosure;
    • Compromising the security of databases, sites, programmes or equipment;
    • Carrying out the transfer or assignment of personal data outside of the cases where it is permitted under the Data Protection Law;
    • Collecting or transferring personal data without the express consent of the data subject where required;
    • Obstructing verification actions of the INAI;
    • Collecting data in a deceptive and fraudulent manner;
    • Continuing with the illegitimate use of personal data when the INAI or the data subjects have requested such use be ended;
    • Processing personal data in a way that affects or impedes the exercise of the rights of access, rectification, cancellation and objection;
    • Creating special data databases in violation of the Data Protection Law.

In the event that the infractions mentioned in the preceding paragraphs persist, an additional fine of 100 to 320,000 units of measure (1 unit of measure = MXN 86.88, Mexican Pesos) can be imposed.

Sanctions may be doubled for any of the above infractions committed in the treatment of sensitive data.

Administrative sanctions:

In addition to the administrative fines under the GDPR, the BDSG provides for fines (up to EUR 50,000) for violations of § 30 BDSG – e.g. for anyone who fails to handle an information request appropriately in the context of consumer loans (§ 43 BDSG). The BDSG determines that the provisions of the Act on Regulatory Offences (Gesetz über Ordnungswidrigkeiten – OWiG) apply accordingly to the local enforcement of violations of the GDPR.

Criminal sanctions:

The BDSG stipulates criminal sanctions for particular violations of the GDPR (§ 42 BDSG), in the event that:

  • personal data of a large number of people which are not publicly accessible are deliberately
    • transferred to a third party, or
    • otherwise made accessible
    • for commercial purposes without authorisation (imprisonment up to three years); or
  • personal data which are not publicly accessible are
    • processed without authorisation, or
    • acquired fraudulently

in return for payment or with the intention of enriching oneself or someone else or harming someone (imprisonment up to two years).

Others:

No specific regulations.

5. Registration / notification / authorisation

The Data Protection Legislation does not require prior notification or registration for any data processing activities.

There is no obligation to register or notify an authority under German data protection law.

6. Main obligations and processing requirements

The Data Protection Law recognises two parties who deal with personal data:

  1. Data Processors: the subject or legal entity that processes personal data on behalf of the Data Controller.
  2. Data Controller: the subject or legal entity that decides on the processing of personal data.

Their relationship must be established through contractual clauses or other legal instruments in a way that proves the existence, scope and nature of such relationship.

According to the Data Protection Legislation, the principles that must be observed by controllers and/or processors in the processing of personal data are the following:

  1. Legitimacy: Personal data must be collected and processed in a lawful manner;
  2. Consent: The data subject must give its consent for the processing of its personal data;
  3. Information: Through a Privacy Notice, the Data Controller must inform the data subject about the existence and the characteristics of their personal data processing;
  4. Quality: This principle is satisfied when the personal data is provided directly by the data subject; if not, the Data Controller must take the measures needed to meet the quality principle and adopt the mechanisms considered necessary to ensure that the data is accurate, complete, up to date and correct;
  5. Purpose: Personal data can only be processed for the purposes established in the Privacy Notice;
  6. Loyalty: Personal data must be processed safeguarding the protection of the data subjects’ interests and the reasonable expectation of privacy;
  7. Responsibility: Data Controllers are responsible for the processing of personal data in their custody, as well as for data transferred to a Data Processor.

Additionally, the following legal requirements should be taken into account when processing personal data:

  1. Personal data must be collected and processed in a lawful manner in accordance with the provisions established by the Data Protection Legislation and other applicable regulations;
  2. Personal data must not be obtained through deceptive or fraudulent means;
  3. In all processing of personal data, it is presumed that there is a reasonable expectation of privacy, understood as the trust any one person places in another for personal data provided to be treated pursuant to any agreement of the parties in the terms established by the Law;
  4. Personal data should not be kept for any longer than is necessary in order to comply with the purposes for which the personal data was originally held. Data Controllers must establish and document retention procedures, including deletion and/or blocking of personal data, taking the nature of the data into account.

There are some derogations from the GDPR under national law for:

  • Public video surveillance (§ 4 BDSG);
  • Processing of special categories of data (Article 9 (4) GDPR; § 22 BDSG);
  • Processing for other purposes (Article 6 (4) GDPR, § 24 BDSG);
  • Processing for employment-related purposes (Article 88 GDPR; § 26 BDSG);
  • Processing for purposes of scientific or historical research and for statistical purposes; processing for archiving purposes in the public interest (Article 89 GDPR; §§ 27 et seqq. BDSG);
  • Obligations of secrecy (Article 90 GDPR; § 29 BDSG);
  • Credit information and scoring (§§ 30 et seq. BDSG);
  • Profiling (Article 22 (2) GDPR, § 37 BDSG);
  • Designation of data protection officers (Article 37 (4) GDPR, § 38 BDSG).

7. Data subject rights

All data subjects are entitled to exercise rights of access, rectification, cancellation and objection regarding their personal data (collectively known as ARCO rights). These rights are not mutually exclusive.

Right of Access

The data subject is entitled to access its personal data held by the Data Controller, as well as information regarding the conditions and generalities of the processing.

Right of Rectification

Data subjects may request, at any time, that Data Controllers rectify personal data if it is inaccurate or incomplete.

Right of Cancellation

Data subjects have the right to cancel (i.e. seek erasure of) their personal data. There are certain situations where Data Controllers have the right to object to such erasure (e.g. if retention is required by applicable law or in the public interest).

Right of Objection

Data Subjects may, at any time, oppose the processing of their personal data for legitimate purposes.

There are some derogations from Art. 12 et seq. GDPR:

  • Rights of data subjects in case of secrecy obligations (§ 29 BDSG): in certain cases, the BDSG exempts the data controller from its obligation to inform as far as information would be disclosed which by its nature must be kept secret; in particular because of overriding legitimate interests of a third party;
  • Obligation to notify the individual (§ 32 BDSG): in certain cases, the BDSG exempts the data controller from its obligation to inform the individual of their rights, e.g. if the information would interfere with the establishment, exercise or defence of legal claims (provided that there are no overriding interests of the individual in the provision of the information);
  • The right to access data (§ 34 BDSG): the BDSG contains certain exemptions from the right to access, e.g. if such data were recorded only because they may not be erased due to legal or statutory provisions on retention;
  • The right to erasure (§ 35 BDSG): the BDSG exempts the controller from its obligation to erasure under certain conditions, e.g. if the erasure would involve a disproportionate effort due to the specific mode of storage.

8. Processing by third parties

According to the Data Protection Law, if a Data Controller intends to transfer personal data to third parties, it must provide them with the Privacy Notice and the purposes to which the data subject has limited the data processing. The data subject must consent to such transfer via the Privacy Notice.

Subcontracting

Data Processors must obtain permission from Data Controllers if subcontracting may involve the subcontractor processing personal data. Once consent is obtained, the Data Processor must enter into a contract with the subcontractor.

The subcontractor will assume the same obligations required for Data Processors under the Data Protection Legislation and other applicable law.

The Data Processor’s right to subcontract processing activities should be outlined in the contract between the Data Controller and Data Processor. If this right is not covered in that contract, the Data Processor must seek specific consent from the Data Controller in order to subcontract processing activities.

There are no derogations from the GDPR.

9. Transfers out of country

International transfers of personal data must be consented to by the data subject and the purposes of such transfers must be included in the Privacy Notice. Such consent is not required where the transfer is:

  1. pursuant to a Law or Treaty to which Mexico is party;
  2. necessary for medical diagnosis or prevention, healthcare delivery, medical treatment or health services management;
  3. made to holding companies, subsidiaries or affiliates under common control of the Data Controller, or to a parent company or any company of the same group as the Data Controller, operating under the same internal processes and policies;
  4. necessary by virtue of a contract executed or to be executed in the interest of the data subject between the Data Controller and a third party;
  5. necessary or legally required to safeguard public interest or for the administration of justice;
  6. necessary for the recognition, exercise or defence of a right in a judicial proceeding; or
  7. necessary to maintain or fulfil a legal relationship between the Data Controller and the data subject.

Art. 44 et seq. GDPR apply. There are no derogations from the GDPR.

10. Data Protection Officer

Data Controllers must appoint a Data Protection Officer (or equivalent role) to deal with data subjects’ requests and promote data protection compliance within the Data Controller’s organisation.

In addition to Article 37 GDPR, a data protection officer must be designated if:

  • as a rule, at least twenty persons constantly deal with the automated processing of personal data; or
  • the business is subject to a data protection impact assessment (Article 35 GDPR) or commercially processes personal data for the purpose of transfer or anonymised transfer, or for purposes of market or opinion research – in this case the controller has to designate a data protection officer regardless of the number of employees involved in the processing.

11. Security

Data Controllers and Data Processors are required to establish and maintain administrative, physical and, if applicable, technical security measures for the protection of personal data.

In developing security measures, the data controller should take at least the following into account:

  1. the inherent risk given the type of personal data;
  2. the sensitivity of the personal data;
  3. technological developments;
  4. the potential consequences of a breach for data subjects;
  5. the number of data subjects;
  6. prior vulnerabilities in the processing systems;
  7. value of the data for an unauthorised third party; and
  8. other factors that may impact the level of risk or that result from other applicable laws and regulations.

The Data Protection Regulation also sets out actions that Data Controllers can take in order to comply with the security requirements:

  1. prepare an inventory of personal data;
  2. determine the functions and obligations of the person(s) who will process personal data;
  3. conduct a risk analysis of personal data consisting of identifying dangers and estimating the risks;
  4. establish the necessary security measures;
  5. identify gaps between existing security measures and those required for each type of data and each processing system;
  6. prepare a work plan based on the gap analysis in item 5 above;
  7. carry out revisions and/or audits;
  8. train personnel who process personal data; and
  9. keep a record of the methods of processing personal data.

Art. 32 GDPR applies in general. § 22 (2) BDSG provides for some additional obligations when processing special types of personal data. In addition, § 13 (7) TMG applies for telemedia services.

12. Breach notification

There are no requirements for Data Controllers to notify the INAI in the event of a data breach (other than Data Controllers which are government entities). However, Data Controllers must notify data subjects if their personal data is subject to a breach with at least the following information:

  1. nature of the breach;
  2. the personal data compromised;
  3. recommendations of actions that may be taken by the data subject to protect its interests;
  4. immediate measures being taken by the data controller; and
  5. any means by which the individual can find further information regarding the matter.

Art. 33 et seq. GDPR apply in general. § 29 BDSG stipulates derogations in case of secrecy obligations.

13. Direct marketing

Personal data can be processed for advertising and marketing purposes in accordance with the Data Protection Legislation, provided that these purposes are made clear in the Privacy Notice and in any other medium required for communicating the processing purposes.

The Act Against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb – UWG) requires the recipient's prior express consent before sending marketing emails. An exception applies (cumulative requirements) when:

  • the recipient's email address has been acquired in connection with the sale of goods or services;
  • the marketer uses the address for direct advertising of their own similar goods or services;
  • the recipient has not objected to this use; and
  • the recipient was clearly and unequivocally advised, when the address was collected and each time it is used, that they can object to its use at any time, without costs arising other than transmission costs pursuant to the basic rates.

14. Cookies and adtech

When the Data Controller uses remote or local mechanisms for electronic, optical or other forms of technological communication which allow personal data to be collected automatically at the moment the data subject comes into contact with such mechanisms (e.g. cookies), the data subject must be informed, at the time of that contact, about the use of these technologies, about the collection of personal data, and about the way in which the cookies can be disabled.

  • The German authorities hold that tracking mechanisms such as cookies, in particular for advertising purposes, require the data subject's explicit consent pursuant to Article 6 (1) lit. a), Article 7 GDPR. It is no longer sufficient to offer an opt-out mechanism pursuant to § 15 (3) TMG (cf. opinions of the German data protection conference (Datenschutzkonferenz – DSK) of April 2018 and March 2019);
  • The ECJ (Planet49 – Case C-673/17) has held that agreement in the sense of active consent by the user is required for the setting of cookies that are not technically necessary for use, i.e. in particular with regard to cookies used for advertising purposes. According to the decision, pre-ticked boxes or similar methods are not sufficient;
  • Finally, there is a new ruling by the Rostock Regional Court of September 2020 on so-called "nudging", i.e. designing cookie banners in such a way that users are manipulated to consent to cookies by hiding the "decline" button either visually (e.g. greyed out) or in (complicated) sub-menus. According to the court, nudging leads to the fact that the declaration of consent to the use of cookies is invalid.

15. Risk scale

Moderate

Severe

Cybersecurity

1. Local cybersecurity laws and scope

There is currently no specific federal cybersecurity law in force in Mexico.

Cybersecurity is regulated in the Federal Criminal Code, the Data Protection Legislation and other sector-specific legislation applicable to entities operating within those sectors (e.g. the Fintech Law). Specific cybersecurity measures are normally regulated through tertiary regulatory instruments such as manuals, official operating parameters and guides.

  • EU Cybersecurity Act (Regulation (EU) 2019/881 of 17 April 2019).
  • Act of 14 August 2009 on the Federal Office for Information Security (Gesetz über das Bundesamt für Sicherheit in der Informationstechnik – BSIG), amended on 23 June 2017 by the implementation act of directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016.
  • Regulation of 22 April 2016 on the determination of critical infrastructures according to the BSIG (Verordnung zur Bestimmung Kritischer Infrastrukturen nach dem BSIG – BSI-KritisV).
  • General Data Protection Regulation, GDPR (Regulation (EU) 2016/679 of 27 April 2016), supplemented by the Federal Data Protection Act of 30 June 2017 (Bundesdatenschutzgesetz – BDSG), and the data protection laws of the federal states.
  • eIDAS Regulation (Regulation (EU) 910/2014 of 23 July 2014), supplemented by the German Trust Service Act of 18 July 2017 (Vertrauensdienstegesetz – VDG), and the German Trust Service Ordinance of 15 February 2019 (Vertrauensdiensteverordnung – VDV).
  • Radio Equipment Act of 27 June 2017 (Funkanlagengesetz – FuAG).
  • Sector-specific laws with provisions on IT security, including:
    • the Telemedia Act of 26 February 2007 (Telemediengesetz – TMG)
    • the Telecommunications Act of 22 June 2004 (Telekommunikationsgesetz – TKG)
    • the Energy Industry Act of 7 July 2005 (Energiewirtschaftsgesetz – EnWG)
    • the Act on the peaceful use of nuclear energy and protection against its dangers of 15 July 1985 (Atomgesetz – AtG)
    • the Banking Act of 9 September 1998 (Kreditwesengesetz – KWG)

Others: Trade Secret Act of 18 April 2019 (Gesetz zum Schutz von Geschäftsgeheimnissen – GeschGehG).

2. Anticipated changes to local laws

A National Cybersecurity Strategy document was published in 2017, but since the change in government in December 2018, there has not been much progress in terms of actual regulation.

In February 2020, a Mexican Senator submitted a bill proposing amendments to the Data Protection Law (the “DP Bill”).

The DP Bill proposed implementing best practices with respect to cybersecurity but made no specific recommendations.

There have been no developments regarding the DP Bill since it was announced in February 2020.

There is currently a draft of a second law to increase the security of information technology systems (IT-Sicherheitsgesetz 2.0); among other things, to strengthen the rights of the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) and to improve consumer protection:

Rights of the BSI:

The BSI will be given extended monitoring and auditing powers vis-à-vis the federal administration and will be more closely involved in the federal government's digitisation projects. The BSI will also be empowered to detect security vulnerabilities through so-called port scans and honeypots.

Consumer protection:

A uniform IT security label will be introduced to make the level of cybersecurity of products more transparent. To this end, manufacturers will be required to provide information about their products.

Other obligations:

Operators of critical infrastructure will be required to use systems to detect attacks (e.g. so-called intrusion detection systems). An amendment to the Electricity and Gas Supply Act extends this obligation to operators of energy supply networks and energy plants. In addition, cybersecurity notification obligations will also apply to companies that are of particular public interest, such as companies in the defence industry.

3. Application 

There is no indication of when (or if) the DP Bill will be passed into law or if the National Cybersecurity Strategy will be progressed.

EU Cybersecurity Act

The EU Cybersecurity Act establishes an EU certification framework for ICT digital products, services and processes and enables the creation of tailored and risk-based EU certification schemes.

BSIG/BSI-KritisV

The BSIG and the BSI-KritisV, which widely implement the NIS Directive 2016/1148 in Germany, set out security obligations for:

  • critical infrastructure sectors: energy, IT and telecommunications, transport and traffic, health, water, food, finance and insurance;
  • digital service providers: online marketplaces, online search engines, cloud computing services; and
  • federal authorities.

GDPR

The GDPR stipulates cybersecurity requirements for the processing of personal data.

eIDAS, VDG and VDV

The eIDAS Regulation creates a uniform framework for the cross-border use of electronic identification schemes and trust services. It provides a regulatory environment to enable secure and seamless electronic interactions between businesses, citizens and public authorities (including security requirements for electronic identification schemes and electronic trust services).

FuAG

The FuAG, which transposes the Radio Equipment Directive 2014/53/EU in Germany, sets out security requirements for radio equipment (e.g. electrical devices with Wi-Fi or Bluetooth functionality).

TMG

The TMG stipulates security obligations for providers of digital services (e.g. provision of websites, apps etc.).

TKG

The TKG stipulates security obligations for operators of electronic communication networks and providers of electronic communications services (e.g. internet access providers).

EnWG

The EnWG sets forth obligations for operators of energy networks and plants to implement adequate protections against threats to telecommunications and electronic data processing systems which are necessary for secure operation of the energy networks and plants.

AtG

The AtG stipulates notification obligations for licence holders under the AtG in case of impairments of their information technology systems, components or processes which could lead to a threat to or interference with the nuclear safety of the nuclear installation or activity concerned.

KWG

The KWG provides a regulatory framework for credit and financial services institutions, stipulating obligations to implement appropriate risk management structures, which also covers IT-security related risk management and requirements.

GeschGehG

The GeschGehG, which implements the Trade Secret Directive 2016/943 in Germany, stipulates that only information that is subject to appropriate confidentiality measures (which include cybersecurity measures) qualifies as a trade secret.

4. Authority

The primary authority in charge of responding to any issue regarding cybersecurity is the National Guard (previously Federal Police, now formally though not materially fully integrated into the National Guard) and the Ministry of Public Security. Additional to this, there are other local authorities in some regions, such as the Police for the Prevention of Cybercrimes in Mexico City.

The INAI is responsible for overseeing data security breaches in general.

There are other authorities that could have jurisdiction regarding sector-specific cybersecurity breaches, e.g. the Mexican Securities and Exchange Commission or Mexico’s Central Bank in the case of cybersecurity breaches in the banking and financial sector.

European Union Agency for Cybersecurity (ENISA): https://enisa.europa.eu

Federal Office for Information Security / Bundesamt für Sicherheit in der Informationstechnik (BSI): https://www.bsi.bund.de

European Data Protection Board (EDPB): https://edpb.europa.eu

Data protection authorities and state media authorities

Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway / Bundesnetzagentur für Elektrizität, Gas, Telekommunikation, Post und Eisenbahnen (BNetzA): https://www.bundesnetzagentur.de

Market surveillance authorities

Federal Financial Supervisory Authority / Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin): https://bafin.de

5. Key obligations 

Given there is no legislation specifically regulating cybersecurity, companies operating in sectors that do not have their own cybersecurity requirements are not subject to any particular obligations. Similarly, there is no obligation to report cyber incidents to the authorities. However, gaining access to, or attempting to access, a protected system is considered a crime in Mexico, and therefore the offended party may report the crime to Federal Prosecutors.

With respect to personal data, under the Data Protection Legislation, every organisation must implement corrective and preventive measures to improve security and avoid the violation of personal data rights.

BSIG/BSI-KritisV

Operators of critical infrastructure must implement appropriate, state-of-the-art organisational and technical measures to avoid security incidents with their IT systems which could affect the functioning of the infrastructure/service (minimum security requirements). They must prove that these measures fulfil the requirements at least every two years. The BSI can approve sector-specific security standards.

Digital service providers must implement appropriate, state-of-the-art organisational and technical measures to avoid risks to the security of the network and information systems they use to provide the services. These measures will be further defined by the European Commission according to Article 16(8) of Directive (EU) 2016/1148.

Operators of critical infrastructure must provide the BSI with a contact point.

Operators of critical infrastructure and digital service providers must notify the BSI in the event of significant cybersecurity incidents.

GDPR

Controllers and processors are obliged to implement appropriate, state-of-the-art technical and organisational measures to ensure a level of security appropriate to the risk, including (inter alia) pseudonymisation and encryption.

eIDAS, VDG and VDV

The eIDAS Regulation stipulates security requirements for electronic identification schemes (including interoperability requirements), (qualified) trust services, (advanced and qualified) electronic signatures and seals, electronic time stamps, electronic registered delivery services and website authentication.
For instance, the assurance level (low, substantial and/or high) of notified electronic identification schemes depends on whether certain security criteria are fulfilled or not.

(Qualified) trust service providers are obliged to take appropriate, state-of-the-art organisational and technical measures to manage the risks posed to the security of the trust service they provide, and to notify the supervisory body and other relevant bodies in the event of significant security incidents. Where the security breach is likely to adversely affect a natural or legal person to whom the trust service has been provided, the trust service provider is also obliged to notify that natural or legal person of the breach.

Qualified trust service providers are additionally subject to recurring inspection by conformity assessment bodies and information obligations.

FuAG

Manufacturers that place radio equipment on the German market must design and manufacture such devices so that they do not harm the network or its functioning or misuse network resources, and so that they incorporate safeguards to ensure that the personal data and privacy of the user are protected.

TMG

Providers of digital services must implement reasonable, state-of-the-art organisational and technical measures, especially including the use of encryption, that:

  • guard against unauthorised access to the technical systems they use to provide their digital services;
  • ensure that their technical systems are protected against unauthorised access to personal data; and
  • prevent malfunctions, including any caused by external attacks.

TKG

The TKG sets forth cybersecurity related obligations of operators of electronic communications networks and providers of electronic communications services.

Operators of publicly available telecommunications networks are particularly obliged to: 

  • implement technical and organisational measures to protect the network against disruptions;
  • appoint a security officer and draw up a security concept (which needs to be submitted to the BNetzA immediately after commencing network operation); and
  • notify the BNetzA and the BSI without delay of any impairments to telecommunications networks and services which (can) lead to significant security breaches.

The measures to be taken are specified in a catalogue of security measures, issued by the BSI and the BNetzA.

Providers of publicly available electronic communication services are in particular obliged to:

  • implement technical and organisational measures to protect the secrecy of telecommunications and other personal data as well as to protect the underlying network against disruptions;
  • appoint a security officer and draw up a security concept (which needs to be submitted to the BNetzA upon request);
  • immediately notify the BNetzA and the BSI of any impairments to telecommunications networks and services which (can) lead to significant security breaches;
  • immediately notify the BNetzA and the Federal Commissioner for Data Protection (and, where applicable, additionally the persons concerned) of any violation of the protection of personal data;
  • keep a register of violations of the protection of personal data; and
  • immediately inform customers in case of malfunctions caused by customer data processing systems.

The measures to be taken are specified in a catalogue of security measures issued by the BSI and the BNetzA.

EnWG

Operators of energy supply networks are obliged to implement adequate protections against threats to telecommunications and electronic data processing systems that are necessary for secure network operation. The measures to be taken are specified in a catalogue of security measures issued by the BSI and the BNetzA.

Operators of energy plants classified as critical infrastructure and connected to energy supply networks are obliged to implement adequate protections against threats to telecommunications and electronic data processing systems which are necessary for secure operation of the plant. The measures to be taken are specified in a catalogue of security measures issued by the BSI and the BNetzA.

Operators of energy supply networks and energy plants classified as critical infrastructure must notify the BSI in the event of significant cybersecurity incidents.

AtG

Licence holders under the AtG are obliged to notify the BSI in case of impairments of their information technology systems, components or processes that could lead to a threat to or interference with the nuclear safety of the nuclear installation or activity concerned.

KWG

Credit and financial services institutions are obliged to implement appropriate risk management structures, including IT-security related structures and measures. The respective minimum requirements are specified in BaFin Circular 10/2017 (BA), as amended on 14 September 2018 (Banking supervisory requirements for IT (Bankaufsichtliche Anforderungen an die IT, BAIT)). In addition, credit and financial services institutions as well as financial holding companies are required to implement internal security measures to prevent criminal offences that could endanger the institution's assets.

GeschGehG

Holders of trade secrets are required to implement appropriate confidentiality measures to ensure that their trade secrets are subject to the (legal) protections of the GeschGehG.

6. Sanctions & non-compliance 

Even though there is no statutory definition of "cybercrime", the Federal Criminal Code sanctions certain behaviours that can be identified as cybercrimes, such as hacking, phishing, infection of IT systems with malware, identity theft and fraud. These offences can be punished with prison sentences and a range of fines, depending on the severity of the crime.

Administrative sanctions:

  • BSIG/BSI-KritisV: Fines of up to EUR 50,000
  • GDPR: Fines of up to EUR 10,000,000 or up to 2% of the total worldwide annual turnover of the preceding financial year (in case of an undertaking)
  • eIDAS Regulation and VDG: Fines of up to EUR 100,000
  • FuAG: Fines of up to EUR 100,000
  • TMG: Fines of up to EUR 50,000
  • TKG: Fines of up to EUR 100,000
  • EnWG: Fines of up to EUR 100,000
  • KWG: Fines/Order of additional capital requirements

Criminal sanctions:

  • Possible criminal sanctions for data protection violations according to § 42 BDSG.
  • Possible criminal sanctions for violations of the Telecommunications Act according to § 148 TKG.

Others:

  • FuAG: Possible market ban
  • TKG: Possible operating ban

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

The authority responsible for preventing and responding to cybersecurity issues is the National Response Centre for Cyber Incidents of the Federal Police (now formally incorporated into the National Guard), or CERT-MX. This body is in charge of preventing and mitigating any threat to technological infrastructure and operability in Mexico. Additionally, the INAI is responsible for supervising compliance with personal data protection legislation.

Yes. The CERT-Bund, which:

  • creates and publishes recommendations for preventive measures;
  • points out vulnerabilities in hardware and software products;
  • proposes measures to address known vulnerabilities;
  • supports public agencies’ efforts to respond to IT security incidents;
  • recommends various mitigation measures.

For other services – such as incident analysis – it mainly assists federal institutions.

The Bürger-CERT provides information on cybersecurity to private persons.

8. National cybersecurity incident management structure

The CERT-MX is responsible for dealing with any cybersecurity incidents, but only after a specific request, complaint or demand is submitted. The INAI can also initiate investigations regarding the protection of personal data.

The BSI has an IT analysis and operations centre that continuously monitors, assesses and reports on the cybersecurity situation and provides incident response support. If necessary, it acts as an IT crisis centre to coordinate fast responses to significant incidents.

There is also an inter-agency body, the National Cyber-Defence Centre, which coordinates the operations of the security authorities (i.e. the police and intelligence services).

9. Other cybersecurity initiatives 

In the private sector, the Mexican Association for Cybersecurity offers services and products regarding cybersecurity and data protection. It also encourages the protection of information and proper information handling. 

The Alliance for Cybersecurity (Allianz für Cybersicherheit) is a cooperation platform for the exchange of information between the BSI, industry, and science and research.

Héctor González Martínez
Senior Associate
Mexico City

Christian Runte
Partner
Munich

Dr. Rene Sandor, LL.M. (King's College London)
Senior Associate
Munich

Dr. Michael Biendl
Senior Associate
Munich