CMS Expert Guide: Data Law Navigator

Data protection

1. Local data protection laws and scope

The main data protection legislation is the Federal Law on the Protection of Personal Data held by Private Parties (the “Data Protection Law”) and its supplementary regulation (the “Data Protection Regulations”), together the “Data Protection Legislation”. The Data Protection Law came into force in July 2010 and the Data Protection Regulation came into force in December 2011. Other relevant legislation containing data protection provisions includes:

  • Articles 6 to 16 of the Mexican Constitution;
  • The Privacy Notice Guidelines, which govern the content of data privacy notices and obtaining consent for processing personal data;
  • The General Law for the Protection of Personal Data in Possession of Obligated Subjects governs personal data held by public bodies; and
  • The Federal Consumer Protection Law governs certain aspects concerning marketing activities.    

Additionally, Mexico is a signatory of international agreements on Data Protection, like the Convention for the Protection of the People Regarding the Automated Treatment of Personal Information. Mexico is also a member or the Inter American Network of Data Protection.

  • Law dated 1 August 2018, reference A686, on the organisation of the National Data Protection Commission (CNPD) and the general data protection framework. This law has implemented Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing the law dated 2 August 2002 on the protection of individuals with regard to the processing of personal data and on the free movement of such data);
  • Law dated 1 August 2018, reference A689, on the protection of individuals with regard to the processing of personal data in criminal and national security matters. This law has implemented Directive (EU) 2016/680 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA;
  • Law dated 1 August 2018 on the processing of passenger name record data in the context of the prevention and repression of terrorism and serious crime and amending the Act of 5 July 2016 on the reorganisation of the State Intelligence Service;
  • Amended law dated 30 May 2005 concerning the processing of personal data and the protection of privacy in the electronic communications sector. This law has implemented Directive 2002/58/EC;
  • Article L. 261-1(1) of the Luxembourg Labour Code provides specific regulations concerning monitoring and surveillance at work by the employer.

The Personal Data Protection Act 2012 (PDPA) is the data protection law that governs the collection, use, disclosure and handling of personal data. It recognises both the rights of individuals to protect their personal data, including rights of access and correction, and the needs of organisations to collect, use or disclose personal data for legitimate and reasonable purposes.

The PDPA also provides for the establishment of a national Do Not Call (DNC) Registry. The DNC Registry allows individuals to register their Singapore telephone numbers to opt out of receiving marketing phone calls, mobile text messages such as SMS or MMS, and faxes from organisations.

Some key subsidiary legislation that operates alongside the PDPA include the Personal Data Protection Regulations 2021, Personal Data Protection (Notification of Data Breaches) Regulations 2021 and Personal Data Protection (Do Not Call Registry) Regulations 2013.

Personal Data Protection Act 2012: 

2. Data protection authority

The Federal Institute for Access to Information and Data Protection (Instituto Nacional de Acceso a la Información y Protección de Datos Personales or "INAI"), is responsible for overseeing the Data Protection Legislation. Its aim is to encourage access to all public information about governmental activities, and budgets, as well as seeking the protection of personal data and the right to privacy.
The INAI, if requested by a data subject, may carry out an investigation to ensure compliance with the Data Protection Legislation of a specific undertaking and sanction those found to be in breach the Data Protection Legislation.

The Personal Data Protection Commission (PDPC) 

3. Anticipated changes to local laws

There are no anticipated changes. Notwithstanding, the President of Mexico suggested in January that the INAI would be replaced by a State-controlled body. No additional details or timelines have been provided.

There are no anticipated changes.

The following changes to the PDPA have been passed by Singapore’s Parliament, however they have not yet come into effect:

  • Data portability – mandatory obligation for organisations to provide an individual’s data, at the individual’s request, to another organisation in a commonly used machine-readable format; 
  • provisions which exempt organisations from the proposed data portability obligation and the obligations to provide an individual with access to or to correct personal data at the individual’s request in respect of “derived personal data” (i.e. new data that is created through the processing of other data by applying business-specific logic or rules); and
  • Higher penalties – an increase in the financial penalties that may be imposed on organisations: in the case of a breach of the data protection provisions, 10% of its annual turnover in Singapore or SGD 1m, whichever is higher; and in the case of a breach of the prohibitions on the use of dictionary attacks and address-harvesting software, 5% of its annual turnover in Singapore or SGD 1m, whichever is higher. 

4. Sanctions & non-compliance

The INAI has the has the authority to impose the following administrative fines:

  • 100 to 160,000 units of measure 1 1 unit of measure = MXN 86.88 (Mexican Pesos)  for:
    • Acting negligently or fraudulently in processing and responding to requests for personal data access, rectification, cancellation or objection;
    • Fraudulently declaring the inexistence of personal data where such exists in whole or in part in the databases of the Data Controller;
    • Processing personal data in violation of the principles established in the Data Protection Law;
    • Omitting from the Privacy Notice any or all of the information it requires;
    • Maintaining inaccurate personal data when such action is attributable to the Data Controller, or failing to perform legally due rectifications or cancellations where the data subject’s rights are affected; and
    • Failure to comply with the notice warnings issued by the INAI.
  • 200 to 320,000 units of measure 2 1 unit of measure = MXN 86.88 (Mexican Pesos) for:
    • Breaching the duty of confidentiality set out in the Data Protection Law;
    • Materially changing the original data processing purpose in contravention of the Data Protection Law;
    • Transferring data to third parties without providing them with the Privacy Notice containing the limitations to which the data subject has conditioned data disclosure;
    • Compromising the security of databases, sites, programmes or equipment;
    • Carrying out the transfer or assignment of personal data outside of the cases where it is permitted under the Data Protection Law;
    • Collecting or transferring personal data without the express consent of the data subject where required;
    • Obstructing verification actions of the INAI;
    • Collecting data in a deceptive and fraudulent manner;
    • Continuing with the illegitimate use of personal data when the INAI or the data subjects have requested such use be ended;
    • Processing personal data in a way that affects or impedes the exercise of the rights of access, rectification, cancellation and objection set;
    • Creating special data databases in violation of the Data Protection Law.   

In the event that the infractions mentioned in the preceding paragraphs persist, an additional fine of 100 to 320,000 units of measure 3 1 unit of measure = MXN 86.88 (Mexican Pesos)  can be imposed.

Sanctions may be doubled for any of the above infractions committed in the treatment of sensitive data.

Administrative sanctions:

The CNPD may impose administrative fines pursuant to Article 83 of the General Data Protection Regulation (EU) 2016/679 (GDPR), in addition to - or instead of - other corrective measures, depending on the circumstances of each individual case.

The CNPD may also impose on the controller or processor a penalty of up to 5% of its average daily turnover in the previous financial year, respectively during the last financial year closed, as long as such controller or processor does not communicate information requested by the CNPD pursuant to Article 58(1)(a) GDPR, or as long as such controller or processor does not abide by a corrective measure adopted by the CNPD pursuant to Article 58(2)(c)-(j) GDPR.

Criminal sanctions:

The CNPD may impose criminal sanctions (an imprisonment of eight days or a fine of between EUR 251 and EUR 125,000) against anyone who knowingly prevents or hinders the performance of the CNPD's missions.


In the context of its tasks set out in the law dated 1 August 2018, reference A686, article 8, the CNPD has the following powers:

  • to obtain from controllers and/or processors access to all personal data processed and all information necessary for the performance of its tasks;
  • to issue warnings to a controller or a processor that planned data processing operations are likely to infringe provisions adopted pursuant to the law dated 1 August 2018 on the protection of natural persons with regard to the processing of personal data in criminal and national security matters;
  • to order the controller or processor to bring processing operations into compliance with the provisions adopted pursuant to the law dated 1 August 2018 on the protection of natural persons with regard to the processing of personal data in criminal and national security matters, where appropriate, in a specified manner and within a specified period, in particular by ordering the rectification or erasure of personal data or restriction on processing in accordance with Article 15 of the law dated 1 August 2018 on the protection of natural persons with regard to the processing of personal data in criminal and national security matters;
  • to impose a temporary or definitive limitation, including a ban, on processing;
  • to advise the controller in accordance with the prior consultation procedure referred to in Article 27 of the law dated 1 August 2018 on the protection of natural persons with regard to the processing of personal data in criminal and national security matters;
  • to issue, on its own initiative or on request, opinions to the Chamber of Deputies (Chambre des Députés) and its Government or other institutions and organisations as well as the public, on any question relating to personal data processing.
Administrative sanctions:
  • In relation to the enforcement of the data protection provisions, the PDPC may issue fines of up to SGD 1m for each breach.
  • In relation to the enforcement of the DNC Registry provisions and the prohibition on use of dictionary attacks and address-harvesting software, the PDPC may issue a fine up to an amount not exceeding SGD 200,000 in the case of an individual, and up to SGD 1m in any other case.
  • The PDPC may also issue directions for non-compliance, which includes directions to stop collection, use or disclosure of personal data, and to destroy personal data collected. 
Criminal sanctions:
  • Imprisonment for a term not exceeding: 
    • Two years – for knowing or reckless unauthorised disclosure of personal data; knowing or reckless unauthorised use of personal data for a gain or to cause a harm or loss to another person; or knowing or reckless unauthorised re-identification of anonymised information;
    • 12 months – for unauthorised request to access or correct personal data about another individual; obstructing or hindering the PDPC in the exercise of its powers or duties; knowing or reckless false statement made to the PDPC; or knowing attempts to mislead the PDPC; or
    • Six months – for neglect or refusal to provide any information or produce any document to the PDPC or attend before the PDPC without reasonable excuse; or unauthorised use of a symbol or representation identical to or which resembles that of the PDPC. 
  • Criminal fines may also be imposed and varies depending on the specific offence, although in general not exceeding SGD 10,000 in the case of individuals, and SGD 100,000 in the case of organisations.
  • Individuals have a private right of action and may seek relief by way of injunction, declaration or damages for damages or losses suffered directly as a result of a contravention of the PDPA.     

5. Registration / notification / authorisation

The Data Protection Legislation does not require prior notification or registration for any data processing activities.

There is no general requirement to register with or notify the CNPD when a business processes personal data.

There is no requirement for organisations to register with the PDPC. However, voluntary registration of the Data Protection Officer is encouraged. 

6. Main obligations and processing requirements

The Data Protection Law recognises two parties who deal with personal data:

  1. Data Processors: the subject or legal entity that processes personal data on behalf of the Data Controller.
  2. Data Controller: the subject or legal entity that decides on the processing of personal data.

Their relationship must be established through contractual clauses or other legal instruments in a way that proves the existence, scope and nature of such relationship.

According to the Data Protection Legislation, the principles that must be observed by controllers and/or processors in the processing of personal data are the following:

  1. Legitimacy: Personal data must be collected and processed in a lawful manner;
  2. Consent: The data subject must give its consent for the processing of its personal data;
  3. Information: Through a Privacy Notice, the Data Controller must inform the data subject about the existence and the characteristics of their personal data processing;
  4. Quality: This principle is given when the personal data is provided directly by the data subject; if not, the Data Controller must take the measurements to meet the quality principle and adopt mechanisms that are considered necessary to ensure that the data is accurate, complete, updated and correct;
  5. Purpose: Personal data can only be processed for the purposes established in the Privacy Note.
  6. Loyalty: Personal data must be processed safeguarding the protection of the data subjects’ interests and the reasonable expectation of privacy;
  7. Responsibility: Data Controllers must ensure the processing of personal data in their custody, as well as the data transferred to a Data Processor.

Additionally, the following legal requirements should be taken into account when processing personal data:

  1. Personal data must be collected and processed in a lawful manner in accordance with the provisions established by the Data Protection Legislation and other applicable regulations;
  2. Personal data must not be obtained through deceptive or fraudulent means;
  3. In all processing of personal data, it is presumed that there is a reasonable expectation of privacy, understood as the trust any one person places in another for personal data provided to be treated pursuant to any agreement of the parties in the terms established by the Law;
  4. Personal data should not be kept for any longer than is necessary in order to comply with the purposes for which the personal data was originally held. Data Controllers must establish and document retention procedures, including deletion and/or blocking of personal data, taking the nature of the data into account.   

Before data may be processed by the controller, a number of conditions of lawfulness must be met to ensure an adequate protection of privacy. When personal data are processed, the following principles must be respected:

  • Principles of lawfulness, fairness and transparency;
  • Purpose limitation principle;
  • Principle of data minimisation;
  • Principle of accuracy;
  • Principle of retention limitation;
  • Principle of integrity and confidentiality;
  • Principle of accountability.

Organisations, wherever located, that process personal data of individuals in Singapore are required to comply with the PDPA.

The PDPA sets out ten main data protection obligations which are to be complied with when processing personal data.

Under the PDPA, to collect and process personal data lawfully, organisations must comply with the following obligations:

  1. Consent Obligation – to obtain the consent of the individual; 
  2. Purpose Limitation Obligation – to collect, use or disclose personal data about an individual for the purposes that a reasonable person would consider appropriate in the circumstances and for which the individual has given consent;
  3. Notification Obligation – to notify individuals of the purposes for which the organisation is intending to collect, use or disclose their personal data on or before such collection, use or disclosure of personal data;
  4. Access and Correction Obligation – upon request, provide information in which the individual’s personal data has been or may have been used or disclosed and to correct any error or omission in an individual’s personal data;
  5. Accuracy Obligation – make reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete;
  6. Protection Obligation – make reasonable security arrangements to protect the personal data that the organisation possesses or controls;
  7. Retention Limitation Obligation – cease retention of personal data or remove the means by which the personal data can be associated with particular individuals when it is no longer necessary for any business or legal purpose;
  8. Transfer Limitation Obligation – ensure that the standard of protection provided to the personal data transferred to another country will be comparable to the protection under the PDPA; 
  9. Data Breach Notification Obligation – assess whether a data breach is notifiable and notify the affected individuals and/or PDPC where it is assessed to be notifiable; and
  10. Accountability Obligation – implement policies and procedures to meet its obligations under the PDPA, and make information about its policies and practices publicly available and to appoint a data protection officer.

Organisations that have contracted to process personal data on behalf of another organisation may be considered a “data intermediary”. 

A data intermediary that processes personal data pursuant to a written contract will only be responsible for the Protection Obligation, the Retention Obligation and the Data Breach Notification Obligation – protecting the personal data in its care, ensuring that the personal data is not retained by the data intermediary when there is no longer a business or legal need to do so, and notifying the organisation or public agency for which it is processing personal data on behalf of where the data intermediary discovers that a data breach has occurred.

7. Data subject rights

All data subjects are entitled to exercise rights of access, rectification, cancellation and objection regarding their personal data (collectively known as ARCO rights). These rights are not mutually exclusive.

Right of Access

The data subject is entitled to access its personal data held by the Data Controller, as well as information regarding the conditions and generalities of the processing.

Right of Rectification

Data subjects may request, at any time, that Data Controllers rectify personal data if it is inaccurate or incomplete.

Right of Cancellation

Data subjects have the right to cancel (i.e. seek erasure of) its personal data. There are certain situations where Data Controllers have the right to object to such erasure (e.g. if required by applicable law or public interest).

Right of Objection

Data Subjects may, at any time, oppose the processing of their personal data for legitimate purposes.

The data subjects are granted with the following rights:

  • Right to information;
  • Right of access;
  • Right to erasure (“right to be forgotten”)
  • Right to data portability;
  • Right to restriction of processing;
  • Right to contest a decision based solely on automated processing, including profiling;
  • Right to rectification;
  • Right to delisting;
  • Right to object.

Under the PDPA, individuals have the following rights:

  • private right of action for direct loss or damage suffered directly as a result of the contravention of the PDPA; 
  • right to ask the organisation to provide the contact of a person who can answer, on behalf of the organisation, their questions about the collection, use or disclosure of the personal data;
  • right to withdraw their consent for the collection, use or disclosure of their personal data by an organisation at any time, with reasonable notice;
  • right to request access to their personal data that an organisation possesses or controls, including to be provided with information about the ways in which such personal data has or may have been used or disclosed within the year before the request;
  • right to request an organisation to correct an error or omission in their personal data; and
  • right to file a complaint.

8. Processing by third parties

According to the Data Protection Law, if the Data Controllers intend to transfer personal data to third parties, it must provide them with a Privacy Notice and the purposes to which the data subject has limited data processing. The data subject must consent to such transfer via the Privacy Notice.


Data Processors must obtain permission from Data Controllers if subcontracting may involve the subcontractor processing personal data. Once consent is obtained, the Data Processor must enter into a contract with the subcontractor.

The subcontractor will assume the same obligations required for Data Processors under the Data Protection Legislation and other applicable law.

The Data Processor’s right to subcontract processing activities should be outlined in the contract between the Data Controller and Data Processor. If this right is not covered in that contract, the Data Processor must seek specific consent from the Data Controller in order to subcontract processing activities.

There is a need to enter into a data processing agreement in which the processor agrees to act only on behalf of the controller, to take appropriate technical and organisational security measures to protect the personal data, and to be bound by the same data protection obligations as to which the controller is bound. Such agreement should also contain clear provisions on liability between the controller and processor in the event of a breach of privacy.

An organisation must observe the same obligations under the PDPA in respect of personal data processed on its behalf by a data intermediary as if the personal data were processed by the organisation itself.

Data intermediaries that process personal data on behalf of and for the purposes of another organisation pursuant to a written contract will only be subject to the Protection Obligation, the Retention Obligation and the Data Breach Notification Obligation.

9. Transfers out of country

International transfers of personal data must be consented to by the data subject and the purposes of such transfers must be included in the Privacy Notice. Such consent is not required where the transfer is:

  1. pursuant to a Law or Treaty to which Mexico is party;
  2. necessary for medical diagnosis or prevention, healthcare delivery, medical treatment or health services management;
  3. made to holding companies, subsidiaries or affiliates under common control of the Data Controller, or to a parent company or any company of the same group as the Data Controller, operating under the same internal processes and policies;
  4. necessary by virtue of a contract executed or to be executed in the interest of the data subject between the Data Controller and a third party;
  5. necessary or legally required to safeguard public interest or for the administration of justice;
  6. necessary for the recognition, exercise or defence of a right in a judicial proceeding; or
  7. necessary to maintain or fulfil a legal relationship between the Data Controller and the data subject.

It is not possible to transfer personal data outside the EEA to a non-adequate country without the necessary safeguards in place (e.g. EU model clauses, ad hoc data transfer agreement, Privacy Shield certification) or with consent of data subject.

There is a limitation on transfers of personal data outside Singapore unless conditions are met. The transfers of personal data outside of Singapore requires the recipient of the personal data to provide safeguards equivalent to or greater than the requirements under the PDPA. The PDPA does not provide a white-list of countries that are deemed to have equivalent protection.

As such, organisations may transfer personal data overseas if they have taken appropriate steps to comply with the data protection provisions in respect of the transferred personal data while such personal data remains in their possession or control. When the personal data is transferred to a recipient outside of Singapore, organisations need to ensure that the recipient is bound by legally enforceable obligations to provide a standard of protection comparable to that under the PDPA. Such legally enforceable obligations include obligations imposed under law, any contract or binding corporate rules. In addition, organisations and data intermediaries that are certified under the Asia-Pacific Economic Cooperation Cross Border Privacy Rules System are deemed to be bound by legally enforceable obligations for the purpose of transfers of personal data outside Singapore. 

10. Data Protection Officer

Data Controllers must appoint a Data Protection Officer (or equivalent role) to deal with data subjects’ requests and promote data protection compliance within the Data Controller’s organisation.

The Data Protection Officer (DPO) has an important role in the legal framework created by the GDPR. Articles 37 to 39 GDPR lay down the rules applicable to the designation, position and tasks of the DPO.

Organisations are required to designate at least one individual, known as the Data Protection Officer (DPO), to oversee the data protection responsibilities within the organisation and ensure compliance with the PDPA. 

The business contact information of the DPO must be made available to the public. Although not a legal requirement, in practice, the PDPC does request for the information of the DPO to be registered with it.

11. Security

Data Controllers and Data Processors are required to establish and maintain administrative and physical, security and, if applicable, technical measures for the protection of personal data.

In developing security measures, the data controller should take at least the following into account:

  1. the inherent risk given the type of personal data;
  2. the sensitivity of the personal data;
  3. technological developments;
  4. the potential consequences of a breach for data subjects;
  5. the number of data subjects;
  6. prior vulnerabilities in the processing systems;
  7. value of the data for an unauthorised third party; and
  8. other factors that may impact the level of risk or that result from other applicable laws and regulations.

The Data Protection Regulation also sets out actions that Data Controllers can take in order to comply with the security requirements:

  1. prepare an inventory of personal data;
  2. determine the functions and obligations of the person(s) who will process personal data;
  3. conduct a risk analysis of personal data consisting of identifying dangers and estimating the risks;
  4. establish the necessary security measures;
  5. identify gaps between existing security measures and those required for each type of data and each processing system;
  6. prepare a work plan based on the gap analysis in (v) above;
  7. carry out revisions and/or audits;
  8. train personnel who process personal data; and
  9. keep a record of the methods of processing personal data.

There is a need to take appropriate technical and security measures to protect personal data.

Organisations must protect personal data in their possession or under their control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks, and the loss of any storage medium or device on which personal data is stored.

12. Breach notification

There are no requirements for Data Controllers to notify the INAI in the event of a data breach (other than Data Controllers which are government entities). However, Data Controllers must notify data subjects if their personal data is subject to a breach with at least the following information:

  1. nature of the breach;
  2. the personal data compromised;
  3. recommendations of actions that may be taken by the data subject to protect its interests;
  4. immediate measures being taken by the data controller; and
  5. any means by which the individual can find further information regarding the matter.

Two types of data breaches must be notified to the CNPD:

Data breaches under the GDPR. Controllers shall notify data breaches to the CNPD within 72 hours after becoming aware of it if it is likely to result in a risk to the rights and freedoms of natural persons. In case of a high risk, the controller shall also communicate the personal data breach to the data subject without undue delay.

Data breaches in the electronic communications sector. In accordance with the European Commission regulation (EU) No. 611/2013 of 24 June 2013, which entered into force on 25 August 2013, providers of publicly available electronic communications services, such as fixed or mobile telephone companies or Internet service providers, must notify the CNPD within 24 hours after the detection of a personal data breach and inform their subscribers if the incident is likely to adversely affect their privacy and data protection.

Organisations are required to assess whether a data breach is notifiable, and to notify the affected individual(s) (where required) and/or the PDPC where the data breach is assessed to be notifiable. A data breach is assessed to be notifiable where: 

  • the scale of the data breach is of a significant scale, i.e. where it involves the personal data of 500 or more individuals; or 
  • the data breach causes significant harm to affected individual(s) where the compromised personal data relates to: 
    • the individual’s full name or alias or identification, in combination with: (a) financial information that is not publicly disclosed; (b) identification of vulnerable individuals; (c) life, accident and health insurance information that is not publicly disclosed; (d) specified medical information; or (e) information related to adoption matters; or (f) private key used to authenticate or sign an electronic record or transaction; or 
    • individual’s account identifier and data for access into the account.

Organisations must notify the PDPC as soon as practicable, but no later than 72 hours after it makes the assessment that a data breach is notifiable. Where required to notify the affected individual(s), the notification by organisations must be as soon as practicable (at the same time or after notifying the PDPC). 

In addition, data intermediaries that process personal data on behalf of and for the purposes of another organisation or a public agency are not required to assess whether the breach is notifiable or to notify the PDPC, but are required to notify that other organisation or public agency when a potential or actual data breach is detected without undue delay. 

Sector specific regulation, such as the Notices and Guidelines on Technology Risk Management issued by the Monetary Authority of Singapore, may also require breach notification under different timelines. 

13. Direct marketing

Personal data can be processed for advertising and marketing purposes in accordance with the Data Protection Legislation, provided that these purposes are made clear in the Privacy Notice and in any other medium required for communicating the processing purposes.

Need to obtain consent (exemption for B2B).

The DNC provisions of the PDPA generally prohibit organisations from sending marketing messages (in the form of voice calls, text or fax messages) of a commercial nature to Singapore telephone numbers, including mobile, fixed-line, residential and business numbers, registered with the DNC Registry, unless the consumer has provided their clear and unambiguous consent in written or other accessible form for sending the marketing message to the Singapore telephone number.

The organisation may still send a direct marketing message where the sole purpose of the message is: 

  • to facilitate, complete or confirm an earlier transaction between the sender and recipient; 
  • to provide warranty information, product recall information, or safety or security information with respect to a product/service purchased by the recipient;
  • to deliver goods or services that the recipient is entitled to receive under an existing transaction; or 
  • related to the subject matter of an ongoing relationship between the sender and the recipient. 

Individuals may subsequently opt out of receiving direct marketing messages. Upon receiving an individual’s opt-out request, the organisation must stop sending such messages to that individual's telephone number 21 days after the opt-out.

Under the PDPA, organisations are not permitted to send, cause to be sent or authorise to send any message with a Singapore link to telephone numbers generated or obtained through the use of a dictionary attack or address harvesting software. This prohibition also applies with respect to electronic messages generated or obtained through the use of a dictionary attack or address harvesting software under the Spam Control Act. 

In addition, under the Spam Control Act, organisations are prohibited to send, cause to be sent or authorise to send any unsolicited commercial electronic messages in bulk if they do not comply with the statutory conditions (e.g. the message needs to include an email address to which the recipient may submit an unsubscribe request).

14. Cookies and adtech

When the Data Controller uses remote or local mechanisms for electronic, optical or other forms of technological communication which allow collection of personal data automatically and simultaneously to the time the data subject has contact with such communications mechanisms, the data subject must be informed about the use of these technologies, at the time the data subject makes contact with the technology and must be informed of the obtention of personal data as well as the way in which the cookies can be disabled.

No specific local provisions in the applicable law.

The PDPA applies to the collection, use or disclosure of personal data using cookies.

However, consent is not required for cookies that:

  • do not collect personal data; and
  • for internet activities clearly requested by the user where the individual is aware of the purposes of such collection, use and disclosure and has voluntarily provided his personal data for such purposes.

If the individual configures his browser to accept certain cookies but rejects other, he may be found to have consented to the collection, use and disclosure of his personal data by the cookies he has chosen to accept. In such a circumstance, the PDPC has confirmed that consent can be implied. However, the failure of an individual to actively manage his browser settings does not imply that he has consented to the collection, use and disclosure of his personal data.

15. Risk scale



*mature data protection regime with heavy sanctions for non-compliance, but with passive regulator OR mature data protection regime with low sanctions for non-compliance, but with repressive regulator



1. Local cybersecurity laws and scope

There is currently no specific federal cybersecurity law in force in Mexico.

Cybersecurity is regulated in the Federal Criminal Code, the Data Protection Legislation and other sector-specific legislation applicable to entities operating within those sectors (e.g. the Fintech Law). Specific cybersecurity measures are normally regulated through tertiary regulatory instruments such as manuals, official operating parameters and guides.

Grand Ducal Regulation dated 12 March 2012 implementing the Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructure and the assessment of the need to improve their protection (Critical Infrastructures Act).

The Cybersecurity Act 2018 governs the prevention, management and response to cybersecurity threats and incidents, and regulates owners of critical information infrastructure and cybersecurity service providers. The provisions generally apply to any critical information infrastructure, computer and computer system located wholly or partly in Singapore. The provisions also apply to the Singapore Government, except that the Singapore Government will not be liable to prosecution for an offence. 

The related regulations and code of practice that operate alongside the Cybersecurity Act 2018 are the Cybersecurity (Critical Information Infrastructure) Regulations 2018, Cybersecurity (Confidential Treatment of Information) Regulations 2018 and the Cybersecurity Code of Practice for Critical Information Infrastructure. 

The Computer Misuse Act (CMA) is the principal legislation on cybercrimes. The CMA applies to any person regardless of nationality and citizenship, outside as well as within Singapore, where the accused, computer program or data was in Singapore at the material time of the offence or the offence causes or creates a significant risk of serious harm in Singapore.  

Local cybersecurity laws also include sector-specific rules, such as guidelines and notices issued by the Monetary Authority of Singapore for the financial sector (MAS rules). 

2. Anticipated changes to local laws

A National Cybersecurity Strategy document was published in 2017, but since the change in government in December 2018, there has not been much progress in terms of actual regulation.

In February 2020, a Mexican Senator submitted a bill proposing amendments to the Data Protection Law (the “DP Bill”).

The DP Bill proposed implementing best practices with respect to cybersecurity but made no specific recommendations.

There have been no developments regarding the DP Bill since it was announced in February 2020.

There are no anticipated changes to local laws.

Cybersecurity Act 2018: Provisions relating to the licensing of cybersecurity service providers are not yet in effect. The Cyber Security Agency of Singapore has stated that the implementation of the licensing framework will be communicated at a later date.

3. Application 

There is no indication of when (or if) the DP Bill will be passed into law or if the National Cybersecurity Strategy will be progressed.

Critical Infrastructures Act: sets out security obligations for European and national critical infrastructure in the energy and transport sectors.

  • Cybersecurity Act 2018: The Cybersecurity Act 2018 requires and authorises the taking of measures to prevent, manage and respond to cybersecurity threats and incidents; regulates owners of critical information infrastructures (CIIs); establishes the framework for the sharing of cybersecurity information; and regulates cybersecurity service providers. It also provides the regulator with the power to investigate cybersecurity threats or incidents in order to determine their impact, prevent further harm and future incidents. These investigative powers can be delegated to authorised persons, and can be exercised in respect of any computer or computer system in Singapore; not only CIIs. The level of intrusiveness of such powers that can be exercised will depend on the severity of the situation.
  • CMA: The CMA makes provision for securing computer material against unauthorised access or modification, and to require or authorise the taking of measures to ensure cybersecurity. In particular, the CMA criminalises cybercrime such as ecommerce scams and hacking, and also makes it illegal for: (a) any person to provide or receive personal information which he suspects was obtained through unauthorised means; and (b) any person to deal with items designed for, adapted to and used to commit computer crimes, including hardware and software (e.g. computer programmes, passwords or access codes).
  • MAS Rules: The MAS Rules, amongst other things, require regulated entities to: (a) conduct system and penetration testing; (b) continuously monitor and detect network and other types of cyber intrusions; and (c) require the board and senior management of the regulated entities to effectively implement that entity’s cyber resilience programme.

4. Authority

The primary authority in charge of responding to any issue regarding cybersecurity is the National Guard (previously Federal Police, now formally though not materially fully integrated into the National Guard) and the Ministry of Public Security. Additional to this, there are other local authorities in some regions, such as the Police for the Prevention of Cybercrimes in Mexico City.

The INAI is responsible for overseeing data security breaches in general.

There are other authorities that could have jurisdiction regarding sector-specific cybersecurity breaches e.g. the Mexican Securities and Exchange Commission or Mexico’s Central Bank in case of cybersecurity breaches in the banking and financial sector. 

The High Commission for National Protection (Haut-commissariat à la Protection nationale, HCPN) is a body that falls under the responsibility of the Prime Minister and Minister of State. Its main mission is to ensure that the nation is always, and in all circumstances, protected against threats that could seriously infringe upon its sovereignty and independence, the free functioning of its institutions, the safeguarding of its national interests and the safety of the population. The National Agency for the Security of Information Systems (ANSSI) is under the responsibility of the HCPN. The role of the HCPN has been consolidated by the law dated 23 July 2016 (Consolidation Act) and modified by the law dated 28 May 2019 transposing Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 on measures to be taken to ensure a high level of network and information security in the Union.

5. Key obligations 

Given there is no legislation specifically regulating cybersecurity, companies operating in sectors that do not have their own cybersecurity requirements are not subject to any particular obligations. Similarly, there is no obligation to report cyber incidents to the authorities. However, gaining access or trying to access a protected system is considered a crime in Mexico and therefore the offended party has the capacity to report the crime to Federal Prosecutors. 

With respect to personal data, under the Data Protection Legislation, every organisation must implement corrective and preventive measures to improve security and avoid the violation personal data rights.

Critical Infrastructure Acts: need to appoint a security officer and establish a security plan.

Cybersecurity Act 2018:
  • Owners of critical information infrastructure must: (a) comply with codes and directions; (b) conduct audits and risk assessments; (c) report cybersecurity incidents; and (d) participate in cybersecurity exercises; and
  • Certain cybersecurity service providers will need to be licensed.
  • The following activities are prohibited: (a) unauthorised access or modification of computer material; (b) unauthorised use or intercept of computer services; (c) obstructing the use of computers; (d) unauthorised disclosure of computer access codes; (e) providing, receiving or supplying personal information which the person knows or suspects was obtained through unauthorised means; and (f) dealing with items designed for, adapted to and used to commit computer crimes. 
MAS Rules:
  • Establish methodologies for system testing, conduct penetration testing and source code review, and enable recovery measures and user access controls;
  • Board and senior management of regulated entities are to: (a) ensure appropriate accountability structure and organisational risk culture is in place, and (b) be trained in technology risk and cybersecurity;
  • Notify the MAS of breaches of security and confidentiality of financial institutions’ customer information (MAS Notices and Guidelines on Technology Risk Management and the MAS Guidelines on Outsourcing); and
  • Implement cybersecurity measures to protect IT systems, and prevent and mitigate against cyberattacks (MAS Notices on Cyber Hygiene).   

6. Sanctions & non-compliance 

Even though there is no definition of “cybercrime”, the Federal Criminal Code sanctions some behaviours that can be identified as cybercrimes, such as hacking, phishing, infections of IT systems with malware, identity theft or fraud. These illegal behaviours can be punished with prison sentences and a range of fines, depending on the severity of the crime. 

Administrative sanctions:


Criminal sanctions:

Law dated 28 May 2019 transposing Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 on measures to be taken to ensure a high level of network and information security in the Union:

  • Fine of up to EUR 125,000.  


Administrative sanctions:

Cybersecurity Act 2018: 

  • Fines not exceeding SGD 10,000 for each contravention or non-compliance which is not an offence, but not exceeding SGD 50,000 in aggregate.
Criminal sanctions:

Cybersecurity Act 2018:

  • Varies depending on the specific offence, although in general a criminal fine not exceeding SGD 100,000 or imprisonment for a term not exceeding two to ten years or both.


  • A criminal fine not exceeding SGD 50,000 or imprisonment for a term not exceeding ten years or both; and
  • In respect of protected computers, a criminal fine not exceeding SGD 100,000 or imprisonment for a term not exceeding 20 years or both.


  • Compensation for damage caused to computer, programme or data. 

MAS Rules:

  • Varies depending on the type of regulatory instrument that set out the specific rules (e.g. directives, guidelines, notices or circulars). For example, the contravention of guidelines is not a criminal offence and does not attract civil penalties but may have an impact on the regulator's overall risk assessment of that entity and renewal of licences issued by the regulator. Circulars, on the other hand, are documents sent for the relevant entities’ information have no legal effect. Notices primarily impose legally binding requirements on a specified class of financial institutions or persons. 

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

The authority responsible for the prevention and response of any cybersecurity issue is the National Response Centre for Cyber Incidents of the Federal Police (now formally incorporated to the National Guard) or CERT-MX. This body is in charge of preventing and mitigating any threat to technological infrastructure and operability in Mexico. Additionally, the INAI is responsible for supervising compliance with legislation regarding personal data protection.


Computer Incident Response Center Luxembourg (CIRCL) is the cyber emergency team and acts as the CERT for the private sector, communes and non-governmental entities in Luxembourg that assists companies with: (i) the coordination of the event in cyber incidents; (ii) advice about finding a solution when cyber incidents arise; and (iii) support to prevent these security incidents occurring.

The Computer Emergency Response Team of the Government of the Grand-Duchy of Luxembourg (GOVCERT.LU) is the Luxembourg Computer Security Incident Response Team (CSIRT). The services oversee the management of cyber-security incidents compromising Luxembourg, its citizens or its economy and is responsible for receiving, reviewing and responding to report of such.

GOVCERT.LU is the single point of contact dedicated to the treatment of all computer-related incidents that could jeopardise the information systems of the government and defined critical infrastructure operators operating in Luxembourg, whether they are public or private.
Incidents that are not related to GOVCERT.LU’s constituency are forwarded to other appropriate CSIRTs.

Yes, the Singapore Computer Emergency Response Team (SingCERT) responds to cybersecurity incidents for its Singapore constituents. It was set up to facilitate the detection, resolution and prevention of cybersecurity related incidents on the Internet.

8. National cybersecurity incident management structure

The CERT-MX is responsible for dealing with any cybersecurity incidents, but only after a specific request, complaint or demand is submitted. The INAI can also initiate investigations regarding the protection of personal data.

The national management structure for responding to cybersecurity incidents is GOVCERT.LU

According to Singapore’s Cybersecurity Strategy, the National Cyber Security Centre (part of the CSA) will coordinate with sector regulators to provide a national level response and facilitate quick alerts to cross-sector threats.

9. Other cybersecurity initiatives 

In the private sector, the Mexican Association for Cybersecurity offers services and products regarding cybersecurity and data protection. It also encourages the protection of information and proper information handling. 

SMILE “Security Made In Lëtzebuerg” GIE, operator of the CERT “CIRCL”, is also the host organisation for CASES and BEE SECURE. 

Singapore’s Cybersecurity Strategy sets out Singapore’s vision, goals and priorities for cybersecurity. It engenders coordinated action and facilitates international partnerships for a resilient and trusted cyber environment - see more here.

Portrait of Héctor González Martínez
Héctor González Martínez
Senior Associate
Mexico City
Portrait of Vivian Walry
Vivian Walry
Partner | Avocat à la Cour
Portrait of Gilles Bropsom
Gilles Bropsom
Senior Associate
Sheena Jacob