FOR IMMEDIATE RELEASE
MEXICO, D.F. - APRIL 27, 2010
MEXICAN CONGRESS PASSES DATA PROTECTION LAW
The Act will become effective the next day after its publication

FDPA SUMMARY

DATA PRINCIPLES
Private entities shall guarantee the following principles when processing personal data: lawfulness of data processing, data subject's consent, information, data quality, purpose, legitimacy, adequacy to the purposes, and liability.

DATA SUBJECT'S RIGHTS
The Law protects the data subject's rights of access; rectification; erasure or blocking, and objection.

LEGAL PROCEEDINGS
The data subject has the power to engage in legal proceedings if his/her rights have been violated (administrative remedy). In addition, controllers and processors will be subject to liability for unlawful processing of personal data.

SUPERVISORY AUTHORITY
The Federal Institute for Access to Public Information (IFAI) will enforce the Act and protect the fundamental right of data protection in Mexico. The Department of Commerce will also have an active role by promoting best practices on data protection in its area. Other authorities will also support IFAI's goals in their own areas.

Federal Data Protection Act (FDPA)
On April 27th, 2010 the Mexican Senate passed the Federal Data Protection Act (FDPA) for private entities. The new rule establishes the principles, rights and proceedings to protect the fundamental right to data protection according to art. 16 of the Mexican Constitution at a Federal level.
Although not yet published, the Act will become effective the next day after its publication in the Federal Register (Diario Oficial de la Federación).

Fundamental right of data protection, Personally Identifiable Information (PII) and sensitive data
The FDPA protects natural persons (data subjects) and guarantees their right to privacy (data protection). Therefore, legal persons are excluded from such protection.
For the purposes of this law, personal data (PII) shall be any information concerning identified or identifiable natural persons. In particular, the law sets additional guarantees for sensitive data. Such data are those which reveal ideology, trade union membership, religion, beliefs, racial or ethnic origin, current or future health condition, genetic information or sex life.
As a general rule, processing of personal data will require the data subject's consent. Nevertheless, some, and not a few, exceptions may apply. On the other hand, the controller must obtain this consent expressly and in writing, with his/her signature or electronic signature, for sensitive data.

Controller and processor
Private persons, legal or natural, who process PII are under this law. Nevertheless, credit bureaus and persons who process personal data in the exercise of activities which are exclusively personal or domestic are excluded.
The Act defines the controller as the private person, natural or legal, who determines the processing of personal data. The processor is the natural or legal person who alone or jointly with others processes data on behalf of the controller.
Both controller and processor have to adopt measures to fulfill the requirements of the Act and minimize any legal risk.

Principles for making data processing legitimate
Controllers must guarantee the following principles on the processing of personal data:
◆ Lawfulness of data processing;
◆ Quality of data, as they must be relevant, accurate and updated;
◆ Proportionality regarding the purpose for processing of such data as stated in the privacy disclaimer;
◆ Legitimate purpose of the processing;
◆ Data subject's consent, unless an exception applies;
◆ Information to be given to the data subject when collecting his/her data;
◆ Liability in case of unlawful processing of personal data.

©DAVARA ABOGADOS, S.C., 2010
www.davara.com.mx

Data subject's rights
The person whose data are processed is entitled to exercise, unless an exception applies, the following rights:
◆ Right of access: to obtain from the controller information about the data that are being processed;
◆ Right of rectification: when the data processed are inaccurate or incomplete;
◆ Right of erasure: at any time if the processing of data does not comply with the provisions. Erasure implies data being blocked, not being deleted until expiration of the provided legal terms;
◆ Right of objection: to the processing of personal data.

Controller's obligations
The processing of personal data requires adopting several measures in order to guarantee its lawfulness. Among others, the controller shall:
◆ Provide information through a privacy disclaimer to the data subject when collecting his/her personal data;
◆ Adopt and maintain organizational and security measures to protect the personal data and prevent their alteration, loss, unauthorized processing or access;
◆ Obtain the data subject's consent, unless any exception applies;
◆ Establish proceedings so that the data subject can exercise his/her rights.

Codes of conduct, privacy online and other issues
The Act encourages drawing up codes of conduct to increase the level of data protection. Natural or legal persons, by themselves or with the cooperation of national or international civil or governmental organizations, can set such codes of conduct, privacy seals or other mechanisms with rules and standards on privacy. Such instruments shall be notified to the IFAI.
The Act applies to both offline and online processing of personal data. Therefore, controllers shall adopt measures to guarantee a lawful processing of personal data in any case.
Processing of personal data carried out by credit bureaus is excluded from this Act. Such data processing will follow the Federal Credit Bureau of Information Act. There are also specific regulations that could apply in the telecommunication sector according to the Telecommunications Act or in the Health sector.

Infractions and sanctions
Controllers are subject to liability when processing personal data in a way that causes damages to the data subject. An unlawful processing could be punished even with prison when such unlawful processing constitutes a felony.
In particular, the Law contains a range of sanctions that includes warnings to the controller; pecuniary sanctions (up to US$ 1,500,000.00), and even prison when a user with authorized access infringes security measures to obtain data with intent to profit.

Entry into force and deadline for some provisions
The FDPA will become effective the next day after its publication in the Federal Register.
Within a year after the Act becomes effective, the Executive Power will issue a rule regarding several aspects, such as the proceedings for protecting data subjects' rights or the proceeding to impose sanctions.
Controllers shall:
1. within a year after the entry into force of the Act:
   a. Designate a Chief Privacy Officer (CPO)
   b. Provide privacy disclaimers
2. within 18 months after the entry into force of the Act:
   a. Implement procedures to enable data subjects to exercise the rights.

Davara Abogados can provide you expert legal advice regarding the privacy implications of the Act, drafting privacy disclaimers, security documents or training your staff to the level of risk when processing personal data.

About Davara Abogados, S.C.
Davara Abogados is a boutique law firm that provides legal advice and consulting services specialized on ITC Law (data protection/privacy, e-commerce, e-signature and e-Government) to public and private entities.
Although incorporated in Mexico, D.F., Davara Abogados has a long established and leading practice in European IT Law. Also, Davara Abogados participates at ABA, leading the Latin American E-commerce Committee at the Section of Science and Technology Law.

Contact us
For additional information or legal advice, please contact Davara Abogados.

The material in this publication does not constitute legal advice and Davara Abogados does not accept liability for any loss or damage caused to any person relying on any information or omission in the publication.