CMS Expert Guide: Data Law Navigator

Data protection

1. Local data protection laws and scope

The main data protection legislation is the Federal Law on the Protection of Personal Data held by Private Parties (the “Data Protection Law”) and its supplementary regulation (the “Data Protection Regulations”), together the “Data Protection Legislation”. The Data Protection Law came into force in July 2010 and the Data Protection Regulation came into force in December 2011. Other relevant legislation containing data protection provisions includes:

  • Articles 6 to 16 of the Mexican Constitution;
  • The Privacy Notice Guidelines, which govern the content of data privacy notices and obtaining consent for processing personal data;
  • The General Law for the Protection of Personal Data in Possession of Obligated Subjects governs personal data held by public bodies; and
  • The Federal Consumer Protection Law governs certain aspects concerning marketing activities.    

Additionally, Mexico is a signatory of international agreements on data protection, such as the Convention for the Protection of the People Regarding the Automated Treatment of Personal Information. Mexico is also a member of the Inter American Network of Data Protection.

2. Data protection authority

The Federal Institute for Access to Information and Data Protection (Instituto Nacional de Acceso a la Información y Protección de Datos Personales or "INAI"), is responsible for overseeing the Data Protection Legislation. Its aim is to encourage access to all public information about governmental activities, and budgets, as well as seeking the protection of personal data and the right to privacy.
The INAI, if requested by a data subject, may carry out an investigation to verify a specific undertaking's compliance with the Data Protection Legislation and may sanction those found to be in breach of it.

3. Anticipated changes to local laws

There are no anticipated changes. Notwithstanding, the President of Mexico suggested in January that the INAI would be replaced by a State-controlled body. No additional details or timelines have been provided.

There are no anticipated changes.

4. Sanctions & non-compliance

The INAI has the authority to impose the following administrative fines:

  • 100 to 160,000 units of measure (1 unit of measure = MXN 86.88) for:
    • Acting negligently or fraudulently in processing and responding to requests for personal data access, rectification, cancellation or objection;
    • Fraudulently declaring the inexistence of personal data where such exists in whole or in part in the databases of the Data Controller;
    • Processing personal data in violation of the principles established in the Data Protection Law;
    • Omitting from the Privacy Notice any or all of the information it requires;
    • Maintaining inaccurate personal data when such action is attributable to the Data Controller, or failing to perform legally due rectifications or cancellations where the data subject’s rights are affected; and
    • Failure to comply with the notice warnings issued by the INAI.
  • 200 to 320,000 units of measure (1 unit of measure = MXN 86.88) for:
    • Breaching the duty of confidentiality set out in the Data Protection Law;
    • Materially changing the original data processing purpose in contravention of the Data Protection Law;
    • Transferring data to third parties without providing them with the Privacy Notice containing the limitations to which the data subject has conditioned data disclosure;
    • Compromising the security of databases, sites, programmes or equipment;
    • Carrying out the transfer or assignment of personal data outside of the cases where it is permitted under the Data Protection Law;
    • Collecting or transferring personal data without the express consent of the data subject where required;
    • Obstructing verification actions of the INAI;
    • Collecting data in a deceptive and fraudulent manner;
    • Continuing with the illegitimate use of personal data when the INAI or the data subjects have requested such use be ended;
    • Processing personal data in a way that affects or impedes the exercise of the rights of access, rectification, cancellation and objection; and
    • Creating special data databases in violation of the Data Protection Law.

In the event that the infractions mentioned in the preceding paragraphs persist, an additional fine of 100 to 320,000 units of measure (1 unit of measure = MXN 86.88) can be imposed.

Sanctions may be doubled for any of the above infractions committed in the treatment of sensitive data.

The DPL, together with the Turkish Criminal Law No. 5237, contains details regarding enforcement.

Administrative sanctions:

The DPA has powers to impose fines of up to the greater of:

  • TRY 9,834 to TRY 196,686 (EUR 1160 to EUR 23,267) in the case of non-compliance with information obligations;
  • TRY 29,503 to TRY 1,966,862 (EUR 3,490 to EUR 232,675) in the case of non-compliance with the data security obligations;
  • TRY 49,172 to TRY 1,966,862 (EUR 5,816 to EUR 232,675) in the case of non-compliance with the decisions of the Board; and
  • TRY 39,337 to TRY 1,966,862 (EUR 4,653 to EUR 232,675) in the case of non-compliance with the requirements regarding the registration with the Registry.

Criminal sanctions:

There are various criminal offenses under the DPL and the Turkish Criminal Law No. 5237 including: 

  • Illegal recording of personal data;
  • Illegal recording of special categories of personal data;
  • Illegal transfer or acquisition of personal data or making personal data available to the public;
  • If the illegal transfer, acquisition, or public disclosure is related to the statements or photos/videos of minors who have committed crimes as described in the Turkish Criminal Procedure Law No. 5271;
  • Not deleting the data when necessary;
  • Not deleting the data as per the provisions of the Turkish Criminal Procedural Law No. 5271;
  • Impairing or preventing the due functioning of an IT system;
  • Corrupting, destroying or amending data in an IT system, making such data inaccessible, placing data on an IT system, or sending existing data to other media; and
  • Where the actions in the preceding paragraph have been taken with respect to the IT systems of a bank, credit institution, or a public authority.

In addition to the data controller facing the monetary penalties indicated in our responses above, individual company directors and representatives can face criminal liability, with imprisonment ranging from six months to eight years.

Others: 

According to article 14 of the DPL, data subjects are entitled to claim to the courts for compensation for material or non-material damage in the event of a data breach. 

5. Registration / notification / authorisation

The Data Protection Legislation does not require prior notification or registration for any data processing activities.

Unless they benefit from an exemption as outlined under the DPL and the secondary legislation, all data controllers (foreign or residing in Turkey) engaged in data processing in Turkey are obliged to sign up to the Registry.

6. Main obligations and processing requirements

The Data Protection Law recognises two parties who deal with personal data:

  1. Data Processors: the individual or legal entity that processes personal data on behalf of the Data Controller.
  2. Data Controller: the individual or legal entity that decides on the processing of personal data.

Their relationship must be established through contractual clauses or other legal instruments in a way that proves the existence, scope and nature of such relationship.

According to the Data Protection Legislation, the principles that must be observed by controllers and/or processors in the processing of personal data are the following:

  1. Legitimacy: Personal data must be collected and processed in a lawful manner;
  2. Consent: The data subject must give its consent for the processing of its personal data;
  3. Information: Through a Privacy Notice, the Data Controller must inform the data subject about the existence and the characteristics of their personal data processing;
  4. Quality: This principle is presumed to be met when the personal data is provided directly by the data subject; if not, the Data Controller must take the measures and adopt the mechanisms considered necessary to ensure that the data is accurate, complete, up to date and correct;
  5. Purpose: Personal data can only be processed for the purposes established in the Privacy Notice;
  6. Loyalty: Personal data must be processed safeguarding the protection of the data subjects’ interests and the reasonable expectation of privacy; and
  7. Responsibility: Data Controllers are accountable for the processing of personal data in their custody, as well as for data transferred to a Data Processor.

Additionally, the following legal requirements should be taken into account when processing personal data:

  1. Personal data must be collected and processed in a lawful manner in accordance with the provisions established by the Data Protection Legislation and other applicable regulations;
  2. Personal data must not be obtained through deceptive or fraudulent means;
  3. In all processing of personal data, it is presumed that there is a reasonable expectation of privacy, understood as the trust any one person places in another for personal data provided to be treated pursuant to any agreement of the parties in the terms established by the Law;
  4. Personal data should not be kept for any longer than is necessary in order to comply with the purposes for which the personal data was originally held. Data Controllers must establish and document retention procedures, including deletion and/or blocking of personal data, taking the nature of the data into account.

The DPL requires data controllers to either obtain the explicit consent of the data subject for data processing or rely on one of the legal bases below:

  • Such processing is explicitly allowed under the relevant legislation;
  • Such processing is necessary to protect the vital interests or the bodily integrity of the data subject or of any other person who is physically or legally incapable of giving explicit consent;
  • It is necessary to process the personal data of persons party to a contract where such processing is necessary to enter into the said contract or fulfil its terms;
  • The processing of the personal data is necessary for the data controller to fulfil a legal obligation;
  • The personal data has been made public by the data subject;
  • The processing of the personal data is necessary to establish, use or preserve a right; or
  • The processing of the personal data is necessary for the legitimate interests of the data controller on the condition that such processing does not infringe upon the fundamental rights and freedoms of the data subject.

In addition, personal data may, in general, only be processed in accordance with the relevant procedures and principles set out under the DPL and the relevant pieces of legislation.

Further distinctions with respect to the procedures and principles applicable to the processing of sensitive personal data (özel nitelikli kişisel veri) are also applicable under the DPL.

Penalties for breaches of the DPL

See our responses to “Sanctions & non-compliance” above.

7. Data subject rights

All data subjects are entitled to exercise rights of access, rectification, cancellation and objection regarding their personal data (collectively known as ARCO rights). These rights are not mutually exclusive.

Right of Access

The data subject is entitled to access its personal data held by the Data Controller, as well as information regarding the conditions and generalities of the processing.

Right of Rectification

Data subjects may request, at any time, that Data Controllers rectify personal data if it is inaccurate or incomplete.

Right of Cancellation

Data subjects have the right to cancel (i.e. seek erasure of) their personal data. There are certain situations where Data Controllers have the right to object to such erasure (e.g. if retention is required by applicable law or public interest).

Right of Objection

Data Subjects may, at any time, oppose the processing of their personal data for legitimate purposes.

The data subject must be granted the following rights:

  • The right to learn whether his/her personal data has been processed and if so, demand information about such processing/transfer;
  • The right to learn the purpose of such data processing and whether the use of his/her personal data is in line with the intended purpose of processing/transfer;
  • The right to learn about the third parties to whom the data subject’s personal data has been transferred (in Turkey or abroad);
  • The right to demand correction in the event that the personal data has been processed in a deficient or wrongful manner;
  • The right to demand deletion, disposal, or anonymisation of the personal data in accordance with the provisions of the DPL or if the grounds for the processing of the personal data are no longer applicable, notify the third parties to whom the data subject’s personal data was transferred about the said correction, deletion, disposal, and anonymisation procedures;
  • The right to object to the results if the personal data has been analysed by automated systems and this has produced results that are unfavourable for the data subject; and
  • The right to demand compensation if the processing of the personal data in violation of the DPL has resulted in damages for the data subject.

8. Processing by third parties

According to the Data Protection Law, if a Data Controller intends to transfer personal data to third parties, it must provide them with the Privacy Notice and the purposes to which the data subject has limited the data processing. The data subject must consent to such transfer via the Privacy Notice.

Subcontracting

Data Processors must obtain permission from Data Controllers if subcontracting may involve the subcontractor processing personal data. Once consent is obtained, the Data Processor must enter into a contract with the subcontractor.

The subcontractor will assume the same obligations required for Data Processors under the Data Protection Legislation and other applicable law.

The Data Processor’s right to subcontract processing activities should be outlined in the contract between the Data Controller and Data Processor. If this right is not covered in that contract, the Data Processor must seek specific consent from the Data Controller in order to subcontract processing activities.

Under the DPL, a data processor (veri işleyen) is defined as the natural or legal person who processes personal data on behalf of the data controller, upon the authorisation of such data controller.

Where this third party is to receive the personal data to be processed from the actual data controller, the rules regarding the domestic transfer of personal data would become applicable. Accordingly, a data controller would be able to transfer such personal data to a data processor if: 

  • Explicit consent is obtained from the data subject;
  • This data transfer is explicitly allowed under the relevant legislation;
  • The data transfer is necessary to protect the vital interests or the bodily integrity of the data subject or of another person and the data subject is physically or legally incapable of giving his/her consent;
  • The transfer of the personal data of the parties of a contract is necessary, on the condition that the processing is directly related to the execution or performance of such contract;
  • The data transfer is mandatory for the data controller to fulfil its obligations;
  • The data to be transferred has been made public by the data subject;
  • The transfer is necessary for the establishment, exercise, or defence of a legal claim; or
  • The data transfer is necessary for the legitimate interests of the data controller on the condition that such processing does not infringe upon the fundamental rights and freedoms of the person in question.

Please note that the DPL indicates that special categories of personal data, except for those relating to the sexual life and the personal health of the data subject, may be transferred based on explicit consent or if such processing is allowed under the relevant pieces of Turkish legislation and the necessary precautions have been taken for the protection of the data in question.

Any personal data relating to the sexual life and the personal health of an individual may only be transferred based on explicit consent or, on the condition that the necessary precautions have been taken for the protection of the data in question, where the data is transferred by and for the purposes of:

  • Persons who are bound by the confidentiality obligation for the purposes of protecting public health, preventive medicine, medical diagnosis, planning, managing, and financing of treatment and medical care services; or
  • Authorised entities and institutions that hold the purposes indicated in the preceding paragraph.

9. Transfers out of country

International transfers of personal data must be consented to by the data subject and the purposes of such transfers must be included in the Privacy Notice. Such consent is not required where the transfer is:

  1. pursuant to a Law or Treaty to which Mexico is party;
  2. necessary for medical diagnosis or prevention, healthcare delivery, medical treatment or health services management;
  3. made to holding companies, subsidiaries or affiliates under common control of the Data Controller, or to a parent company or any company of the same group as the Data Controller, operating under the same internal processes and policies;
  4. necessary by virtue of a contract executed or to be executed in the interest of the data subject between the Data Controller and a third party;
  5. necessary or legally required to safeguard public interest or for the administration of justice;
  6. necessary for the recognition, exercise or defence of a right in a judicial proceeding; or
  7. necessary to maintain or fulfil a legal relationship between the Data Controller and the data subject.

In principle, the DPL requires either the explicit consent of the data subject for the transfer of his/her personal data to foreign jurisdictions or relying on another legal basis for such transfer.

In the latter case (i.e. where the transfer is based on a legal basis other than consent), personal data may be sent to a foreign jurisdiction only if:

  • There is sufficient protection of personal data in that jurisdiction (the Board decides and announces which countries have sufficient protection); or
  • If the related jurisdiction does not provide sufficient protection, the authorisation of the Board is obtained on the basis of written assurances (in the form of model clauses or, where multiple group companies are in question, Binding Corporate Rules) given by the data controllers both in Turkey and in the foreign country to which the personal data is transferred.

10. Data Protection Officer

Data Controllers must appoint a Data Protection Officer (or equivalent role) to deal with data subjects’ requests and promote data protection compliance within the Data Controller’s organisation.

The Data Protection Officer concept is not recognised under the DPL.

However, all data controllers that are obliged to register with VERBIS must appoint either a “data controller’s representative” and a contact person (if they are resident in a foreign jurisdiction) or only a “contact person” (if they are resident in Turkey).

In each case, the related individual should have no liability for the data controllers’ failure to comply with its statutory obligations, but merely acts as an intermediary between the data controller and the DPA.

11. Security

Data Controllers and Data Processors are required to establish and maintain administrative, physical and, if applicable, technical security measures for the protection of personal data.

In developing security measures, the data controller should take at least the following into account:

  1. the inherent risk given the type of personal data;
  2. the sensitivity of the personal data;
  3. technological developments;
  4. the potential consequences of a breach for data subjects;
  5. the number of data subjects;
  6. prior vulnerabilities in the processing systems;
  7. value of the data for an unauthorised third party; and
  8. other factors that may impact the level of risk or that result from other applicable laws and regulations.

The Data Protection Regulation also sets out actions that Data Controllers can take in order to comply with the security requirements:

  1. prepare an inventory of personal data;
  2. determine the functions and obligations of the person(s) who will process personal data;
  3. conduct a risk analysis of personal data consisting of identifying dangers and estimating the risks;
  4. establish the necessary security measures;
  5. identify gaps between existing security measures and those required for each type of data and each processing system;
  6. prepare a work plan based on the gap analysis in step 5 above;
  7. carry out revisions and/or audits;
  8. train personnel who process personal data; and
  9. keep a record of the methods of processing personal data.

A specific list of technical and administrative measures to be implemented is not available under the Turkish data protection legislation.

However, the Board has made one decision whereby it obliges any entities/persons processing special categories of personal data to take additional protective measures for the protection of any sensitive personal data processed by them (decision dated 31 January 2018 numbered 2018/10).

12. Breach notification

There are no requirements for Data Controllers to notify the INAI in the event of a data breach (other than Data Controllers which are government entities). However, Data Controllers must notify data subjects if their personal data is subject to a breach with at least the following information:

  1. nature of the breach;
  2. the personal data compromised;
  3. recommendations of actions that may be taken by the data subject to protect its interests;
  4. immediate measures being taken by the data controller; and
  5. any means by which the individual can find further information regarding the matter.

Under the DPL, data controllers are required to notify the DPA within 72 hours of becoming aware of a breach. Where the data controller fails to notify the DPA within that period, it must also inform the DPA of the reasons for the delay in its notification.

Further, the data controller must also notify the data subjects who have been affected by the breach.

13. Direct marketing

Personal data can be processed for advertising and marketing purposes in accordance with the Data Protection Legislation, provided that these purposes are made clear in the Privacy Notice and in any other medium required for communicating the processing purposes.

B2C direct marketing is regulated under the Turkish Law on the Regulation of E-Commerce No. 6563, which prohibits unsolicited electronic communications for direct marketing purposes without prior consent from the data subjects, unless:

  • The data subject has provided his/her contact information to the service provider in order to receive electronic communications related to the change, use and maintenance of goods or services already obtained;
  • The electronic communication does not promote new goods or services and solely relates to the collection of a debt, an information update, or similar actions concerning an ongoing subscription, membership or partnership; or
  • The electronic communication solely contains information on intermediary activities of the message sender regulated by the capital market legislation.

Please also note that although this matter is not specifically regulated under the DPL, as use of personal data for marketing would be considered as data processing, such marketing activity would also be subject to the general principles of the DPL as indicated above.

14. Cookies and adtech

When the Data Controller uses remote or local mechanisms for electronic, optical or other forms of technological communication which allow personal data to be collected automatically at the moment the data subject makes contact with such mechanisms, the data subject must be informed, at that moment, of the use of these technologies, of the personal data being obtained, and of the way in which the cookies can be disabled.

Cookies are subject to the general principles of the DPL as indicated above.

15. Risk scale

Moderate

Severe.

Cybersecurity

1. Local cybersecurity laws and scope

There is currently no specific federal cybersecurity law in force in Mexico.

Cybersecurity is regulated in the Federal Criminal Code, the Data Protection Legislation and other sector-specific legislation applicable to entities operating within those sectors (e.g. the Fintech Law). Specific cybersecurity measures are normally regulated through tertiary regulatory instruments such as manuals, official operating parameters and guides.

The decisive applicable laws and regulations related to cybersecurity matters are the following:

Please also note that other pieces of legislation related to cybersecurity, usually enacted on a sector-specific basis, are also in effect but have not been specifically mentioned as they are not of a general nature but concern specific sectors (e.g. banking, e-commerce).

2. Anticipated changes to local laws

A National Cybersecurity Strategy document was published in 2017, but since the change in government in December 2018, there has not been much progress in terms of actual regulation.

In February 2020, a Mexican Senator submitted a bill proposing amendments to the Data Protection Law (the “DP Bill”).

The DP Bill proposed implementing best practices with respect to cybersecurity but made no specific recommendations.

There have been no developments regarding the DP Bill since it was announced in February 2020.

Amendments to the cybersecurity legislation of Turkey and related changes are expected to be enacted based on the National Cyber Security Strategic Action Plans, which have been published by the Ministry of Transportation and Infrastructure (“Ministry”) since 2013, each of which has covered a period of several years.

The latest Strategic Action Plan was published in 2020 for the period 2020-2023. Its strategic objectives were the protection of critical infrastructure and increasing its resilience, enhancement of national capacity, the development of an organic cybersecurity network, ensuring the security of new generation technology, fighting against cybercrime, the development of national technology, the integration of cybersecurity into national security and improving international cooperation. As such, the aim is to reduce and deter cybercrime, apply general international standards of information security in the public and private sectors, and establish a national certification mechanism.

Since the 2017 announcement by the Minister of Transportation, Maritime Affairs and Communication that a draft for the Cyber Security Law had been prepared, no further developments have been publicly communicated.

3. Application

There is no indication of when (or if) the DP Bill will be passed into law or if the National Cybersecurity Strategy will be progressed.

Law No. 5809

Law No. 5809, implemented in Turkey on 5 November 2008, applies to the provision of electronic communication services, the operation of communication infrastructure and networks, the production, import, sale and establishment of electronic communication equipment and systems of any kind, and the regulation, inspection and authorisation of these activities.

To this effect, Law No. 5809 regulates the duties and authorities of the Ministry, the Information and Communication Technologies Authority (“Authority”) and the Cyber Security Council (“Council”), alongside the rights and obligations of operators and consumers.

Law No. 5651

Law No. 5651 regulates the obligations and the liabilities of the content providers, access providers and collective usage providers and the procedure and principles regarding fighting against certain crimes committed via the use of services provided by content providers, access providers and hosting services providers. It also grants powers to the Authority regarding detection and prevention of cyberattacks, ensuring coordination between content providers, access providers and hosting service providers regarding this matter and for taking the necessary measures in this respect.

Law No. 5237

Turkish Criminal Code No. 5237 is the key piece of legislation setting out all criminal law related matters in Turkey and has a specific section on cybersecurity. This section regulates and defines crimes such as penetration into an information system, hampering or breaking an information system, and destroying or changing data within such systems, as well as the penalties applicable to such crimes.

Decree No. 2012/3841

Decree No. 2012/3841 determines the duties of the Council, specifically determining the measures related to cybersecurity matters and approving the related plans, programmes, reports, procedures, principles and standards. The related duties of the Ministry are also determined by Decree No. 2012/3841, and include preparing, executing and managing national cybersecurity policies, strategies and action plans.

The Regulation

This Regulation sets out the procedures and principles that must be complied with by operators to ensure network and information security. The Regulation has been enacted based on Law No. 5809.

4. Authority

The primary authority in charge of responding to any issue regarding cybersecurity is the National Guard (previously Federal Police, now formally though not materially fully integrated into the National Guard) and the Ministry of Public Security. Additional to this, there are other local authorities in some regions, such as the Police for the Prevention of Cybercrimes in Mexico City.

The INAI is responsible for overseeing data security breaches in general.

There are other authorities that could have jurisdiction regarding sector-specific cybersecurity breaches, e.g. the Mexican Securities and Exchange Commission or Mexico’s Central Bank in case of cybersecurity breaches in the banking and financial sector.

  • Ministry of Transportation and Infrastructure, General Directorate of Communications (Cyber Security Council): https://hgm.uab.gov.tr/
  • Information and Communication Technologies Authority
  • Computer Emergency Response Team (National Centre for Intervention to Cyber Incidents): https://www.usom.gov.tr/

5. Key obligations

Given there is no legislation specifically regulating cybersecurity, companies operating in sectors that do not have their own cybersecurity requirements are not subject to any particular obligations. Similarly, there is no obligation to report cyber incidents to the authorities. However, gaining or attempting to gain access to a protected system is considered a crime in Mexico, and therefore the offended party may report the crime to Federal Prosecutors.

With respect to personal data, under the Data Protection Legislation, every organisation must implement corrective and preventive measures to improve security and avoid violations of personal data rights.

Obligations Arising from Law No. 5809 and Related Regulation

  • The Ministry must determine national cybersecurity policies, strategies, aims, procedures, and principles to ensure cybersecurity for real and legal persons, prepare action plans and facilitate the coordination of related operations.
  • The Authority must take every necessary measure to protect public institutions, real and legal persons against cyberattacks and ensure deterrence of any such attacks. 
  • The Council must take any necessary decisions for the nationwide application of policies, strategies, and action plans regarding cybersecurity, resolve proposals on determining critical infrastructure and determine institutions and organisations that are exempted from cybersecurity regulations.

The duties of the operators mentioned under the Law No. 5809 have been outlined under a separate piece of legislation, namely, the Regulation, indicated above, which has been enacted based on the Law No. 5809.

According to the Regulation, the operators are obliged, among other things, to:

  • establish an internal “Cyber Incidents Intervention Team”;
  • set up protection mechanisms on their IP addresses, communication ports and application protocols such as user verification or access control;
  • provide protection services against cyberattacks upon request;
  • take all necessary measures against cyberattacks such as DoS/DDoS attacks, propagation of malicious software;
  • if the source of a cyberattack reported by the Computer Emergency Response Team is one of the operator’s own users, notify that user and suspend the electronic communication service if the user so requests; and
  • if the source of a cyberattack reported by the Computer Emergency Response Team is a user of another operator, ensure that the other operator is notified.

Obligations Arising from Law No. 5651:

  • The Authority must facilitate coordination between content providers, hosting service providers, access providers and other related institutions and organisations regarding the detection and prevention of cyberattacks, execute the operations required to take the necessary measures and conduct the necessary studies.
  • Collective usage providers are obliged to take the necessary measures to fight against crimes and detect criminals within procedures and principles as determined under the applicable legislation. 

Obligations Arising from Decree No. 2012/3841:

  • Please see above the obligations arising from Law No. 5809.

6. Sanctions & non-compliance 

Even though there is no definition of “cybercrime”, the Federal Criminal Code sanctions some behaviours that can be identified as cybercrimes, such as hacking, phishing, infections of IT systems with malware, identity theft or fraud. These illegal behaviours can be punished with prison sentences and a range of fines, depending on the severity of the crime. 

Administrative sanctions:

Law No. 5809

The Authority is authorised to inspect and monitor the compliance of operators and consequently has the right to impose, among others, the following sanctions:

  • an administrative fine of up to 3% of the operator’s net sales of the previous calendar year;
  • the suspension of the operator’s authorisation, in the case of gross negligence;
  • if the operator initiated its operations recently, an administrative fine from TRY 1,000 to TRY 1m, or other sanctions specified within the Law considering the circumstances applicable;
  • the suspension of the operator’s operations temporarily or imposition of other tangible measures in the occurrence of cases as specified in the applicable regulations in effect prior to the incident.

Law No. 5651

As mentioned in our responses to “Key Obligations” above, collective usage providers must take the necessary measures to fight against crimes and detect the individuals engaged in such criminal activity. Commercial collective access providers who breach this obligation shall receive a warning, an administrative monetary fine and/or the suspension of their business operations for up to three days.

Criminal sanctions:

Law No. 5237

Various penalties for cybercrimes have been determined under the Law No. 5237. These are as follows:

Any person who unlawfully accesses, partially or fully, a data processing system, or remains within such system, shall be subject to a penalty of imprisonment for a term of up to one year or a judicial monetary fine.

Where the act defined in the paragraph above is committed in relation to a system that is only accessible upon the payment of a fee, the penalty shall be decreased by up to a half.

Where any data within any such system is deleted or altered because of this act, the penalty to be imposed shall be a term of imprisonment of six months to two years.

Any person who prevents the functioning of a data processing system or renders such system useless shall be subject to a penalty of imprisonment for a term of one to five years.

Any person who deletes, alters, corrupts, or bars access to data, or introduces data into a system or sends existing data to another medium shall be subject to a penalty of imprisonment for a term of six months to three years.

Where this offence is committed in relation to a data processing system of a public institution or establishment, bank, or institution of credit, then the penalty to be imposed shall be increased by a half.

Where a person obtains an unjust benefit for himself or another by committing the acts defined in the aforementioned paragraphs, and such acts do not constitute a separate offence, this person shall be subject to a penalty of imprisonment from two years to six years and a judicial fine of up to 5,000 days.

Any person who produces, imports, transfers, stores, accepts, sells, supplies for sale, purchases, gives to another person, or holds an equipment, computer program, password or other security code which was produced or created for committing abovementioned crimes or other crimes that could be committed by using information systems shall be subject to imprisonment of one to three years and judicial fine of up to 5,000 days. 

Others: 

N/A

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

The authority responsible for the prevention of and response to any cybersecurity issue is the National Response Centre for Cyber Incidents of the Federal Police (now formally incorporated into the National Guard), or CERT-MX. This body is in charge of preventing and mitigating any threat to technological infrastructure and operability in Mexico. Additionally, the INAI is responsible for supervising compliance with legislation regarding personal data protection.

Yes, the Computer Emergency Response Team (National Centre for Intervention to Cyber Incidents - USOM) (the “Team”) was founded within the Authority to detect the threats within the cyberspace, develop measures to prevent and minimise the effects of potential cyberattacks and share information with relevant actors when necessary. The Team also evaluates the cyberattack notifications and facilitates the coordination between relevant public and private organisations. 

Additionally, once again within the Authority, the Intervention Team for Sectoral Cyber Incidents and the Intervention Team for Institutional Cyber Incidents have been established under the abovementioned Team. 

  • The Intervention Team for Sectoral Cyber Incidents ensures that measures against, among others, cyberattacks, DoS/DDoS attacks and the propagation of malicious software are taken in the energy, banking and finance, transportation, critical public services, water management and electronic communications sectors. Cases in these sectors and matters that fall within the responsibility of the Intervention Team for Sectoral Cyber Incidents are reported to, and handled under the coordination of, the Team.
  • The Intervention Team for Institutional Cyber Incidents operates in the same way as the Intervention Team for Sectoral Cyber Incidents, but for matters connected to ministries, separate public institutions and other public institutions holding information systems.

8. National cybersecurity incident management structure

The CERT-MX is responsible for dealing with any cybersecurity incidents, but only after a specific request, complaint or demand is submitted. The INAI can also initiate investigations regarding the protection of personal data.

Please see above our responses to “Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?”

9. Other cybersecurity initiatives 

In the private sector, the Mexican Association for Cybersecurity offers services and products regarding cybersecurity and data protection. It also encourages the protection of information and proper information handling. 

The Cybersecurity Initiative was established under the Board of Internet Development, an organ within the Authority. The aim of the Cybersecurity Initiative is to conduct studies and present new ideas regarding the cybersecurity matters to the Ministry by working with sectoral stakeholders, facilitating exchange of ideas and coordination among relevant institutions, and revealing new common ideas. 

Héctor González Martínez
Senior Associate
Mexico City
Döne Yalçın
Managing Partner Turkey
Istanbul
Sinan Abra
Iremgül Mansur