Federal Law on the Protection of Personal Data Held by Private Parties (FDPL)

Highlights

Applicability:

The FDPL applies to the processing of Personal Data by private individuals or private legal entities where:

• The processing is carried out by a Controller established in Mexico;
• The processing is carried out by a Processor (whether or not located in Mexico), if the processing is performed on behalf of a Mexican Controller;
• The processing is performed by or on behalf of Controller not located in Mexico, if Mexican laws and regulations apply pursuant to a contract or Mexico’s adherence to an international convention; or
• Processing is carried out within Mexican territory by or on behalf of a Controller not established therein, unless the processing is merely for transit purposes.

The FDPL does not apply to:

• Public entities (e.g., t governmental entities);
• Credit reporting companies governed by the Law Regulating Credit Reporting Companies, or persons processing Personal Data exclusively for personal (and not commercial) use; or
• Business-to-business data, including Personal Data regarding individuals in their capacity as professionals or merchants, or Personal Data of natural persons acting on behalf of a business, where the Personal Data processed is:
  
  • limited to name, position, address, phone number, and business contact data, such as mailing or physical address, email address, telephone number and fax number; and
  • the Personal Data is processed solely for the purpose of representing the business or administering the business relationship (i.e., fulfilling orders, providing services, carrying out transactions between the business entities).

Controller Obligations:

Controllers must:

• Collect and process Personal Data fairly and lawfully.
• Collect Personal Data for specified, explicit, and legitimate purpose and process such Personal Data for only such purposes.
• Receive a Data Subject’s consent to process their Personal Data unless an exception under the Act applies¹, provided that Controllers must receive express consent to process Sensitive Personal Data and financial data. “Express” consent means consent that is communicated verbally, in writing, by electronic means or via any other technology, or by unmistakable indications. Controllers may presume consent if a Data Subject receives a privacy notice and does not affirmatively object (except with respect to Sensitive Personal Data and financial data).
• Implement reasonable physical, technical, and administrative security measures to protect Personal Data.²
• Maintain Sensitive Personal Data only if justified by legitimate purposes consistent with the Controller’s activities.
• Provide a comprehensive privacy notice to Data Subjects before or at the point of collection.
• Appoint a data protection officer or other individual to be responsible for the Controller’s privacy practices.
• Notify Data Subjects of Transfers to Third Parties (not including processors) and, where consent to the Transfer is required, obtain consent.³

Processors must:

• Process Personal Data in accordance with the Controller’s instructions.
• Implement reasonable physical, technical, and administrative security measures to protect Personal Data (see footnote 2).
• Maintain the confidentiality of the Personal Data.
• Delete Personal Data that were processed after termination of any agreement with the Controller or as instructed by the Controller unless there is a legal requirement for the Processor to maintain such data.
• Not transfer Personal Data unless instructed by the Controller, or if required for subcontracting purposes or a request by a competent authority.

Consumer Rights:

Controllers must respond without undue delay and within twenty (20) days to a verified request⁴ regarding the processing of Personal Data and Sensitive Personal Data, including Data Subjects:

• Right to access Personal Data
• Right to correct inaccurate Personal Data
• Right to request erasure of Personal Data
• Right to object to collection of Personal Data
• Right to limit disclosure of Personal Data
• Right to revoke consent to process Personal Data

More Details

Definitions:

• Controller: the individual or private entity that makes decisions regarding the processing of Personal Data.
• Data Subject: the individual to which the Personal Data belongs.
• Personal Data: any information relating to an identified or identifiable individual.
• Processor: the individual or entity that separately or jointly with others processes Personal Data on behalf of the Controller.
• Sensitive Personal Data: Personal Data that (i) relates to the most private areas of the Data Subject's life or (ii) might lead to discrimination or involve a serious risk for the Data Subject if misused. Sensitive Personal Data may include racial or ethnic origin, present and future health status, genetic information, religious, philosophical, and moral beliefs, union membership, political views, and sexual preference.
• Third Party: an individual or entity, whether national or foreigner, that is not the Data Subject, the Controller, or the Processor of the Personal Data.

Penalties:

• Civil: Violations of the FDPL may be enforced by the National Institute of Transparency, Access to Information and Protection of Personal Data (“INAI”). The maximum civil penalty for violations ranges from MXN 8,450 to MXN 27 million, though the INAI may double this amount for violations related to Sensitive Personal Data.
• Criminal: Individuals may face criminal penalties, as well, including:
  
  • Three to five years imprisonment for causing a data breach with intent to profit.
  • Six months to five years imprisonment for using fraud or deceitful methods to process Personal Data with intent to profit.

These penalties may be increased if a violation is related to Sensitive Personal Data.

Private Action:

No

Associated Regulations:

• The Regulations to the Federal Law on the Protection of Personal Data held by Private Parties (Reglamento de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares) (effective December 22, 2011)
• The Privacy Notice Guidelines (the Guidelines) (effective April 18, 2013)
• The Recommendations on Personal Data Security (effective November 30, 2013)

Effective Date:

July 6, 2010

¹ Examples of exceptions include circumstances where: the Personal Data is contained in publicly available sources; the Personal Data is used to fulfill contractual obligations between the Controller and the Data Subject; there is an emergency that could potentially harm an individual or his property; or the Personal Data is essential for medical attention, prevention, diagnosis, health care delivery, medical treatment or health services management, where the Data Subject is unable to give consent in the terms established by the certain Mexico health laws and other applicable laws, and the Processing is carried out by a person subject to a duty of professional secrecy or an equivalent obligation.

² The Federal Institute of Access to Information and Data Protection (IFAI) released recommended security measures as set out in the Recomendaciones en materia de seguridad de datos personales. 

³ Mexican privacy laws distinguish between Transfers to Third Parties on the one hand, and “transmissions” to processors on the other.  Transfers require Data Subject consent in most cases, whereas transmissions generally do not.

⁴Controllers must reliably verify the Data Subject’s identity. Authorized representatives may also make requests on behalf of the Data Subject, provided the Controller verifies the identity of the Data Subject, the identity of the authorized representative, and a legal instrument confirming the representation (e.g., a power of attorney).