Mexico issues Personal Data Protection Rules

por Gustavo Alcocer

The long awaited Personal Data Protection Rules (Reglamento de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares, the “Rules”) were finally issued on December 19, 2010 and published by executive decree of Felipe Calderon, President of Mexico, on December 21, 2011.

The Personal Data Protection Law (Ley Federal de Protección de Datos Personales en Posesión de Particulares, the “Law”) enacted by the Mexican Congress on April 27, 2010 and published on July 5, 2010, had three important dates: July 5, 2011, when the Personal Data Protection Rules should have been published; July 6, 2011, which was the deadline for the designation of the person/entity in charge of personal data compliance and the issuance of the privacy notice and; January 6, 2012, which will be the date when personal data owners may exercise their access, rectification, cancelation and opposition rights (“ARCO Rights”).

The Rules are now part of the Personal Data Protection legal framework in Mexico and have the purpose of regulating the provisions of the Law. Additional definitions to the ones contained in the Law include: ARCO Rights, digital media, exclusion list, administrative, physical and technical security measures, identifiable individual, remittance, electronic and physical back-up and suppression or data deletion.

The broad mandatory scope of application is not with a strict reference to the territory of Mexico but rather with a territorial approach. The Rules apply to any treatment of personal data by private individuals or entities as a result of the treatment of data or activities being performed within the Mexican Territory. As an example, if the responsible compliance person/entity is not I n the Mexican Territory the security measures contained in the Rules still apply.

There is personal data exempted such as data of individual business owners or private professionals and practitioners and such data resulting from a contractual or legal provision. Also public source is further regulated to include yellow pages and the like directories, daily news papers (not limited to printed versions) gazettes and other bulletins. It is not clear if all social networks are public source; thus, the information contained in such networks may not be excluded from application of the Rules.


Personal Data Protection principles contained in legal frameworks around the world are also present in the Rules that impose on the person/entity in charge of compliance to observe: consent, information, quality, purpose, loyalty, proportionality, responsibility, security and confidentiality, as referred to in the Law. Following these principles the Rules impose specific requirements to the different forms of consent, characteristics of the privacy notice, amongst other.

Other provisions of relevance regulate (i) the term to maintain personal data; (ii) the need to implement procedures for conservation, blockage and deletion of personal data; (iii) measures to be adopted by the compliance officer/entity; (iv) obligations of the compliance officer/entity; (v) treatment of personal data on computer systems and the cloud; (vi) national and international remittance of personal data; (vii) outsourcing; (viii) sensitive personal data; (ix) self-regulation and; (x) the exercise of ARCO Rights and the personal data protection administrative procedure, verification and sanctions.

The Rules entered into effect on Thursday December 22, 2011, with the exception of security measures that have been given a holding period of 18 months following the date of publication.