The International Comparative Legal Guide to: Data Protection 2014
1st Edition
A practical cross-border insight into data protection law
Published by Global Legal Group, with contributions from:
BANNING
Barrera, Siqueiros y Torres Landa, S.C.
CMS Reich-Rohrwig Hainz
Dittmar & Indrenius
DLA Piper
ECIJA ABOGADOS
Eversheds
Gilbert + Tobin Lawyers
Herbst Kinsky Rechtsanwälte GmbH
Hunton & Williams
KALO & ASSOCIATES
Koep & Partners
Marrugo Rivera & Asociados, Estudio Jurídico
Matheson
Mori Hamada & Matsumoto
Opice Blum, Bruno, Abrusio e Vainzof Advogados Associados
Osler, Hoskin & Harcourt LLP
Pachiu & Associates
Pestalozzi
Portolano Cavallo Studio Legale
Raja, Darryl & Loh
Subramaniam & Associates (SNA)
Wigley & Company
Wikborg, Rein & Co. Advokatfirma DA
General Chapter:
1 Data Protection – a Key Business Risk – Bridget Treacy, Hunton & Williams
www.ICLG.co.uk
Disclaimer
This publication is for general information purposes only. It does not purport to provide comprehensive full legal or other advice.
Global Legal Group Ltd. and the contributors accept no responsibility for losses that may arise from reliance upon information contained in this publication.
This publication is intended to give an indication of legal issues upon which you may need advice. Full legal advice should be taken from a qualified
professional when dealing with specific situations.
Further copies of this book and others in the series can be ordered from the publisher. Please call +44 20 7367 0720
The International Comparative Legal Guide to: Data Protection 2014
Contributing Editor
Bridget Treacy,
Hunton & Williams
Account Managers
Edmond Atta, Beth Bassett, Antony Dine, Susan Glinska, Dror Levy,
Maria Lopez, Florjan Osmani, Paul Regan, Gordon Sambrooks,
Oliver Smith, Rory Smith
Sales Support Manager
Toni Wyatt
Sub Editors
Nicholas Catlin
Amy Hirst
Editors
Beatriz Arroyo
Gemma Bridge
Senior Editor
Suzie Kidd
Global Head of Sales
Simon Lemos
Group Consulting Editor
Alan Falach
Group Publisher
Richard Firth
Published by
Global Legal Group Ltd.
59 Tanner Street
London SE1 3PL, UK
Tel: +44 20 7367 0720
Fax: +44 20 7407 5255
Email: info@glgroup.co.uk
URL: www.glgroup.co.uk
GLG Cover Design
F&F Studio Design
GLG Cover Image Source
iStockphoto
Printed by
Ashford Colour Press Ltd.
May 2014
Copyright © 2014
Global Legal Group Ltd.
All rights reserved
No photocopying
ISBN 978-1-908070-98-2
ISSN 2054-3786
Country Question and Answer Chapters:
2 Albania KALO & ASSOCIATES: Eni Kalo
3 Australia Gilbert + Tobin Lawyers: Peter Leonard & Ewan Scobie
4 Austria Herbst Kinsky Rechtsanwälte GmbH: Dr. Sonja Hebenstreit & Dr. Isabel Funk-Leisch
5 Belgium Hunton & Williams: Wim Nauwelaerts & Laura De Boel
6 Brazil Opice Blum, Bruno, Abrusio e Vainzof Advogados Associados: Renato Opice Blum
7 Canada Osler, Hoskin & Harcourt LLP: Adam Kardash & Bridget McIlveen
8 China Hunton & Williams LLP Beijing Representative Office: Manuel E. Maisog & Zhang Wei
9 Colombia Marrugo Rivera & Asociados, Estudio Jurídico: Ivan Dario Marrugo Jimenez
10 Finland Dittmar & Indrenius: Jukka Lång & Iiris Keino
11 France Hunton & Williams: Claire François
12 Germany Hunton & Williams: Dr. Jörg Hladjk & Johannes Jördens
13 India Subramaniam & Associates (SNA): Hari Subramaniam & Aditi Subramaniam
14 Ireland Matheson: John O’Connor & Anne-Marie Bohan
15 Italy Portolano Cavallo Studio Legale: Laura Liguori & Federica De Santis
16 Japan Mori Hamada & Matsumoto: Akira Marumo & Hiromi Hayashi
17 Kosovo KALO & ASSOCIATES: Loriana Robo & Atdhe Dika
18 Malaysia Raja, Darryl & Loh: Tong Lai Ling & Roland Richard Kual
19 Mexico Barrera, Siqueiros y Torres Landa, S.C.: Mario Jorge Yanez V. & Federico de Noriega O.
20 Namibia Koep & Partners: Hugo Meyer van den Berg & Chastin Bassingthwaighte
21 Netherlands BANNING: Monique Hennekens & Chantal Grouls
22 New Zealand Wigley & Company: Michael Wigley
23 Norway Wikborg, Rein & Co. Advokatfirma DA: Dr. Rolf Riisnæs & Dr. Emily M. Weitzenboeck
24 Romania Pachiu & Associates: Mihaela Cracea & Ioana Iovanesc
25 Slovenia CMS Reich-Rohrwig Hainz: Luka Fabiani & Ela Omersa
26 South Africa Eversheds: Tanya Waksman
27 Spain ECIJA ABOGADOS: Carlos Pérez Sanz
28 Switzerland Pestalozzi: Clara-Ann Gordon & Dr. Michael Reinle
29 United Kingdom Hunton & Williams: Bridget Treacy & Naomi McBride
30 USA DLA Piper: Jim Halpert & Kate Lucente
EDITORIAL
Welcome to the first edition of The International Comparative Legal Guide to:
Data Protection.
This guide provides the international practitioner and in-house counsel with a
comprehensive worldwide legal analysis of the laws and regulations of data
protection.
It is divided into two main sections:
One general chapter entitled Data Protection – a Key Business Risk.
Country question and answer chapters. These provide a broad overview of
common issues in data protection laws and regulations in 29 jurisdictions.
All chapters are written by leading data protection lawyers and industry
specialists and we are extremely grateful for their excellent contributions.
Special thanks are reserved for the contributing editor Bridget Treacy of
Hunton & Williams for her invaluable assistance.
Global Legal Group hopes that you find this guide practical and interesting.
The International Comparative Legal Guide series is also available online at
www.iclg.co.uk.
Alan Falach LL.M.
Group Consulting Editor
Global Legal Group
Alan.Falach@glgroup.co.uk
WWW.ICLG.CO.UK ICLG TO: DATA PROTECTION 2014
© Published and reproduced with kind permission by Global Legal Group Ltd, London
Chapter 19
Barrera, Siqueiros y Torres Landa, S.C.
Mexico
1 Relevant Legislation and Competent
Authorities
1.1 What is the principal data protection legislation?
In Mexico, the Mexican Federal Constitution (Constitución Política
de los Estados Unidos Mexicanos) provides the right of data
protection and grants Congress the power to issue federal laws
related to protection of personal information. In an effort to unify,
clarify and extend data protection, and in compliance with its
constitutional mandate to issue a federal data protection law,
Congress enacted the Federal Law on Protection of Personal Data
held by Private Parties (Ley Federal de Protección de Datos
Personales en Posesión de los Particulares) (the “Data Protection
Law”), which is the main data protection law in Mexico.
The Data Protection Law was published in the Official Gazette of the
Federation on July 5, 2010 and became effective on July 6, 2010. The
Regulations of the Data Protection Law were published on December
21, 2011 (Reglamento de la Ley Federal de Protección de Datos
Personales en Posesión de los Particulares (the “Data Protection
Regulations”)). Thereafter, the regulator issued on January 17, 2013
certain rules for drafting privacy notices (Lineamientos del Aviso de
Privacidad) (the “Privacy Notice Guidelines”).
In addition to the foregoing, the regulator has issued several
recommendations and guidelines with respect to the appointment of
data privacy officers and security measures.
1.2 Is there any other general legislation that impacts data
protection?
There are industry-specific laws that have an impact on data
protection such as the Banking Law (Ley de Instituciones de
Crédito), the Law for the Transparency and Order of Financial
Services (Ley para la Transparencia y Ordenamiento de los
Servicios Financieros) and the Federal Law of Consumer
Protection (Ley Federal de Protección al Consumidor).
The Federal Copyright Law (Ley Federal del Derecho de Autor)
also regulates ownership and use of databases.
1.3 Is there any sector specific legislation that impacts data
protection?
The consumer sector is directly impacted by the general data
protection provisions in the Federal Law of Consumer Protection
(Ley Federal de Protección al Consumidor) that contain some data
privacy provisions.
There are plenty of financial laws that impact data protection,
including the Banking Law (Ley de Instituciones de Crédito), the
Law for the Transparency and Order of Financial Services (Ley
para la Transparencia y Ordenamiento de los Servicios
Financieros), the Investment Funds Law (Ley de Fondos de
Inversión), and the Law to Protect and Defend the User of Financial
Services (Ley para la Protección y Defensa del Usuario de
Servicios Financieros).
The Federal Copyright Law (Ley Federal del Derecho de Autor)
contains some as well.
1.4 The Data Protection Law applies to every private party
(natural person or entity) that collects, uses, transfers or
stores Personal Data. What is the relevant data protection
regulatory authority(ies)?
The Federal Institute for Access to Public Information and Data
Protection (Instituto Federal de Acceso a la Información Pública y
Protección de Datos) (“IFAI”) has the authority to investigate
compliance and penalise infringements of personal data protection
laws by both government agencies and private parties (the latter
when violating the Data Protection Law).
2 Definitions
2.1 Please provide the key definitions used in the relevant
legislation:
“Consent”
Expression of the will of the Data Owner by which data
processing is enabled.
“Data Controller”
Individual or private legal entity that decides on the
processing of personal data.
“Data Owner”
The natural person to whom the personal data corresponds.
“Data Processor”
The natural person or entity that individually or jointly with
other natural person(s) or entities processes the Personal
Data on behalf of the Data Controller.
“Dissociation”
The procedure through which personal data cannot be
associated with the data owner nor allow, by way of its
structure, content or degree of disaggregation, identification
thereof.
Federico de Noriega O.
Mario Jorge Yanez V.
“Financial or Patrimonial Data”
Financial and Patrimonial Data is mentioned as a concept but
is not a defined term in the Data Protection Law. However,
financial data has been recently defined in a resolution of the
privacy regulator (Instituto Federal de Acceso a la
Información Pública y Protección de Datos) [File
PS.0004/13, Defendant: Seguros Banamex, S.A. de C.V.] as
the credit history, revenues, expenses, bank accounts,
insurance, bonds, bank services or any other data that is part
of an individual’s estate.
“Personal Data”
Any information pertaining to a natural person that is
identified or identifiable.
“Public Access Source”
Databases whose information may be accessed by any
person, without further requirement except, where
appropriate, the payment of a fee, in accordance with the
Data Protection Regulations.
“Processing”
The collection, use, disclosure or storage of Personal Data by
any means. Use includes access, management, exploitation,
transfer or disposal of Personal Data.
“Sensitive Personal Data”
Personal Data touching on the most private areas of the data
owner’s life, or the misuse of which might lead to discrimination or
involve a serious risk for said data owner. In particular,
sensitive data is considered that which may reveal items such
as racial or ethnic origin, present and future health status,
genetic information, religious, philosophical and moral
beliefs, union membership, political views and sexual
preference.
“Third Party”
A Mexican or foreign individual or legal entity other than the
Data Owner or the Data Controller.
3 Key Principles
3.1 What are the key principles that apply to the processing
of personal data?
Consent
The Data Controller shall obtain the consent of the Data
Owner for processing his/her Personal Data for determined
purposes.
Data Quality
The Data Controller shall process the exact, complete,
correct, strictly necessary and updated Personal Data in order
to achieve the purposes for which the data is processed.
Information
Prior to the collection and use of the Data Owner’s Personal
Data, the Data Controller has to make available a privacy
notice disclosing the purposes for which the data is being
collected and meeting several other statutory requirements.
Lawful basis for processing
The Data Controller shall process Personal Data in
accordance with national and international laws.
Loyalty
The Data Controller has the obligation to process Personal Data
privileging the protection of Data Owner’s interests and a
reasonable expectation of privacy.
Proportionality
The Data Controller may only process Personal Data that is
necessary, adequate and relevant for the purposes disclosed
when collecting it, applying a minimisation criterion in
accordance with such purposes.
Purpose limitation
Personal Data may only be processed to comply with the
purposes disclosed in the privacy notices.
Responsibility
The Data Controller is liable and accountable for the
Processing of Personal Data kept by the Data Controller as
well as for the Personal Data shared with its Data Processors.
4 Individual Rights
4.1 What are the key rights that individuals have in relation to
the processing of their personal data?
Access to data
Data Owners have the right to access their Personal Data and
to review the privacy notice applicable to the processing of
their Personal Data.
Rectify data
Data Owners have the right to rectify whenever their
Personal Data is incomplete, out-dated or imprecise.
Cancel data
Data Owners have the right to cancel their Personal Data in
case such data is not required for the purposes set forth in the
privacy notice, or if such Personal Data is being used for
purposes not consented to.
Objection to data processing
Data Owners have the right to object to the Processing of
their Personal Data for purposes beyond what is necessary
for the origination and maintenance of the relationship with
the Data Controller.
Revoke the consent or limit the use or disclosure of
Personal Data
Data Owners are entitled to, at any time, revoke the consent
granted for the processing of their Personal Data or partially
or completely limit the use or disclosure of it, for the
purposes that are not necessary for the origination and
maintenance of the legal relationship between the Data
Controller and him/her, and be included in an exclusion list,
for purposes such as requesting to not be contacted (i.e.
marketing purposes).
File complaints with relevant data protection
authority(ies)
Data Owners have the right to complain before the IFAI in
case any private party does not answer his/her request to
exercise access, rectification, cancellation, objection or
revocation rights in the manner and within the term provided
by the Data Protection Law and the Data Protection
Regulations.
5 Registration Formalities and Prior Approval
5.1 In what circumstances is registration or notification
required to the relevant data protection regulatory
authority(ies)? (E.g., general notification requirement,
notification required for specific processing activities.)
The Data Protection Law does not provide for any registration or
notification to the data protection regulator.
5.2 On what basis are registrations/notifications made? (E.g.,
per legal entity, per processing purpose, per data
category, per system or database.)
Registrations and notifications are not applicable.
5.3 Who must register with/notify the relevant data protection
authority(ies)? (E.g., local legal entities, foreign legal
entities subject to the relevant data protection legislation,
representative or branch offices of foreign legal entities
subject to the relevant data protection legislation.)
Registrations and notifications are not applicable.
5.4 What information must be included in the
registration/notification? (E.g., details of the notifying
entity, affected categories of individuals, affected
categories of personal data, processing purposes.)
Registrations and notifications are not applicable.
5.5 What are the sanctions for failure to register/notify where
required?
Registrations and notifications are not applicable.
5.6 What is the fee per registration (if applicable)?
Registrations and notifications are not applicable.
5.7 How frequently must registrations/notifications be
renewed (if applicable)?
Registrations and notifications are not applicable.
5.8 For what types of processing activities is prior approval
required from the data protection regulator?
Prior approval from the data protection regulator is not required for
any type of processing.
5.9 Describe the procedure for obtaining prior approval, and
the applicable timeframe.
Approval is not applicable.
6 Appointment of a Data Protection Officer
6.1 Is the appointment of a Data Protection Officer mandatory
or optional?
In accordance with the Data Protection Law, every Data Controller
must appoint a person or department in charge of Personal Data
(“Data Protection Officer” or “DPO”). The main functions of the
DPO are to process requests from Data Owners about the exercise of
their access, rectification, cancellation, revocation and objection
rights of privacy and to promote the protection of Personal Data
within their companies or organisations.
The Data Protection Law is relatively ambiguous with respect to the
appointment of a DPO within an organisation and fails to provide
specific criteria, methods or mechanisms for companies or
organisations to follow for this purpose.
The IFAI has published certain non-mandatory guidelines and
recommendations for the appointment of the DPO.
6.2 What are the sanctions for failing to appoint a mandatory
Data Protection Officer where required?
The Data Protection Law does not provide a specific sanction for
failing to appoint a DPO.
6.3 What are the advantages of voluntarily appointing a Data
Protection Officer (if applicable)?
This is not applicable since it is required to appoint a DPO.
6.4 Please describe any specific qualifications for the Data
Protection Officer required by law.
There are no specific qualifications for the DPO in the Data
Protection Law.
Pursuant to the recommendations of the IFAI, the following are a
few of the ideal characteristics of the profile for a DPO:
Experience in Personal Data protection or knowledge of the
subject.
Vision and leadership.
Organisational and communication skills.
Resource availability and exploitability.
Due position and hierarchy within the entity.
6.5 What are the responsibilities of the Data Protection
Officer, as required by law or typical in practice?
Some of the specific duties/tasks of the DPO are the following:
Setting forth and managing procedures for the reception,
processing and timely attention of requests made by Personal
Data Owners in the exercise of their access, rectification,
cancellation and/or objection rights.
Monitoring developments and changes in law regarding
Personal Data protection and privacy that may affect the
actions performed within the organisation at any given time
and taking the necessary steps to adjust them.
Drafting, publishing, delivering and executing Personal Data
protection practices and policies within the organisation or
otherwise adjusting the current ones with the applicable legal
framework.
Developing instruments to assess the efficiency and
effectiveness of such practices and policies.
Surveying and reviewing the internal procedures of the
organisation regarding collection, use, exploitation, storage,
cancellation, application and transfer of Personal Data in
order to ensure its protection and strict compliance with the
principles stated in the Data Protection Law.
Coordinating and training the other areas or departments of
the organisation for them to acknowledge the practices and
policies issued as well as the compliance with such.
Promoting internal and external data protection as well as
taking on the position of Personal Data representative of the
entity.
6.6 Must the appointment of a Data Protection Officer be
registered/notified to the relevant data protection
authority(ies)?
The appointment does not need to be registered or notified with any
data protection authorities.
7 Marketing and Cookies
7.1 Please describe any legislative restrictions on the sending
of marketing communications by post, telephone, e-mail,
or SMS text message. (E.g., requirement to obtain prior
opt-in consent or to provide a simple and free means of
opt-out.)
The Data Protection Law and the Data Protection
Regulations provide that processing for marketing,
advertising or commercial promotion purposes needs to be
expressly and specifically included as one of the “purposes
of processing” in the privacy notice.
Such rules provide for the creation of exclusion lists, which are
databases intended to record the refusal of the Data Owner
concerning the processing of his/her personal data for
marketing and/or offering and promoting goods, products
and services by any physical or technological means.
Consent is required but it may be implied consent.
Therefore, it is an opt-out system. Opt-out mechanisms shall
be expressly included in the privacy notice.
The Federal Law of Consumer Protection (Ley Federal de
Protección al Consumidor) sets forth rules aimed at protecting
private consumer data and data exchanged in consumer
transactions and specifically in electronic transactions. It
provides for the registration of consumers on the Public Registry
of Consumers, which will consist of a list of
consumers that do not want to be contacted to receive any
kind of marketing communications. To date, the
Public Registry of Consumers only allows a phone
number to be listed to avoid receiving marketing phone calls. This law
provides for an opt-out system.
The Federal Law to Protect and Defend Users of Financial
Services (Ley de Protección y Defensa al Usuario de
Servicios Financieros) provides that financial institutions
regulated thereunder shall not contact their consumers for
marketing or advertising purposes when they have expressly
asked not to be contacted or if they are registered in the no-
call registry of the National Commission for the Defense of
Financial Consumers. This law provides for an opt-out
system.
The Federal Law of Transparency and Order of Financial
Services (Ley Federal para la Transparencia y
Ordenamiento de Servicios Financieros) provides that
clients of banks and loan companies may only be contacted
to offer them financial products if they expressly accepted to
be contacted and only through their business address, phone
or email. This law provides for an opt-in system.
The Credit Institutions Law (Ley de Instituciones de Crédito)
includes rules protecting the use of information provided by
bank consumers for advertising or marketing purposes
without authorisation. Users of financial services may
register their email addresses and phone numbers in order to
avoid unwanted advertising.
The Regulatory Law of Credit Reporting Companies (Ley para
Regular las Sociedades de Información Crediticia) provides
that Credit Reporting Companies may not use the data
contained in credit reports in marketing or advertising
promotions.
7.2 Is the relevant data protection authority(ies) active in
enforcement of breaches of marketing restrictions?
The IFAI has been very active in the enforcement of data protection
rules. Recently the IFAI has imposed severe fines on diverse
private parties; in particular, the regulator has imposed fines on
financial entities derived from infringement of marketing
restrictions.
7.3 What are the maximum penalties for sending marketing
communications in breach of applicable restrictions?
A fine of up to 320,000 days of the minimum daily wage in Mexico
City (approximately €1,200,000) may be imposed for sending
unsolicited marketing communications.
Fines may be doubled when dealing with Sensitive Data.
7.4 What types of cookies require explicit opt-in consent, as
mandated by law or binding guidance issued by the
relevant data protection authority(ies)?
Currently neither the Data Protection Law nor the Data Protection
Regulations provide the requirement of explicit opt-in consent for
the collection of Personal Data through cookies.
On the other hand, the Privacy Notice Guidelines provide that in
case the Data Controller uses mechanisms through remote or local
electronic means that allow automatic collection of Personal Data,
Data Controllers shall inform the Data Owner conspicuously about
the use of such technologies and the manner to disable such
methods.
7.5 For what types of cookies is implied consent acceptable,
under relevant national legislation or binding guidance
issued by the relevant data protection authority(ies)?
Please see answer above.
7.6 To date, has the relevant data protection authority(ies)
taken any enforcement action in relation to cookies?
Currently, we have no notice of any sanction or proceeding initiated
by the regulator regarding this matter.
7.7 What are the maximum penalties for breaches of
applicable cookie restrictions?
By the interpretation of the Data Protection Law, consent being an
essential principle protected by the law, if a Data Controller collects
and processes Personal Data without consent or without informed
consent (i.e., failing to include cookie warnings), a Data Controller
may be sanctioned with a fine from 200 to 320,000 days of the
General Minimum Wage in Mexico City (approximately €750 to
€1,200,000), and likewise, such fine may be doubled when dealing
with Sensitive Data.
8 Restrictions on International Data Transfers
8.1 Please describe any restrictions on the transfer of
personal data abroad.
Personal Data may be transferred to third parties in Mexico or
abroad as long as: (i) such transfer was disclosed in the privacy
notice; (ii) the transferee receives a copy of the privacy notice; and
(iii) the transferee uses the Personal Data for the purposes disclosed
in the privacy notice.
The privacy notice must contain a specific clause indicating that the
Data Owner authorises transfer to third parties.
The transferee or recipient shall be liable for the same obligations
as those imposed on the Data Controller.
Transfers may be made without the Data Owner’s consent when the
transfer is: (i) required by law or an international treaty; (ii)
required for medical treatment or services; (iii) to affiliates,
subsidiaries or controlling companies; (iv) required by a contract to
be executed or executed between the transferee and the Data
Owner; (v) required for public interest or for administration of
justice; (vi) required for the recognition, exercise or defence of a
right in a judicial procedure; or (vii) required to maintain or perform
an agreement between the Data Controller and the Data Owner.
8.2 Please describe the mechanisms companies typically
utilise to transfer personal data abroad in compliance with
applicable transfer restrictions.
Companies typically execute a Data Transfer Agreement, which
states all the responsibilities that the Data Controller and transferee
will have in order to comply with the Mexican laws.
8.3 Do transfers of personal data abroad require
registration/notification or prior approval from the relevant
data protection authority(ies)? Describe which
mechanisms require approval or notification, what those
steps involve, and how long they take.
There is no registration or notification requirement for data
transfers.
9 Whistle-blower Hotlines
9.1 What is the permitted scope of corporate whistle-blower
hotlines under applicable law or binding guidance issued
by the relevant data protection authority(ies)? (E.g.,
restrictions on the scope of issues that may be reported,
the persons who may submit a report, the persons whom
a report may concern.)
Whistle blowing is not expressly regulated by the Data Protection
Law or the Data Protection Regulations, and currently the authority
has not published any guidance related to this matter. Note,
however, that whenever Personal Data is collected, processed
and/or transferred, a privacy notice shall be provided by the Data
Controller to the Data Owners prior to the Processing of his/her data.
9.2 Is anonymous reporting strictly prohibited, or strongly
discouraged, under applicable law or binding guidance
issued by the relevant data protection authority(ies)? If
so, how do companies typically address this issue?
As mentioned in our answer above, whistle blowing is not
expressly regulated by the Data Protection Law or the Data
Protection Regulations and currently the authority has not published
any guidance related to this matter. Typically, and for the purposes
of a whistle-blowing system, companies inform their employees (in
their Privacy Notice) that their Personal Data may be used for
anonymous reporting and investigation or for the implementation of
a whistle-blowing system.
9.3 Do corporate whistle-blower hotlines require separate
registration/notification or prior approval from the relevant
data protection authority(ies)? Please explain the
process, how long it typically takes, and any available
exemptions.
There is no registration or notification requirement for whistle-
blower hotlines.
10 CCTV and Employee Monitoring
10.1 Does the use of CCTV require separate
registration/notification or prior approval from the relevant
data protection authority(ies)?
As mentioned before, the Data Protection Law does not provide for any
registration or notification to the Data Protection Regulator.
10.2 What types of employee monitoring are permitted (if any),
and in what circumstances?
Employee monitoring is not regulated by the Data Protection Law.
However, any methods used to collect Personal Data shall be
disclosed to the Data Owners in the privacy notice.
10.3 Is consent or notice required? Describe how employers
typically obtain consent or provide notice.
Typically employers inform their employees of the collection of
their Personal Data through the Privacy Notice. The form of
consent varies depending on whether the Personal Data is Sensitive
Data, Financial Data or any other data. If Sensitive Data is
processed, expressly written consent is required. Express consent is
required for the processing of Financial Data and implied consent is
required for the processing of any other Personal Data.
In the case of CCTV systems, we understand that only ordinary
Personal Data is collected, so implied consent is enough. The IFAI
has issued some recommendations on short-form privacy notices to
be used for CCTV systems.
In the case of employee monitoring and collection of Sensitive Data
or Financial Data, employers will require express written consent
from the employee.
10.4 To what extent do works councils/trade unions/employee
representatives need to be notified or consulted?
No notice to unions or employees’ representatives is required.
10.5 Does employee monitoring require separate
registration/notification or prior approval from the relevant
data protection authority(ies)?
The Data Protection Law does not provide for any registration or
notification to the data protection regulator in this regard.
11 Processing Data in the Cloud
11.1 Is it permitted to process personal data in the cloud? If so,
what specific due diligence must be performed, under
applicable law or binding guidance issued by the relevant
data protection authority(ies)?
The Data Protection Regulations regulate cloud computing. The
Data Protection Regulations provide that Data Controllers shall
only contract cloud-computing services from a provider that meets
the following requirements:
(i) have policies and procedures similar to those contemplated
by the Data Protection Law and the Data Protection
Regulations;
(ii) disclose the fact that it subcontracts third parties;
(iii) not condition the service upon becoming the owner or
acquiring any right over the Personal Data;
(iv) maintain the confidentiality of Personal Data; and
(v) have mechanisms to: (a) notify changes in their privacy
policies; (b) allow the Data Controller to limit the processing
of the Personal Data; (c) have security measures that are
reasonable with respect to the service; (d) guarantee the
cancellation of data once the service is terminated; and (e)
block access to the Personal Data to those persons that do not
have access privileges except when ordered by a competent
authority and the Data Controller is informed of such order.
The Data Protection Regulations state that Data Controllers shall
not contract cloud-computing services that do not guarantee
adequate data protection.
11.2 What specific contractual obligations must be imposed on
a processor providing cloud-based services, under
applicable law or binding guidance issued by the relevant
data protection authority(ies)?
Please refer to the answer above.
12 Big Data and Analytics
12.1 Is the utilisation of big data and analytics permitted? If so,
what due diligence is required, under applicable law or
binding guidance issued by the relevant data protection
authority(ies)?
Data Protection Law does not regulate the utilisation of big data or
analytics and the IFAI has not issued any guidance on this matter.
13 Data Security and Data Breach
13.1 What data security standards (e.g., encryption) are
required, under applicable law or binding guidance issued
by the relevant data protection authority(ies)?
Data Controllers shall adopt the security measures and procedures
that are necessary to protect the Personal Data against damage, loss,
alteration, destruction and unauthorised use, access or processing.
These measures shall at least be equal to the measures that the Data
Controller uses to protect its own information.
In connection with the foregoing, on October 30, 2013 the IFAI
published in the Official Gazette of the Federation the
“Recommendations on Security of Personal Data”, in order to provide
Data Controllers with some guidance with respect to the minimum
actions considered necessary for the security of Personal Data.
Adoption of the foregoing recommendations is voluntary, and
following them does not exempt Data Controllers from their
liability for any breach of their databases.
In this regard, IFAI has expressed as a general recommendation to
adopt a Security Management System of Personal Data (“SGSDP”),
which the Institute has defined as a “general management system to
establish, implement, operate, monitor, review, maintain and
improve processing and security of personal data on the basis of the
risk of the assets and of the basic principles of legality, consent,
information, quality, purpose, loyalty, proportionality and liability
provided for in the Data Protection Law, its regulations, secondary
regulations and any other principle which provided good
international practice in the matter”.
The recommended SGSDP has four cycles with different phases
and activities known as Plan-Do-Check-Act.
13.2 Is there a legal requirement to report data breaches to the
relevant data protection authority(ies)? If so, describe
what details must be reported, to whom, and within what
timeframe. If no legal requirement exists, describe under
what circumstances the relevant data protection
authority(ies) expects voluntary breach reporting.
Data Protection Law does not require the reporting or notification
of data breaches to the IFAI.
13.3 Is there a legal requirement to report data breaches to
individuals? If so, describe what details must be reported,
to whom, and within what timeframe. If no legal
requirement exists, describe under what circumstances
the relevant data protection authority(ies) expects
voluntary breach reporting.
Yes. Data breaches need to be notified to the Data Owners but only
those that significantly affect the patrimonial or moral rights of the
Data Owners. Data Controllers must send the notice immediately
after becoming aware of the data breach.
The notification must include: (a) the nature of the incident; (b) the
compromised data; (c) the recommendations to the Data Owners as
to what measures they may take to protect their interests; (d)
corrective actions taken by the Data Controller; and (e) how they
can get more information on the matter.
14 Enforcement and Sanctions
14.1 Describe the enforcement powers of the data protection
authority(ies):
| Investigatory Power | Civil/Administrative Sanction | Criminal Sanction |
|---|---|---|
| Federal Institute for Access to Public Information and Data Protection (Instituto Federal de Acceso a la Información Pública y Protección de Datos; “IFAI”). | Administrative Sanctions. | |
14.2 Describe the data protection authority’s approach to
exercising those powers, with examples of recent cases.
Infringements of the Data Protection Law are subject to sanctions
by the regulator (administrative fines) and to civil and criminal
liability by the corresponding authorities (mentioned above).
Administrative fines may be from 100 to 320,000 times the daily
minimum wage (approximately €375 to €1,200,000), and doubled
when dealing with Sensitive Personal Data; criminal liability may
also be found in the event of illegal handling of personal data.
Precedents regarding sanctions applied to private parties are: (i) a
bank infringed several provisions of the Data Protection Law
arising from a request to exercise access, rectification,
cancellation and objection rights; the authority sanctioned the bank
with a fine of €900,00 approx.; (ii) a sports club failed to include in
its privacy notice the options and means by which the data owner
could limit the use or disclosure of their personal data, and was
sanctioned by our regulator with a fine of €72,000 approx.; and (iii)
a savings bank that did not have a privacy policy and collected
personal financial and economic data without the express consent of
the Data Owner was sanctioned with a fine of €72,000 approx.
15 E-discovery / Disclosure to Foreign Law
Enforcement Agencies
15.1 How do companies within Mexico respond to foreign e-
discovery requests, or requests for disclosure from
foreign law enforcement agencies?
Mexican companies typically require that any request for disclosure
of Personal Data be supported by a legally valid document or
judicial order provided by the competent foreign authority and
delivered through appropriate diplomatic or judicial channels.
15.2 What guidance has the data protection authority(ies)
issued?
The IFAI has failed to issue any guidance on this matter.
Acknowledgment
The authors would like to acknowledge the assistance of their
colleague Rodrigo Méndez S. in the preparation of this chapter.
| Investigatory Power | Civil/Administrative Sanction | Criminal Sanction |
|---|---|---|
| Public Prosecutor’s Office. | | Corporal penalties from six months to five years imprisonment. |
| Civil Courts. | Civil Sanctions (tort liability/claim of damages/honour and reputation). | |
Mario Jorge Yanez V.
Barrera, Siqueiros y Torres Landa, S.C.
Paseo de Tamarindos 150 PB
Bosques de las Lomas
Mexico City, D.F., 05120
Mexico
Tel: +52 55 5091 0165
Fax: +52 55 5091 0123
Email: mjyanez@bstl.mx
URL: www.bstl.com.mx/en
Mr. Yanez received his law degree at Universidad Nacional
Autónoma de México (1986-1991), followed by a Masters degree
at Columbia University in New York (1992-1993). Mr. Yanez has
excelled in different practice areas like Mergers and Acquisitions;
Foreign Trade (Anti-dumping Investigations and NAFTA
Disputes); Environmental; Data Protection; Entertainment and
Gaming; Nationality/Immigration. Mr. Yanez clerked at Barrera,
Siqueiros y Torres Landa (BSTL) from 1988-1991, becoming a
full-time associate in 1992. Mr. Yanez moved to the United
States to earn his Masters degree at Columbia University (1992-
1993) and to occupy a foreign associate position at Vial,
Hamilton, Koch & Knox LLP (Dallas, Texas; 1993-1994). Mr.
Yanez returned to BSTL to resume his position as associate,
becoming partner in 2000. Mr. Yanez has received recognitions
from Chambers Global, Chambers Latin America, Latin America’s
Leading Lawyers for Business, Latin Lawyer 250, and other
publications. Mr. Yanez is admitted to practice law in Mexico. Mr.
Yanez is also available at: Barrera, Siqueiros y Torres Landa,
S.C., Av. Ricardo Margáin 444, Torre Norte, Mezzanine “A”, Valle
del Campestre, San Pedro Garza Garcia, N.L., 66265, Mexico,
Tel: +52 (81) 8220 1500, Fax: +52 (81) 8220 1529.
Federico de Noriega O.
Barrera, Siqueiros y Torres Landa, S.C.
Paseo de Tamarindos 150 PB
Bosques de las Lomas
Mexico City, D.F., 05120
Mexico
Tel: +52 55 5091 0154
Fax: +52 55 5091 0123
Email: fnoriega@bstl.mx
URL: www.bstl.com.mx/en
Mr. Noriega completed his law degree at Universidad
Iberoamericana (2000-2005), followed by a Masters degree at
Harvard Law School (2006-2007). Mr. Noriega’s areas of
practice include Commercial Law, Mergers and Acquisitions,
Corporate Financing and Data Protection. Mr. Noriega was a
foreign associate at Sidley Austin LLP (New York office) in 2007
and 2008, after which he re-joined Barrera, Siqueiros y Torres
Landa. Mr. Noriega was elevated to partnership at BSTL in 2014. Mr.
Noriega was awarded Academic Excellence by the Universidad
Iberoamericana for scoring the highest GPA of his class.
Chambers & Partners Latin America 2012 and 2013 editions
ranked Mr. Noriega as an “Associate to watch” in “Banking and
Finance”. Mr. Noriega is admitted to practice law in Mexico and
in the State of New York.
BSTL is one of the leading firms in Mexico, with more than 65 years of experience. BSTL is a full-service firm with the necessary
resources to meet the challenges our clients face in some of the most important transactions in their history as well as on a day-
by-day basis. Moreover, the diversity of our firm allows us to provide comprehensive legal advice in any particular transaction,
meeting all of our clients’ expectations.
BSTL is well recognised by its clients, peers and local authorities for its work in several areas of practice, including privacy,
corporate services, mergers and acquisitions, real estate, antitrust, arbitration and litigation and government procurement.
Our privacy team has advised clients in issues related to compliance of general privacy laws and industry-specific privacy laws
(labour, consumer-protection, financial and health laws). We analyse the data Processing activities carried out by our clients and
provide business-oriented solutions.
www.iclg.co.uk
59 Tanner Street, London SE1 3PL, United Kingdom
Tel: +44 20 7367 0720 / Fax: +44 20 7407 5255
Email: sales@glgroup.co.uk
Other titles in the ICLG series include:
Alternative Investment Funds
Aviation Law
Business Crime
Cartels & Leniency
Class & Group Actions
Competition Litigation
Construction & Engineering Law
Copyright
Corporate Governance
Corporate Immigration
Corporate Recovery & Insolvency
Corporate Tax
Data Protection
Employment & Labour Law
Environment & Climate Change Law
Franchise
Insurance & Reinsurance
International Arbitration
Lending & Secured Finance
Litigation & Dispute Resolution
Merger Control
Mergers & Acquisitions
Mining Law
Oil & Gas Regulation
Patents
Pharmaceutical Advertising
Private Client
Product Liability
Project Finance
Public Procurement
Real Estate
Securitisation
Shipping Law
Telecoms, Media & Internet

Recomendaciones no vinculantes de COFECE en Materia FinancieraHogan Lovells BSTL
 
Importantes Reformas Mercantiles y Financieras
Importantes Reformas Mercantiles y Financieras Importantes Reformas Mercantiles y Financieras
Importantes Reformas Mercantiles y Financieras Hogan Lovells BSTL
 
Reglamento sobre el reparto de utilidades para trabajadores (ptu)
Reglamento sobre el reparto de utilidades para trabajadores (ptu)Reglamento sobre el reparto de utilidades para trabajadores (ptu)
Reglamento sobre el reparto de utilidades para trabajadores (ptu)Hogan Lovells BSTL
 
Global legal post new era telecom
Global legal post new era telecomGlobal legal post new era telecom
Global legal post new era telecomHogan Lovells BSTL
 
Donate time through pro bono services
Donate time through pro bono servicesDonate time through pro bono services
Donate time through pro bono servicesHogan Lovells BSTL
 
Impi ubica a méxico como líder regional en propiedad intelectual
Impi ubica a méxico como líder regional en propiedad intelectualImpi ubica a méxico como líder regional en propiedad intelectual
Impi ubica a méxico como líder regional en propiedad intelectualHogan Lovells BSTL
 
Brief de Reconocimientos Internacionales
Brief de Reconocimientos InternacionalesBrief de Reconocimientos Internacionales
Brief de Reconocimientos InternacionalesHogan Lovells BSTL
 
Subcontratación: Nuevo criterio de la Junta Federal de Conciliación y Arbitraje.
Subcontratación: Nuevo criterio de la Junta Federal de Conciliación y Arbitraje.Subcontratación: Nuevo criterio de la Junta Federal de Conciliación y Arbitraje.
Subcontratación: Nuevo criterio de la Junta Federal de Conciliación y Arbitraje.Hogan Lovells BSTL
 
OECD joins the critics of Mexico's telecoms bill
OECD joins the critics of Mexico's telecoms billOECD joins the critics of Mexico's telecoms bill
OECD joins the critics of Mexico's telecoms billHogan Lovells BSTL
 
El nuevo alcance de la Reforma en Telecomunicaciones
El nuevo alcance de la Reforma en TelecomunicacionesEl nuevo alcance de la Reforma en Telecomunicaciones
El nuevo alcance de la Reforma en TelecomunicacionesHogan Lovells BSTL
 
Televisa Rolled by Pena Nieto Competition Push: Corporate Mexico
Televisa Rolled by Pena Nieto Competition Push: Corporate Mexico Televisa Rolled by Pena Nieto Competition Push: Corporate Mexico
Televisa Rolled by Pena Nieto Competition Push: Corporate Mexico Hogan Lovells BSTL
 

More from Hogan Lovells BSTL (20)

Ven necesaria más partición de los bancos
Ven necesaria más partición de los bancosVen necesaria más partición de los bancos
Ven necesaria más partición de los bancos
 
Law on spills_in_maritime_zones_to_come_into_force_in_july
Law on spills_in_maritime_zones_to_come_into_force_in_julyLaw on spills_in_maritime_zones_to_come_into_force_in_july
Law on spills_in_maritime_zones_to_come_into_force_in_july
 
Law on spills_in_maritime_zones_to_come_into_force_in_july
Law on spills_in_maritime_zones_to_come_into_force_in_julyLaw on spills_in_maritime_zones_to_come_into_force_in_july
Law on spills_in_maritime_zones_to_come_into_force_in_july
 
Más allá de la rse
Más allá de la rseMás allá de la rse
Más allá de la rse
 
Recomendaciones no vinculantes de COFECE en Materia Financiera
Recomendaciones no vinculantes de COFECE en Materia FinancieraRecomendaciones no vinculantes de COFECE en Materia Financiera
Recomendaciones no vinculantes de COFECE en Materia Financiera
 
Importantes Reformas Mercantiles y Financieras
Importantes Reformas Mercantiles y Financieras Importantes Reformas Mercantiles y Financieras
Importantes Reformas Mercantiles y Financieras
 
Reglamento sobre el reparto de utilidades para trabajadores (ptu)
Reglamento sobre el reparto de utilidades para trabajadores (ptu)Reglamento sobre el reparto de utilidades para trabajadores (ptu)
Reglamento sobre el reparto de utilidades para trabajadores (ptu)
 
iam
iamiam
iam
 
Ip Stars
Ip StarsIp Stars
Ip Stars
 
Global legal post new era telecom
Global legal post new era telecomGlobal legal post new era telecom
Global legal post new era telecom
 
Forbes
ForbesForbes
Forbes
 
Global Legal Post
Global Legal PostGlobal Legal Post
Global Legal Post
 
Expert guide
Expert guideExpert guide
Expert guide
 
Donate time through pro bono services
Donate time through pro bono servicesDonate time through pro bono services
Donate time through pro bono services
 
Impi ubica a méxico como líder regional en propiedad intelectual
Impi ubica a méxico como líder regional en propiedad intelectualImpi ubica a méxico como líder regional en propiedad intelectual
Impi ubica a méxico como líder regional en propiedad intelectual
 
Brief de Reconocimientos Internacionales
Brief de Reconocimientos InternacionalesBrief de Reconocimientos Internacionales
Brief de Reconocimientos Internacionales
 
Subcontratación: Nuevo criterio de la Junta Federal de Conciliación y Arbitraje.
Subcontratación: Nuevo criterio de la Junta Federal de Conciliación y Arbitraje.Subcontratación: Nuevo criterio de la Junta Federal de Conciliación y Arbitraje.
Subcontratación: Nuevo criterio de la Junta Federal de Conciliación y Arbitraje.
 
OECD joins the critics of Mexico's telecoms bill
OECD joins the critics of Mexico's telecoms billOECD joins the critics of Mexico's telecoms bill
OECD joins the critics of Mexico's telecoms bill
 
El nuevo alcance de la Reforma en Telecomunicaciones
El nuevo alcance de la Reforma en TelecomunicacionesEl nuevo alcance de la Reforma en Telecomunicaciones
El nuevo alcance de la Reforma en Telecomunicaciones
 
Televisa Rolled by Pena Nieto Competition Push: Corporate Mexico
Televisa Rolled by Pena Nieto Competition Push: Corporate Mexico Televisa Rolled by Pena Nieto Competition Push: Corporate Mexico
Televisa Rolled by Pena Nieto Competition Push: Corporate Mexico
 

Recently uploaded

Comparison of GenAI benchmarking models for legal use cases
Comparison of GenAI benchmarking models for legal use casesComparison of GenAI benchmarking models for legal use cases
Comparison of GenAI benchmarking models for legal use casesritwikv20
 
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝soniya singh
 
The Prevention Of Corruption Act Presentation.pptx
The Prevention Of Corruption Act Presentation.pptxThe Prevention Of Corruption Act Presentation.pptx
The Prevention Of Corruption Act Presentation.pptxNeeteshKumar71
 
如何办理(Curtin毕业证书)科廷科技大学毕业证学位证书
如何办理(Curtin毕业证书)科廷科技大学毕业证学位证书如何办理(Curtin毕业证书)科廷科技大学毕业证学位证书
如何办理(Curtin毕业证书)科廷科技大学毕业证学位证书SD DS
 
如何办理佛蒙特大学毕业证学位证书
 如何办理佛蒙特大学毕业证学位证书 如何办理佛蒙特大学毕业证学位证书
如何办理佛蒙特大学毕业证学位证书Fir sss
 
What Types of Social Media Frauds Are Prevalent in India? Investigator Perspe...
What Types of Social Media Frauds Are Prevalent in India? Investigator Perspe...What Types of Social Media Frauds Are Prevalent in India? Investigator Perspe...
What Types of Social Media Frauds Are Prevalent in India? Investigator Perspe...Milind Agarwal
 
如何办理(ISU毕业证书)爱荷华州立大学毕业证学位证书
如何办理(ISU毕业证书)爱荷华州立大学毕业证学位证书如何办理(ISU毕业证书)爱荷华州立大学毕业证学位证书
如何办理(ISU毕业证书)爱荷华州立大学毕业证学位证书SD DS
 
Role and Responsibilities of Mediator and Approach
Role and Responsibilities of Mediator and ApproachRole and Responsibilities of Mediator and Approach
Role and Responsibilities of Mediator and Approach2020000445musaib
 
Vanderburgh County Sheriff says he will Not Raid Delta 8 Shops
Vanderburgh County Sheriff says he will Not Raid Delta 8 ShopsVanderburgh County Sheriff says he will Not Raid Delta 8 Shops
Vanderburgh County Sheriff says he will Not Raid Delta 8 ShopsAbdul-Hakim Shabazz
 
定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一
定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一
定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一jr6r07mb
 
如何办理(Rice毕业证书)莱斯大学毕业证学位证书
如何办理(Rice毕业证书)莱斯大学毕业证学位证书如何办理(Rice毕业证书)莱斯大学毕业证学位证书
如何办理(Rice毕业证书)莱斯大学毕业证学位证书SD DS
 
Group 2 Marlaw Definition of Bill of Lading .pptx
Group 2 Marlaw Definition of Bill of Lading .pptxGroup 2 Marlaw Definition of Bill of Lading .pptx
Group 2 Marlaw Definition of Bill of Lading .pptxjohnpazperpetua10
 
Trial Tilak t 1897,1909, and 1916 sedition
Trial Tilak t 1897,1909, and 1916 seditionTrial Tilak t 1897,1909, and 1916 sedition
Trial Tilak t 1897,1909, and 1916 seditionNilamPadekar1
 
Succession (Articles 774-1116 Civil Code
Succession (Articles 774-1116 Civil CodeSuccession (Articles 774-1116 Civil Code
Succession (Articles 774-1116 Civil CodeMelvinPernez2
 
Legal Alert - Vietnam - First draft Decree on mechanisms and policies to enco...
Legal Alert - Vietnam - First draft Decree on mechanisms and policies to enco...Legal Alert - Vietnam - First draft Decree on mechanisms and policies to enco...
Legal Alert - Vietnam - First draft Decree on mechanisms and policies to enco...Dr. Oliver Massmann
 
如何办理纽约州立大学石溪分校毕业证学位证书
 如何办理纽约州立大学石溪分校毕业证学位证书 如何办理纽约州立大学石溪分校毕业证学位证书
如何办理纽约州立大学石溪分校毕业证学位证书Fir sss
 
John Hustaix - The Legal Profession: A History
John Hustaix - The Legal Profession:  A HistoryJohn Hustaix - The Legal Profession:  A History
John Hustaix - The Legal Profession: A HistoryJohn Hustaix
 
Sports Writing for PISAYyyyyyyyyyyyyyy.pptx
Sports Writing for PISAYyyyyyyyyyyyyyy.pptxSports Writing for PISAYyyyyyyyyyyyyyy.pptx
Sports Writing for PISAYyyyyyyyyyyyyyy.pptxmarielouisetulaytay
 
定制(BU文凭证书)美国波士顿大学毕业证成绩单原版一比一
定制(BU文凭证书)美国波士顿大学毕业证成绩单原版一比一定制(BU文凭证书)美国波士顿大学毕业证成绩单原版一比一
定制(BU文凭证书)美国波士顿大学毕业证成绩单原版一比一st Las
 
Good Governance Practices for protection of Human Rights (Discuss Transparen...
Good Governance Practices for protection  of Human Rights (Discuss Transparen...Good Governance Practices for protection  of Human Rights (Discuss Transparen...
Good Governance Practices for protection of Human Rights (Discuss Transparen...shubhuc963
 

Recently uploaded (20)

Comparison of GenAI benchmarking models for legal use cases
Comparison of GenAI benchmarking models for legal use casesComparison of GenAI benchmarking models for legal use cases
Comparison of GenAI benchmarking models for legal use cases
 
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Haqiqat Nagar Delhi reach out to us at 🔝8264348440🔝
 
The Prevention Of Corruption Act Presentation.pptx
The Prevention Of Corruption Act Presentation.pptxThe Prevention Of Corruption Act Presentation.pptx
The Prevention Of Corruption Act Presentation.pptx
 
如何办理(Curtin毕业证书)科廷科技大学毕业证学位证书
如何办理(Curtin毕业证书)科廷科技大学毕业证学位证书如何办理(Curtin毕业证书)科廷科技大学毕业证学位证书
如何办理(Curtin毕业证书)科廷科技大学毕业证学位证书
 
如何办理佛蒙特大学毕业证学位证书
 如何办理佛蒙特大学毕业证学位证书 如何办理佛蒙特大学毕业证学位证书
如何办理佛蒙特大学毕业证学位证书
 
What Types of Social Media Frauds Are Prevalent in India? Investigator Perspe...
What Types of Social Media Frauds Are Prevalent in India? Investigator Perspe...What Types of Social Media Frauds Are Prevalent in India? Investigator Perspe...
What Types of Social Media Frauds Are Prevalent in India? Investigator Perspe...
 
如何办理(ISU毕业证书)爱荷华州立大学毕业证学位证书
如何办理(ISU毕业证书)爱荷华州立大学毕业证学位证书如何办理(ISU毕业证书)爱荷华州立大学毕业证学位证书
如何办理(ISU毕业证书)爱荷华州立大学毕业证学位证书
 
Role and Responsibilities of Mediator and Approach
Role and Responsibilities of Mediator and ApproachRole and Responsibilities of Mediator and Approach
Role and Responsibilities of Mediator and Approach
 
Vanderburgh County Sheriff says he will Not Raid Delta 8 Shops
Vanderburgh County Sheriff says he will Not Raid Delta 8 ShopsVanderburgh County Sheriff says he will Not Raid Delta 8 Shops
Vanderburgh County Sheriff says he will Not Raid Delta 8 Shops
 
定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一
定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一
定制(WMU毕业证书)美国西密歇根大学毕业证成绩单原版一比一
 
如何办理(Rice毕业证书)莱斯大学毕业证学位证书
如何办理(Rice毕业证书)莱斯大学毕业证学位证书如何办理(Rice毕业证书)莱斯大学毕业证学位证书
如何办理(Rice毕业证书)莱斯大学毕业证学位证书
 
Group 2 Marlaw Definition of Bill of Lading .pptx
Group 2 Marlaw Definition of Bill of Lading .pptxGroup 2 Marlaw Definition of Bill of Lading .pptx
Group 2 Marlaw Definition of Bill of Lading .pptx
 
Trial Tilak t 1897,1909, and 1916 sedition
Trial Tilak t 1897,1909, and 1916 seditionTrial Tilak t 1897,1909, and 1916 sedition
Trial Tilak t 1897,1909, and 1916 sedition
 
Succession (Articles 774-1116 Civil Code
Succession (Articles 774-1116 Civil CodeSuccession (Articles 774-1116 Civil Code
Succession (Articles 774-1116 Civil Code
 
Legal Alert - Vietnam - First draft Decree on mechanisms and policies to enco...
Legal Alert - Vietnam - First draft Decree on mechanisms and policies to enco...Legal Alert - Vietnam - First draft Decree on mechanisms and policies to enco...
Legal Alert - Vietnam - First draft Decree on mechanisms and policies to enco...
 
如何办理纽约州立大学石溪分校毕业证学位证书
 如何办理纽约州立大学石溪分校毕业证学位证书 如何办理纽约州立大学石溪分校毕业证学位证书
如何办理纽约州立大学石溪分校毕业证学位证书
 
John Hustaix - The Legal Profession: A History
John Hustaix - The Legal Profession:  A HistoryJohn Hustaix - The Legal Profession:  A History
John Hustaix - The Legal Profession: A History
 
Sports Writing for PISAYyyyyyyyyyyyyyy.pptx
Sports Writing for PISAYyyyyyyyyyyyyyy.pptxSports Writing for PISAYyyyyyyyyyyyyyy.pptx
Sports Writing for PISAYyyyyyyyyyyyyyy.pptx
 
定制(BU文凭证书)美国波士顿大学毕业证成绩单原版一比一
定制(BU文凭证书)美国波士顿大学毕业证成绩单原版一比一定制(BU文凭证书)美国波士顿大学毕业证成绩单原版一比一
定制(BU文凭证书)美国波士顿大学毕业证成绩单原版一比一
 
Good Governance Practices for protection of Human Rights (Discuss Transparen...
Good Governance Practices for protection  of Human Rights (Discuss Transparen...Good Governance Practices for protection  of Human Rights (Discuss Transparen...
Good Governance Practices for protection of Human Rights (Discuss Transparen...
 

Data Protection Guide: A Global Legal Guide

  • 1. The International Comparative Legal Guide to: Data Protection 2014
    1st Edition
    A practical cross-border insight into data protection law
    Published by Global Legal Group, with contributions from: BANNING; Barrera, Siqueiros y Torres Landa, S.C.; CMS Reich-Rohrwig Hainz; Dittmar & Indrenius; DLA Piper; ECIJA ABOGADOS; Eversheds; Gilbert + Tobin Lawyers; Herbst Kinsky Rechtsanwälte GmbH; Hunton & Williams; KALO & ASSOCIATES; Koep & Partners; Marrugo Rivera & Asociados, Estudio Jurídico; Matheson; Mori Hamada & Matsumoto; Opice Blum, Bruno, Abrusio e Vainzof Advogados Associados; Osler, Hoskin & Harcourt LLP; Pachiu & Associates; Pestalozzi; Portolano Cavallo Studio Legale; Raja, Darryl & Loh; Subramaniam & Associates (SNA); Wigley & Company; Wikborg, Rein & Co. Advokatfirma DA
  • 2. The International Comparative Legal Guide to: Data Protection 2014 (www.ICLG.co.uk)

    General Chapter:
    1 Data Protection – a Key Business Risk – Bridget Treacy, Hunton & Williams

    Country Question and Answer Chapters:
    2 Albania – KALO & ASSOCIATES: Eni Kalo
    3 Australia – Gilbert + Tobin Lawyers: Peter Leonard & Ewan Scobie
    4 Austria – Herbst Kinsky Rechtsanwälte GmbH: Dr. Sonja Hebenstreit & Dr. Isabel Funk-Leisch
    5 Belgium – Hunton & Williams: Wim Nauwelaerts & Laura De Boel
    6 Brazil – Opice Blum, Bruno, Abrusio e Vainzof Advogados Associados: Renato Opice Blum
    7 Canada – Osler, Hoskin & Harcourt LLP: Adam Kardash & Bridget McIlveen
    8 China – Hunton & Williams LLP Beijing Representative Office: Manuel E. Maisog & Zhang Wei
    9 Colombia – Marrugo Rivera & Asociados, Estudio Jurídico: Ivan Dario Marrugo Jimenez
    10 Finland – Dittmar & Indrenius: Jukka Lång & Iiris Keino
    11 France – Hunton & Williams: Claire François
    12 Germany – Hunton & Williams: Dr. Jörg Hladjk & Johannes Jördens
    13 India – Subramaniam & Associates (SNA): Hari Subramaniam & Aditi Subramaniam
    14 Ireland – Matheson: John O’Connor & Anne-Marie Bohan
    15 Italy – Portolano Cavallo Studio Legale: Laura Liguori & Federica De Santis
    16 Japan – Mori Hamada & Matsumoto: Akira Marumo & Hiromi Hayashi
    17 Kosovo – KALO & ASSOCIATES: Loriana Robo & Atdhe Dika
    18 Malaysia – Raja, Darryl & Loh: Tong Lai Ling & Roland Richard Kual
    19 Mexico – Barrera, Siqueiros y Torres Landa, S.C.: Mario Jorge Yanez V. & Federico de Noriega O.
    20 Namibia – Koep & Partners: Hugo Meyer van den Berg & Chastin Bassingthwaighte
    21 Netherlands – BANNING: Monique Hennekens & Chantal Grouls
    22 New Zealand – Wigley & Company: Michael Wigley
    23 Norway – Wikborg, Rein & Co. Advokatfirma DA: Dr. Rolf Riisnæs & Dr. Emily M. Weitzenboeck
    24 Romania – Pachiu & Associates: Mihaela Cracea & Ioana Iovanesc
    25 Slovenia – CMS Reich-Rohrwig Hainz: Luka Fabiani & Ela Omersa
    26 South Africa – Eversheds: Tanya Waksman
    27 Spain – ECIJA ABOGADOS: Carlos Pérez Sanz
    28 Switzerland – Pestalozzi: Clara-Ann Gordon & Dr. Michael Reinle
    29 United Kingdom – Hunton & Williams: Bridget Treacy & Naomi McBride
    30 USA – DLA Piper: Jim Halpert & Kate Lucente

    Contributing Editor: Bridget Treacy, Hunton & Williams
    Account Managers: Edmond Atta, Beth Bassett, Antony Dine, Susan Glinska, Dror Levy, Maria Lopez, Florjan Osmani, Paul Regan, Gordon Sambrooks, Oliver Smith, Rory Smith
    Sales Support Manager: Toni Wyatt
    Sub Editors: Nicholas Catlin, Amy Hirst
    Editors: Beatriz Arroyo, Gemma Bridge
    Senior Editor: Suzie Kidd
    Global Head of Sales: Simon Lemos
    Group Consulting Editor: Alan Falach
    Group Publisher: Richard Firth
    Published by Global Legal Group Ltd., 59 Tanner Street, London SE1 3PL, UK. Tel: +44 20 7367 0720. Fax: +44 20 7407 5255. Email: info@glgroup.co.uk. URL: www.glgroup.co.uk
    GLG Cover Design: F&F Studio Design
    GLG Cover Image Source: iStockphoto
    Printed by Ashford Colour Press Ltd. May 2014
    Copyright © 2014 Global Legal Group Ltd. All rights reserved. No photocopying.
    ISBN 978-1-908070-98-2
    ISSN 2054-3786

    Disclaimer
    This publication is for general information purposes only. It does not purport to provide comprehensive full legal or other advice. Global Legal Group Ltd. and the contributors accept no responsibility for losses that may arise from reliance upon information contained in this publication. This publication is intended to give an indication of legal issues upon which you may need advice. Full legal advice should be taken from a qualified professional when dealing with specific situations.

    Further copies of this book and others in the series can be ordered from the publisher. Please call +44 20 7367 0720
  • 3. EDITORIAL

    Welcome to the first edition of The International Comparative Legal Guide to: Data Protection.

    This guide provides the international practitioner and in-house counsel with a comprehensive worldwide legal analysis of the laws and regulations of data protection.

    It is divided into two main sections:
    One general chapter entitled Data Protection – a Key Business Risk.
    Country question and answer chapters. These provide a broad overview of common issues in data protection laws and regulations in 29 jurisdictions.

    All chapters are written by leading data protection lawyers and industry specialists and we are extremely grateful for their excellent contributions.

    Special thanks are reserved for the contributing editor Bridget Treacy of Hunton & Williams for her invaluable assistance.

    Global Legal Group hopes that you find this guide practical and interesting.

    The International Comparative Legal Guide series is also available online at www.iclg.co.uk.

    Alan Falach LL.M.
    Group Consulting Editor
    Global Legal Group
    Alan.Falach@glgroup.co.uk
  • 4. ICLG TO: DATA PROTECTION 2014 (WWW.ICLG.CO.UK). © Published and reproduced with kind permission by Global Legal Group Ltd, London

    Chapter 19: Mexico
    Barrera, Siqueiros y Torres Landa, S.C.
    Federico de Noriega O.
    Mario Jorge Yanez V.

    1 Relevant Legislation and Competent Authorities

    1.1 What is the principal data protection legislation?

    In Mexico, the Mexican Federal Constitution (Constitución Política de los Estados Unidos Mexicanos) provides the right of data protection and grants Congress the power to issue federal laws related to protection of personal information.

    In an effort to unify, clarify and extend data protection, and in compliance with its constitutional mandate to issue a federal data protection law, Congress enacted the Federal Law on Protection of Personal Data held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) (the “Data Protection Law”), which is the main data protection law in Mexico. The Data Protection Law was published in the Official Gazette of the Federation on July 5, 2010 and became effective on July 6, 2010.

    The Regulations of the Data Protection Law were published on December 21, 2011 (Reglamento de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares (the “Data Protection Regulations”)). Thereafter, the regulator issued on January 17, 2013 certain rules for drafting privacy notices (Lineamientos del Aviso de Privacidad) (the “Privacy Notice Guidelines”). In addition to the foregoing, the regulator has issued several recommendations and guidelines with respect to the appointment of data privacy officers and security measures.

    1.2 Is there any other general legislation that impacts data protection?

    There are industry-specific laws that have an impact on data protection such as the Banking Law (Ley de Instituciones de Crédito), the Law for the Transparency and Order of Financial Services (Ley para la Transparencia y Ordenamiento de los Servicios Financieros) and the Federal Law of Consumer Protection (Ley Federal de Protección al Consumidor). The Federal Copyright Law (Ley Federal del Derecho de Autor) also regulates ownership and use of databases.

    1.3 Is there any sector specific legislation that impacts data protection?

    The consumer sector is directly impacted by the general data protection provisions in the Federal Law of Consumer Protection (Ley Federal de Protección al Consumidor) that contain some data privacy provisions. There are plenty of financial laws that impact data protection, including the Banking Law (Ley de Instituciones de Crédito), the Law for the Transparency and Order of Financial Services (Ley para la Transparencia y Ordenamiento de los Servicios Financieros), the Investment Funds Law (Ley de Fondos de Inversión), and the Law to Protect and Defend the User of Financial Services (Ley para la Protección y Defensa del Usuario de Servicios Financieros). The Federal Copyright Law (Ley Federal del Derecho de Autor) contains some as well.

    1.4 The Data Protection Law applies to every private party (natural person or entity) that collects, uses, transfers or stores Personal Data. What is the relevant data protection regulatory authority(ies)?

    The Federal Institute for Access to Public Information and Data Protection (Instituto Federal de Acceso a la Información Pública y Protección de Datos) (“IFAI”) has the authority to investigate compliance and penalise infringements of personal data protection laws by both government agencies and private parties (the latter when violating the Data Protection Law).

    2 Definitions

    2.1 Please provide the key definitions used in the relevant legislation:

    “Consent”: Expression of the will of the Data Owner by which data processing is enabled.

    “Data Controller”: Individual or private legal entity that decides on the processing of personal data.

    “Data Owner”: The natural person to whom the personal data corresponds.

    “Data Processor”: The natural person or entity that individually or jointly with other natural person(s) or entities processes the Personal Data on behalf of the Data Controller.

    “Dissociation”: The procedure through which personal data cannot be associated with the data owner nor allow, by way of its structure, content or degree of disaggregation, identification thereof.
  • 5. “Financial or Patrimonial Data”: Financial and Patrimonial Data is mentioned as a concept but is not a defined term in the Data Protection Law. However, financial data has been recently defined in a resolution of the privacy regulator (Instituto Federal de Acceso a la Información Pública y Protección de Datos) [File PS.0004/13, Defendant: Seguros Banamex, S.A. de C.V.] as the credit history, revenues, expenses, bank accounts, insurance, bonds, bank services or any other data that is part of an individual’s estate.

    “Personal Data”: Any information pertaining to a natural person that is identified or identifiable.

    “Public Access Source”: Databases whose information may be accessed by any person, without further requirement except, where appropriate, the payment of a fee, in accordance with the Data Protection Regulations.

    “Processing”: The collection, use, disclosure or storage of Personal Data by any means. Use includes access, management, exploitation, transfer or disposal of Personal Data.

    “Sensitive Personal Data”: Personal Data touching on the most private areas of the data owner’s life, or whose misuse might lead to discrimination or involve a serious risk for said data owner. In particular, sensitive data is considered to be that which may reveal items such as racial or ethnic origin, present and future health status, genetic information, religious, philosophical and moral beliefs, union membership, political views and sexual preference.

    “Third Party”: A Mexican or foreign individual or legal entity other than the Data Owner or the Data Controller.

    3 Key Principles

    3.1 What are the key principles that apply to the processing of personal data?

    Consent: The Data Controller shall obtain the consent of the Data Owner for processing his/her Personal Data for determined purposes.

    Data Quality: The Data Controller shall process the exact, complete, correct, strictly necessary and updated Personal Data in order to achieve the purposes for which the data is processed.

    Information: Prior to the collection and use of the Data Owner’s Personal Data, the Data Controller has to make available a privacy notice disclosing the purposes for which the data is being collected and meeting several other statutory requirements.

    Lawful basis for processing: The Data Controller shall process Personal Data in accordance with national and international laws.

    Loyalty: The Data Controller has the obligation to process Personal Data privileging the protection of the Data Owner’s interests and a reasonable expectation of privacy.

    Proportionality: The Data Controller may only process Personal Data that is necessary, adequate and relevant for the purposes disclosed when collecting it, applying a minimisation criterion in accordance with such purposes.

    Purpose limitation: Personal Data may only be processed to comply with the purposes disclosed in the privacy notices.

    Responsibility: The Data Controller is liable and accountable for the Processing of Personal Data kept by the Data Controller as well as for the Personal Data shared with its Data Processors.

    4 Individual Rights

    4.1 What are the key rights that individuals have in relation to the processing of their personal data?

    Access to data: Data Owners have the right to access their Personal Data and to review the privacy notice applicable to the processing of their Personal Data.

    Rectify data: Data Owners have the right to rectify their Personal Data whenever it is incomplete, out-dated or imprecise.

    Cancel data: Data Owners have the right to cancel their Personal Data in case such data is not required for the purposes set forth in the privacy notice, or if such Personal Data is being used for purposes not consented to.

    Objection to data processing: Data Owners have the right to object to the Processing of their Personal Data for purposes beyond what is necessary for the origination and maintenance of the relationship with the Data Controller.

    Revoke the consent or limit the use or disclosure of Personal Data: Data Owners are entitled to, at any time, revoke the consent granted for the processing of their Personal Data or partially or completely limit the use or disclosure of it, for the purposes that are not necessary for the origination and maintenance of the legal relationship between the Data Controller and him/her, and be included in an exclusion list, for purposes such as requesting to not be contacted (i.e. marketing purposes).

    File complaints with relevant data protection authority(ies): Data Owners have the right to complain before the IFAI in case any private party does not answer his/her request to exercise access, rectification, cancellation, objection or revocation rights in the manner and within the term provided by the Data Protection Law and the Data Protection Regulations.

    5 Registration Formalities and Prior Approval

    5.1 In what circumstances is registration or notification required to the relevant data protection regulatory authority(ies)? (E.g., general notification requirement, notification required for specific processing activities.)

    The Data Protection Law does not provide for any registration or notification to the data protection regulator.
  • 6. WWW.ICLG.CO.UKICLG TO: DATA PROTECTION 2014 © Published and reproduced with kind permission by Global Legal Group Ltd, London 151 Barrera, Siqueiros y Torres Landa, S.C. Mexico 5.2 On what basis are registrations/notifications made? (E.g., per legal entity, per processing purpose, per data category, per system or database.) Registrations and notifications are not applicable. 5.3 Who must register with/notify the relevant data protection authority(ies)? (E.g., local legal entities, foreign legal entities subject to the relevant data protection legislation, representative or branch offices of foreign legal entities subject to the relevant data protection legislation.) Registrations and notifications are not applicable. 5.4 What information must be included in the registration/notification? (E.g., details of the notifying entity, affected categories of individuals, affected categories of personal data, processing purposes.) Registrations and notifications are not applicable. 5.5 What are the sanctions for failure to register/notify where required? Registrations and notifications are not applicable. 5.6 What is the fee per registration (if applicable)? Registrations and notifications are not applicable. 5.7 How frequently must registrations/notifications be renewed (if applicable)? Registrations and notifications are not applicable. 5.8 For what types of processing activities is prior approval required from the data protection regulator? Prior approval from the data protection regulator is not required for any type of processing. 5.9 Describe the procedure for obtaining prior approval, and the applicable timeframe. Approval is not applicable. 6 Appointment of a Data Protection Officer 6.1 Is the appointment of a Data Protection Officer mandatory or optional? In accordance to the Data Protection Law, every Data Controller must appoint a person or department in charge of Personal Data (“Data Protection Officer” or “DPO”). 
The main functions of the DPO are to process requests from Data Owners about the exercise of their access, rectification, cancellation, revocation and objection rights of privacy and to promote the protection of Personal Data within their companies or organisations. The Data Protection Law is relatively ambiguous with respect to the appointment of a DPO within an organisation and fails to provide specific criteria, methods or mechanisms for companies or organisations to follow for this purpose. The IFAI has published certain non-mandatory guidelines and recommendations for the appointment of the DPO.

6.2 What are the sanctions for failing to appoint a mandatory Data Protection Officer where required?

The Data Protection Law does not provide a specific sanction for failing to appoint a DPO.

6.3 What are the advantages of voluntarily appointing a Data Protection Officer (if applicable)?

This is not applicable since it is required to appoint a DPO.

6.4 Please describe any specific qualifications for the Data Protection Officer required by law.

There are no specific qualifications for the DPO in the Data Protection Law. Pursuant to the recommendations of the IFAI, the following are a few of the ideal characteristics of the profile for a DPO:

Experience in Personal Data protection or knowledge of the subject.
Vision and leadership.
Organisational and communication skills.
Resource availability and exploitability.
Due position and hierarchy within the entity.

6.5 What are the responsibilities of the Data Protection Officer, as required by law or typical in practice?

Some of the specific duties/tasks of the DPO are the following:

Setting forth and managing procedures for the reception, processing and timely attention of requests made by Personal Data Owners in the exercise of their access, rectification, cancellation and/or objection rights.
Monitoring developments and changes in law regarding Personal Data protection and privacy that may affect the actions performed within the organisation at any given time and taking the necessary steps to adjust them.

Drafting, publishing, delivering and executing Personal Data protection practices and policies within the organisation or otherwise adjusting the current ones with the applicable legal framework.

Developing instruments to assess the efficiency and effectiveness of such practices and policies.

Surveying and reviewing the internal procedures of the organisation regarding collection, use, exploitation, storage, cancellation, application and transfer of Personal Data in order to ensure its protection and strict compliance with the principles stated in the Data Protection Law.

Coordinating and training the other areas or departments of the organisation for them to acknowledge the practices and policies issued as well as the compliance with such.

Promoting internal and external data protection as well as taking on the position of Personal Data representative of the entity.
6.6 Must the appointment of a Data Protection Officer be registered/notified to the relevant data protection authority(ies)?

The appointment does not need to be registered or notified with any data protection authorities.

7 Marketing and Cookies

7.1 Please describe any legislative restrictions on the sending of marketing communications by post, telephone, e-mail, or SMS text message. (E.g., requirement to obtain prior opt-in consent or to provide a simple and free means of opt-out.)

The Data Protection Law and the Data Protection Regulations provide that processing for marketing, advertising or commercial promotion purposes needs to be expressly and specifically included as one of the “purposes of processing” in the privacy notice. Such rules provide for the creation of exclusion lists, which are databases intended to record the refusal of the Data Owner concerning the processing of his/her personal data for marketing and/or offering and promoting goods, products and services by any physical or technological means. Consent is required but it may be implied consent. Therefore, it is an opt-out system. Opt-out mechanisms shall be expressly included in the privacy notice.

The Federal Law of Consumer Protection (Ley Federal de Protección al Consumidor) sets forth rules aimed at protecting private consumer data and data exchanged in consumer transactions and specifically in electronic transactions. It provides for the registration of consumers on the Public Registry of Consumers, which will be made up of a list of consumers that do not want to be contacted to receive any kind of marketing communications. To date, the Public Registry of Consumers only allows a phone number to be listed, to avoid receiving marketing phone calls. This law provides for an opt-out system.
The Federal Law to Protect and Defend Users of Financial Services (Ley de Protección y Defensa al Usuario de Servicios Financieros) provides that financial institutions regulated thereunder shall not contact their consumers for marketing or advertising purposes when they have expressly asked not to be contacted or if they are registered in the no-call registry of the National Commission for the Defense of Financial Consumers. This law provides for an opt-out system.

The Federal Law of Transparency and Order of Financial Services (Ley Federal para la Transparencia y Ordenamiento de Servicios Financieros) provides that clients of banks and loan companies may only be contacted to offer them financial products if they expressly accepted to be contacted and only through their business address, phone or email. This law provides for an opt-in system.

The Credit Institutions Law (Ley de Instituciones de Crédito) includes rules protecting information provided by bank consumers from being used for advertising or marketing purposes without authorisation. Users of financial services may register their email addresses and phone numbers in order to avoid unwanted advertising.

The Regulatory Law of Credit Reporting Companies (Ley para Regular las Sociedades de Información Crediticia) provides that Credit Reporting Companies may not use the data contained in credit reports in marketing or advertising promotions.

7.2 Is the relevant data protection authority(ies) active in enforcement of breaches of marketing restrictions?

The IFAI has been very active in the enforcement of data protection rules. Recently the IFAI has imposed severe fines on diverse private parties; in particular, the regulator has imposed fines on financial entities arising from infringements of marketing restrictions.

7.3 What are the maximum penalties for sending marketing communications in breach of applicable restrictions?
A fine of up to 320,000 days of the minimum daily wage in Mexico City (approximately €1,200,000) may be imposed for sending unsolicited marketing communications. Fines may be doubled when dealing with Sensitive Data.

7.4 What types of cookies require explicit opt-in consent, as mandated by law or binding guidance issued by the relevant data protection authority(ies)?

Currently neither the Data Protection Law nor the Data Protection Regulations require explicit opt-in consent for the collection of Personal Data through cookies. On the other hand, the Privacy Notice Guidelines provide that where the Data Controller uses mechanisms through remote or local electronic means that allow automatic collection of Personal Data, Data Controllers shall inform the Data Owner conspicuously about the use of such technologies and the manner to disable such methods.

7.5 For what types of cookies is implied consent acceptable, under relevant national legislation or binding guidance issued by the relevant data protection authority(ies)?

Please see answer above.

7.6 To date, has the relevant data protection authority(ies) taken any enforcement action in relation to cookies?

Currently, we have no notice of any sanction or proceeding initiated by the regulator regarding this matter.

7.7 What are the maximum penalties for breaches of applicable cookie restrictions?

By the interpretation of the Data Protection Law, consent being an essential principle protected by the law, if a Data Controller collects and processes Personal Data without consent or without informed consent (i.e., failing to include cookie warnings), a Data Controller may be sanctioned with a fine from 200 to 320,000 days of the General Minimum Wage in Mexico City (approximately €750 to €1,200,000), and likewise, such fine may be doubled when dealing with Sensitive Data.

8 Restrictions on International Data Transfers

8.1 Please describe any restrictions on the transfer of personal data abroad.
Personal Data may be transferred to third parties in Mexico or abroad as long as: (i) such transfer was disclosed in the privacy notice; (ii) the transferee receives a copy of the privacy notice; and (iii) the transferee uses the Personal Data for the purposes disclosed in the privacy notice. The privacy notice must contain a specific clause indicating that the Data Owner authorises transfer to third parties. The transferee or recipient shall be liable for the same obligations as those imposed on the Data Controller.

Transfers may be made without the Data Owner’s consent when the transfer is: (i) required by law or an international treaty; (ii) required for medical treatment or services; (iii) to affiliates, subsidiaries or controlling companies; (iv) required by a contract to be executed or executed between the transferee and the Data Owner; (v) required for public interest or for administration of justice; (vi) required for the recognition, exercise or defence of a right in a judicial procedure; or (vii) required to maintain or perform an agreement between the Data Controller and the Data Owner.

8.2 Please describe the mechanisms companies typically utilise to transfer personal data abroad in compliance with applicable transfer restrictions.

Companies typically execute a Data Transfer Agreement, which states all the responsibilities that the Data Controller and transferee will have in order to comply with the Mexican laws.

8.3 Do transfers of personal data abroad require registration/notification or prior approval from the relevant data protection authority(ies)? Describe which mechanisms require approval or notification, what those steps involve, and how long they take.

There is no registration or notification requirement for data transfers.
9 Whistle-blower Hotlines

9.1 What is the permitted scope of corporate whistle-blower hotlines under applicable law or binding guidance issued by the relevant data protection authority(ies)? (E.g., restrictions on the scope of issues that may be reported, the persons who may submit a report, the persons whom a report may concern.)

Whistle-blowing is not expressly regulated by the Data Protection Law or the Data Protection Regulations, and currently the authority has not published any guidance related to this matter. Note, however, that whenever Personal Data is collected, processed and/or transferred, a privacy notice shall be provided by the Data Controller to the Data Owners prior to the Processing of his/her data.

9.2 Is anonymous reporting strictly prohibited, or strongly discouraged, under applicable law or binding guidance issued by the relevant data protection authority(ies)? If so, how do companies typically address this issue?

As mentioned in our answer above, whistle-blowing is not expressly regulated by the Data Protection Law or the Data Protection Regulations and currently the authority has not published any guidance related to this matter. Typically, and for the purposes of a whistle-blowing system, companies inform their employees (in their Privacy Notice) that their Personal Data may be used for anonymous reporting and investigation or for the implementation of a whistle-blowing system.

9.3 Do corporate whistle-blower hotlines require separate registration/notification or prior approval from the relevant data protection authority(ies)? Please explain the process, how long it typically takes, and any available exemptions.

There is no registration or notification requirement for whistle-blower hotlines.

10 CCTV and Employee Monitoring

10.1 Does the use of CCTV require separate registration/notification or prior approval from the relevant data protection authority(ies)?
As mentioned before, the Data Protection Law does not provide for any registration or notification to the Data Protection Regulator.

10.2 What types of employee monitoring are permitted (if any), and in what circumstances?

Employee monitoring is not regulated by the Data Protection Law. However, any methods used to collect Personal Data shall be disclosed to the Data Owners in the privacy notice.

10.3 Is consent or notice required? Describe how employers typically obtain consent or provide notice.

Typically employers inform their employees of the collection of their Personal Data through the Privacy Notice. The form of consent varies depending on whether the Personal Data is Sensitive Data, Financial Data or any other data. If Sensitive Data is processed, express written consent is required. Express consent is required for the processing of Financial Data and implied consent is required for the processing of any other Personal Data. In the case of CCTV systems, we understand that only ordinary Personal Data is collected, so implied consent is enough. The IFAI has issued some recommendations on short-form privacy notices to be used for CCTV systems. In the case of employee monitoring and collection of Sensitive Data or Financial Data, employers will require express written consent from the employee.

10.4 To what extent do works councils/trade unions/employee representatives need to be notified or consulted?

No notice to unions or employees’ representatives is required.

10.5 Does employee monitoring require separate registration/notification or prior approval from the relevant data protection authority(ies)?

The Data Protection Law does not provide for any registration or notification to the data protection regulator in this regard.
11 Processing Data in the Cloud

11.1 Is it permitted to process personal data in the cloud? If so, what specific due diligence must be performed, under applicable law or binding guidance issued by the relevant data protection authority(ies)?

The Data Protection Regulations regulate cloud computing. The Data Protection Regulations provide that Data Controllers shall only contract cloud-computing services from a provider that meets the following requirements: (i) have policies and procedures similar to those contemplated by the Data Protection Law and the Data Protection Regulations; (ii) disclose the fact that it subcontracts third parties; (iii) not condition the service upon becoming the owner or acquiring any right over the Personal Data; (iv) maintain the confidentiality of Personal Data; and (v) have mechanisms to: (a) notify changes in their privacy policies; (b) allow the Data Controller to limit the processing of the Personal Data; (c) have security measures that are reasonable with respect to the service; (d) guarantee the cancellation of data once the service is terminated; and (e) block access to the Personal Data to those persons that do not have access privileges except when ordered by a competent authority and the Data Controller is informed of such order.

The Data Protection Regulations state that Data Controllers shall not contract cloud-computing services that do not guarantee adequate data protection.

11.2 What specific contractual obligations must be imposed on a processor providing cloud-based services, under applicable law or binding guidance issued by the relevant data protection authority(ies)?

Please refer to the answer above.

12 Big Data and Analytics

12.1 Is the utilisation of big data and analytics permitted? If so, what due diligence is required, under applicable law or binding guidance issued by the relevant data protection authority(ies)?

The Data Protection Law does not regulate the utilisation of big data or analytics and the IFAI has not issued any guidance on this matter.

13 Data Security and Data Breach

13.1 What data security standards (e.g., encryption) are required, under applicable law or binding guidance issued by the relevant data protection authority(ies)?

Data Controllers shall adopt the security measures and procedures that are necessary to protect the Personal Data against damage, loss, alteration, destruction and unauthorised use, access or processing. These measures shall at least be equal to the measures that the Data Controller uses to protect its own information.

In this regard, the IFAI published on October 30, 2013 in the Official Gazette of the Federation the “Recommendations on Security of Personal Data”, in order to provide Data Controllers with some guidance with respect to the minimum actions considered necessary for the security of Personal Data. Adoption of the foregoing recommendations is voluntary and monitoring thereof does not exempt Data Controllers from their liability for any breach of their databases.

The IFAI has expressed as a general recommendation the adoption of a Security Management System of Personal Data (“SGSDP”), which the Institute has defined as a “general management system to establish, implement, operate, monitor, review, maintain and improve processing and security of personal data on the basis of the risk of the assets and of the basic principles of legality, consent, information, quality, purpose, loyalty, proportionality and liability provided for in the Data Protection Law, its regulations, secondary regulations and any other principle which provided good international practice in the matter”. The recommended SGSDP has four cycles with different phases and activities known as Plan-Do-Check-Act.
13.2 Is there a legal requirement to report data breaches to the relevant data protection authority(ies)? If so, describe what details must be reported, to whom, and within what timeframe. If no legal requirement exists, describe under what circumstances the relevant data protection authority(ies) expects voluntary breach reporting.

Data Protection Law does not require the reporting or notification of data breaches to the IFAI.

13.3 Is there a legal requirement to report data breaches to individuals? If so, describe what details must be reported, to whom, and within what timeframe. If no legal requirement exists, describe under what circumstances the relevant data protection authority(ies) expects voluntary breach reporting.

Yes. Data breaches need to be notified to the Data Owners but only those that significantly affect the patrimonial or moral rights of the Data Owners. Data Controllers must send the notice immediately after becoming aware of the data breach. The notification must include: (a) the nature of the incident; (b) the compromised data; (c) the recommendations to the Data Owners as to what measures he/she may take to protect his/her interests; (d) corrective actions taken by the Data Controller; and (e) how he/she can get more information on the matter.

14 Enforcement and Sanctions

14.1 Describe the enforcement powers of the data protection authority(ies):

| Investigatory Power | Civil/Administrative Sanction | Criminal Sanction |
| --- | --- | --- |
| Federal Institute for Access to Public Information and Data Protection (Instituto Federal de Acceso a la Información Pública y Protección de Datos; “IFAI”). | Administrative Sanctions. | |
14.2 Describe the data protection authority’s approach to exercising those powers, with examples of recent cases.

Infringements of the Data Protection Law are subject to sanctions by the regulator (administrative fines) and to civil and criminal liability by the corresponding authorities (mentioned above). Administrative fines may be from 100 to 320,000 times the daily minimum wage (approximately €375 to €1,200,000), and doubled when dealing with Sensitive Personal Data; criminal liability may also be found in the event of illegal handling of personal data.

Precedents regarding sanctions applied to private parties are: (i) a bank infringed several provisions of the Data Protection Law arising from a request of exercise of access, rectification, cancellation and objection rights; the authority sanctioned the bank with a fine of €900,00 approx.; (ii) a sports club failed to include in its privacy notice the options and means by which the data owner could limit the use or disclosure of their personal data, and was sanctioned by our regulator with a fine of €72,000 approx.; and (iii) a savings bank that did not have a privacy policy and collected personal financial and economic data without the express consent of the Data Owner was sanctioned with a fine of €72,000 approx.

15 E-discovery / Disclosure to Foreign Law Enforcement Agencies

15.1 How do companies within Mexico respond to foreign e-discovery requests, or requests for disclosure from foreign law enforcement agencies?

Mexican companies typically request that any request for disclosure of Personal Data be supported by a legally valid document or judicial order provided by the foreign competent authority and delivered through appropriate diplomatic or judicial channels.
15.2 What guidance has the data protection authority(ies) issued?

The IFAI has failed to issue any guidance on this matter.

Acknowledgment
The authors would like to acknowledge the assistance of their colleague Rodrigo Méndez S. in the preparation of this chapter.

| Investigatory Power | Civil/Administrative Sanction | Criminal Sanction |
| --- | --- | --- |
| Public Prosecutor’s Office. | | Corporal penalties from six months to five years imprisonment. |
| Civil Courts. | Civil Sanctions (tort liability/claim of damages/honour and reputation). | |
Mario Jorge Yanez V.
Barrera, Siqueiros y Torres Landa, S.C.
Paseo de Tamarindos 150 PB
Bosques de las Lomas
Mexico City, D.F., 05120
Mexico
Tel: +52 55 5091 0165
Fax: +52 55 5091 0123
Email: mjyanez@bstl.mx
URL: www.bstl.com.mx/en

Mr. Yanez received his law degree at Universidad Nacional Autónoma de México (1986-1991), followed by a Master’s degree at Columbia University in New York (1992-1993). Mr. Yanez has excelled in different practice areas such as Mergers and Acquisitions; Foreign Trade (Anti-dumping Investigations and NAFTA Disputes); Environmental; Data Protection; Entertainment and Gaming; Nationality/Immigration. Mr. Yanez clerked at Barrera, Siqueiros y Torres Landa (BSTL) from 1988-1991, becoming a full-time associate in 1992. Mr. Yanez moved to the United States to earn his Master’s degree at Columbia University (1992-1993) and to occupy a foreign associate position at Vial, Hamilton, Koch & Knox LLP (Dallas, Texas; 1993-1994). Mr. Yanez returned to BSTL to resume his position as associate, becoming partner in 2000. Mr. Yanez has received recognitions from Chambers Global, Chambers Latin America, Latin America’s Leading Lawyers for Business, Latin Lawyer 250, and other publications. Mr. Yanez is admitted to practice law in Mexico.

Mr. Yanez is also available at: Barrera, Siqueiros y Torres Landa, S.C., Av. Ricardo Margáin 444, Torre Norte, Mezzanine “A”, Valle del Campestre, San Pedro Garza Garcia, N.L., 66265, Mexico, Tel: +52 (81) 8220 1500, Fax: +52 (81) 8220 1529.

Federico de Noriega O.
Barrera, Siqueiros y Torres Landa, S.C.
Paseo de Tamarindos 150 PB
Bosques de las Lomas
Mexico City, D.F., 05120
Mexico
Tel: +52 55 5091 0154
Fax: +52 55 5091 0123
Email: fnoriega@bstl.mx
URL: www.bstl.com.mx/en

Mr. Noriega completed his law degree at Universidad Iberoamericana (2000-2005), followed by a Master’s degree at Harvard Law School (2006-2007). Mr. Noriega’s areas of practice include Commercial Law, Mergers and Acquisitions, Corporate Financing and Data Protection. Mr. Noriega was a foreign associate at Sidley Austin LLP (New York office) in 2007 and 2008, after which he re-joined Barrera, Siqueiros y Torres Landa. Mr. Noriega was elevated to partnership at BSTL in 2014. Mr. Noriega was awarded Academic Excellence by the Universidad Iberoamericana for scoring the Highest GPA of his class. Chambers & Partners Latin America 2012 and 2013 editions ranked Mr. Noriega as an “Associate to watch” in “Banking and Finance”. Mr. Noriega is admitted to practice law in Mexico and in the State of New York.

BSTL is one of the leading firms in Mexico with more than 65 years of experience. BSTL is a full-service firm with the necessary resources to meet the challenges our clients face in some of the most important transactions in their history as well as on a day-by-day basis. Moreover, the diversity of our firm allows us to provide comprehensive legal advice in any particular transaction, meeting all of our clients’ expectations.

BSTL is well recognised by its clients, peers and local authorities for its work in several areas of practice, including privacy, corporate services, mergers and acquisitions, real estate, antitrust, arbitration and litigation and government procurement.

Our privacy team has advised clients in issues related to compliance of general privacy laws and industry-specific privacy laws (labour, consumer-protection, financial and health laws). We analyse the data Processing activities carried out by our clients and provide business-oriented solutions.