Pasero Abogados, S.C. Home Print Contact us
« Return to newsletters menu

Federal Law for the Protection of Personal Data

April 2011

Federal Law for the Protection of Personal Data Held by Private Parties (“The Law”). Published in the Federal Official Gazette (D.O.F.) on July 5th, 2010

The constant improvements in technologies and the way information is handled, has motivated our authorities to set standards to regulate the privacy of individuals. For this purpose, Mexico has enacted the Federal Law for the Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares or LFPDP).

The LFPDP, as many other data protection laws enforced in other countries including the U.S. and Canada, has been created to protect personal information held by private parties (“the Responsible Parties”), with the purpose of ensuring privacy and the right of self determination regarding personal information of each individual (“Data owner or Dat Proprietor”).

This Law regulates the methods and conditions under which private corporations must collect, handle and process personal data.

Parties subject to the Law

All individuals and corporations carrying out the process of collecting and handling personal data, such as banks, department stores, insurance companies, telephone companies, hospitals, laboratories, universities, among others.

The organisms that are exempted to comply with the LFPDP are credit information companies; also, individuals collecting data for personal use only (non-disclosure or commercial use).

Classification of Data according to the Law

Sensible Data: Personal data that affects the most intimate sphere of its proprietor, or data that improperly handle can lead to discrimination or entails a serious risk to the individual. In particular, information that may reveal sensitive issues such as: racial or ethnic origin, current or future health status, genetic information, religious, philosophical and moral information, union affiliation, political views, sexual preferences.

When collecting, handling and processing Sensible Data, the Responsible Party must obtain written consent from the Data Proprietor, through the obtainment of the Data Proprietor’s written signature, electronic signature or any other mechanism of authentication that is established for said purpose.

The law prohibits the creation of sensible databases without a justification for the creation of the same with legitimate purposes, concrete and according to the activities or purposes of the collecting Responsible Party.

Personal Data: Any information that identifies an individual or makes him/her identifiable, such as: name, address, age, nationality, profession, etc.

Required Obligations

The Responsible Party of collecting, handling and processing data will have the obligation to inform Data Owners, which information is being collected from them and for what purposes by means of an execution of a Privacy Notice.

The Responsible Party will have the obligation to allow Data Owners to:

  • Access their data.
  • Deny transfer of their data.
  • Rectify data when they are inaccurate.
  • Cancel data at any moment, except in the cases stipulated in the Law.

The Privacy Notice

In connection to the aforementioned, the Privacy Notice is a written, electronic or any other type of document generated by the Responsible Party for collecting Data from individuals, which must be made available to Data Owner prior to the processing of its personal Data.

The Privacy Notice must contain:

  • Name and domicile of the Responsible Party.
  • The means the Data Owner has to exercise its right of access, rectification, cancellation or opposition, in accordance to the Law.
  • Final purpose of data processing.
  • The choices or means offered by the Responsible Party to the Data Owner with the purpose of limiting the use or disclosure of such data.
  • In its case, the transference of data carried out, and
  • The procedure and means by which the Responsible Party will communicate to Data Owners of any applicable changes to the Privacy Notice in accordance to the provisions of the Law

Important facts regarding the Privacy Notice

  • The Responsible Party must request approval from the Data Proprietor in the Privacy Notice in order to transfer any data.
  • In case of Sensible Data, the Privacy Notice must expressly mention that it contains this type of data.
  • When data has not been directly collected from its owner, the Responsible Party must inform this through the Privacy Notice.
  • Whenever personal data is no longer necessary for the fulfillment of the purposes mentioned in the Privacy Notice and the legal applicable dispositions, said data must be cancelled.
  • The Privacy Notice must indicate the person or department that will be in charge of responding all requests to access, modify, cancel or oppose to the use of personal data.

Cases when data may be transferred national or international without having to obtain written consent from its proprietor

  1. When said transfer is provided in a Law or Treaty in which Mexico is part.
  2. When said transfer is necessary for the prevention or medical diagnosis, the rendering of health services, medical treatment or the management of health services.
  3. When said transfer takes place among holding companies, subsidiaries or affiliates under the control of the Responsible Party, or a parent company or any other company from the same group of the Responsible Party that operates under the same process and internal policies.
  4. When the transfer is necessary due to an agreement executed or to be executed in interest of the Data Proprietor, the Responsible Party and a third party.
  5. When the transfer is necessary or legally required for the safeguard of a public interest, or for the enforcement or administration of justice.
  6. When the transfer is necessary for the establishment, exercise or to defend a right in a judicial process, and
  7. When the transfer is necessary for the maintenance or complying of a judicial relationship between the Responsible Party and the Data Proprietor.

Governmental Agencies responsible for the regulation and compliance of the Law

Institute for Access to Information and Data Protection (IFAI): will be responsible of the safekeeping and protection of data and it will only act previous request of data owners or their legal representatives.

The IFAI will be the acting authority in investigating and imposing any fines and/or penalties to the Responsible Parties, in case of breach of the Law.

Ministry of Economy: Its main purpose will be to inform and educate about the obligations regarding the protection of personal data between national and international corporations with commercial activities in Mexican territory.

Administrative Consequences related with the LFPDP

  1. Written warning issued by the IFAI.
  2. Fine from 100 up to 160,000 days of minimum wage, when the Responsible Party acts with negligence or intentionally with respect to personal data, does not observe the data principles established in the Law or omits data in the Privacy Notice.
  3. Fine from 200 up to 320,000 days of minimum wage, when the Responsible Party fails to comply with its duty of confidentiality in the treatment of data, changes the purpose of said data without giving notice, transfers data to a third party without consent of the data owner, blocks the acts of verification of the IFAI or makes an illegitimate use of data.
  4. In case of repeated breach of the Law, the IFAI may impose additional fines of 100 to 320,000 days of minimum wage.

Fines may be increased up to twice the amount in case of infringement in the handling and processing of sensitive data.

Criminal Consequences related with the LFPDP

  1. Three months to three years imprisonment for anyone authorized to process personal data that for profit purposes, causes a security breach to the databases under their custody.
  2. Six months to five years imprisonment to anyone that with the intention of obtaining an unjustified profit, treats databases by deception, taking advantage of an error committed by the Data Owner or by a person authorized to transfer the data.

Penalties may be increased up to twice the amount in case of any violation in the handling and processing of sensitive data.


The Law requires companies and third parties involved in the processing of personal data to maintain the confidentiality of personal data at all times. The obligation to maintain confidentiality exists even after the relationship with the data subject ends.


The LFPDP entered in force on July 6th, 2010.

The authority has a term of one year after the enactment of the Law to publish the Regulations and Policies of the Law; until this date, said Regulations and Policies have not been published.

All parties subject to this Law have a term of one year after the enactment and publication of the Law to prepare and issue the Privacy Notice.

For unrelated companies, data transfers should be covered by contractual terms that specify the relevant restrictions and provide notice to the individuals unless an exception applies.

It is now mandatory that companies establish specific procedures and appoint dedicated personnel to respond to Data Proprietors requests as efficiently as possible and in accordance with obligations under the Law.

The Responsible Party must ensure that the data in their possession are duly protected.


Corporations must start to separate and classify the data they have on their files.

Corporations must start to draft comprehensive privacy policies, procedures, and guidelines aimed to satisfy with the new legal requirements under the Law.

Corporations must also develop internal mechanisms to ensure that personal data is protected, accurate, and used within the confines of the privacy notice.

Corporations must be pending to receive specific details in order to comply with the above once the Regulations and Policies are enacted.

Blvd. Agua Caliente No. 4558-403
Col. Aviación
Tijuana, B.C. 22420, México

Tel. 52 (664) 686 5557
Fax 52 (664) 686 5558

P.O. Box 767
Bonita, CA 91908
* Mailing Address only

Tel. (619) 498 9282
Toll Free 1 855 498 9282