Federal Law on the Protection of Personal Data held by Private Parties (LFPDPPP) Mexico

Overview

The Federal Law on the Protection of Personal Data held by Private Parties (LFPDPPP) is Mexico's primary data protection law. Enacted in 2010, it aims to protect personal data in the possession of private entities, ensuring its controlled and informed use while respecting individuals' privacy rights and informational self-determination. The law mandates that data processing must be legitimate and includes guidelines for transparency, consent, and security. The law is supplemented by several regulations and guidelines:

 

Regulation Summary

Timeline
  • Enacted: July 5, 2010
  • Effective: July 6, 2010
  • Compliance Deadlines: Privacy notices and data controller assignments were required by July 6, 2011.

What Businesses Are Affected

The law applies to private individuals and legal entities processing personal data in Mexico, including:

  • Organizations collecting personal data for commercial use.
  • Entities that process data of Mexican residents, even if the entity is located abroad.

Exemptions
  • Data collected exclusively for personal or household use.
  • Credit reporting agencies governed by separate regulations.

Responsibilities for Businesses
  • Obtain consent before processing personal data.
  • Provide clear and accessible privacy notices.
  • Implement security measures to protect data from misuse or unauthorized access.
  • Ensure data is accurate, relevant, and up to date.

Specific Responsibilities for Website Owners
  • Publish a comprehensive privacy notice.
  • Implement mechanisms for consent, including opt-in/opt-out for specific data uses.
  • Notify individuals of any changes in data use or breaches that could affect their rights.

Additional Requirements
  • Appoint a Data Protection Officer (DPO) or department to manage compliance.
  • Ensure proper data transfers with third parties through contractual safeguards.
  • Maintain records of data processing activities.

Data Subject Rights
  • Access: Individuals can access their personal data.
  • Rectification: Correct inaccurate or incomplete data.
  • Cancellation: Request deletion of their personal data.
  • Objection: Object to processing for specific purposes.

Enforcement
  • Authority: The Federal Institute for Access to Information and Data Protection (INAI).
  • Penalties:
    • Fines ranging from 100 to 320,000 days of Mexico City’s minimum wage ($1,206 USD to $3,857,007 USD).
    • Criminal penalties, including imprisonment for certain violations.