19 February 2018 | Jurisdiction reports | Emilio Garate

Mexico jurisdiction report: The treatment of personal data

The law defines “personal data” as any information by which a person is identified or might be identified. The law also establishes the term “sensitive personal data”, which is defined as any personal data that affects the most intimate details of its owner, or data the misuse of which can create situations such as discrimination or cause a grave risk for the owner.

Under the law, racial or ethnic origin, present or future state of health, genetic information, religious, philosophical and moral beliefs, union membership, political opinions and sexual orientation are considered sensitive personal data.

This law establishes that the owner of the personal data has certain rights which are known as the ARCO rights (the initials in Spanish), which are:

  1. Right to access

The owner of the information has the right to access her/his personal data which is in possession of a third party and to be notified through the data privacy notice about the treatment given to the personal data.

  2. Right to rectification

The owner of the information has the right to correct the data when it is incomplete or incorrect.

  3. Right to cancellation

The owner of the information has the right to request the cancellation (removal) of personal data. This action will result in a blocking period, after which the suppression of the data will take place. If the cancellation request is applicable, the authority responsible for the treatment of the personal data will follow these steps:

  1. Determine the period in which the information will be blocked. This period must be notified to the owner of the information;
  2. Block the information;
  3. Implement measures which, if applicable, will allow the information to be maintained without being exploited;
  4. Inform any third party which might have received the information that it is to be suppressed; and
  5. Suppress the information in such a manner that it will not be recoverable by any technique.

  4. Right to oppose

The owner of the information has the right to oppose the use of his/her personal data by the third party.


Personal data may not be cancelled when the following occurs:

  1. The personal data relates to the parties of a private agreement and is needed for the agreement’s purpose.
  2. It must be handled by legal disposition.
  3. It obstructs judicial and administrative procedures relating to tax obligations, investigation and prosecution of felonies, among others.
  4. It is necessary to protect the judicial interests of the owner of the information.
  5. It is necessary for an action in the public interest.
  6. It is necessary to comply with a legal obligation acquired by the owner of the information.
  7. It is handled for medical prevention or medical detection, as long as the handling of the personal data is carried out by a healthcare professional who is under an obligation of secrecy.

Complying with the law

What we have seen in our practice is that small and medium companies in Mexico are willing to comply with the law, but they do not understand the process enough to fully implement its data privacy policies. They may draft a data privacy notice without any real policy to back it up, or they do not fully understand what type of information is considered personal data when drafting the notice.

To implement a data privacy policy, the first step is to categorise the information that is collected and classify it as business information and personal information.
