*The information in this article about Mexico's data protection law, LFPDPPP or Ley Federal de Protección de Datos Personales en Posesión de los Particulares, is not and should not be considered legal advice. Please consult your legal counsel to determine its effect on your company, your data privacy and security policies, and your email program.
Mexico's data protection law, LFPDPPP or Ley Federal de Protección de Datos Personales en Posesión de los Particulares, was approved by the Mexican Congress on April 27, 2010. The effective date for enforcement was July 6, 2010.
Key points
- LFPDPPP text:
- Date the law was enforced:
  - July 6, 2010
- Penalties for non-compliance:
  - Penalties for non-compliance range from 100 to 320,000 days of the minimum wage in force within a specific federal district.
  - Additional fines within the same range may be enforced for repeat offenders and may double if the non-compliance is related to processing sensitive personal data.
- Changes to the LFPDPPP:
  - Amendments to the LFPDPPP may occur. Be sure to consult your legal counsel for details about any amendments to the law.
What is the LFPDPPP?
The LFPDPPP is a law intended to protect personal data held by private parties (data controllers) to ensure individual privacy. With this law, Mexican residents (data owners) have the right to:
- Access their personal data held by the data controller.
- Correct inaccurate data.
- Cancel personal data.
  - Cancellation blocks data from processing until the data is erased by the data controller.
- Object to the processing of their data.
How does it affect me?
The LFPDPPP applies to any individual or organization that resides and processes personal data within Mexico. The LFPDPPP applies to foreign organizations when personal data is collected and transferred outside of Mexico.
Should you or your company meet the requirement for compliance, you must take action as outlined within the law.
You may be required to:
- Obtain express consent from the data owner to collect and process their personal data.
- Ensure the personal data is relevant, correct, and up-to-date for the purposes for which it was collected.
- Establish technical security measures to protect personal data from damage, loss, alteration, destruction or unauthorized use, access, or processing.
- Report security breaches to the data owner.
- Designate a person or department that will process data owner access or change requests.
- Process data owner access or change requests.
- Promote the protection of personal data within your organization.
- Verify the data owner's identity to ensure they have the legal right to access or request changes to their personal data.
- Make changes to your privacy policy to be compliant with the law, especially as it relates to sensitive personal data.
- Provide a privacy policy to data owners and notify them of any changes to the privacy policy.
- Provide a privacy policy to third parties when intending to transfer personal data for processing.
  - The third party will assume the same data privacy obligations on transferred data.
Other regulations under Mexican law may exist that could have additional effects on your business. Consult your legal counsel for details on additional regulations.