An Overview of Data Protection in Mexico
Mexico's data protection rules are becoming increasingly important for businesses operating in the country. Companies looking to expand into the Aztec country need to be aware of the intricacies of its data protection law. But what does the law actually entail?
What the Mexican law says
The new Federal Law on the Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de Particulares, LFPDPPP), enacted in 2025 to replace its 2010 predecessor, applies to all private entities that process personal data, including businesses and other private organizations. The law’s objective is to safeguard individuals’ privacy by regulating the collection, use, storage, and transfer of personal information.
Under the LFPDPPP, data controllers must obtain consent from individuals before collecting their personal data and may process such data only for the purposes originally specified. The law also imposes an obligation to implement appropriate technical, administrative, and physical measures to ensure the confidentiality, integrity, and security of the data throughout its lifecycle.
The LFPDPPP has several requirements that businesses must comply with. These include:
- Lawfulness: As a general rule, businesses must rely on a legal basis to ensure the lawfulness of data processing activities.
- Protection of the “ARCO” rights: these are the data subject’s rights to Access, Rectification, Cancellation and Objection. Other rights are also guaranteed, such as the right to revoke consent.
- Ensuring security: Businesses must take steps to ensure the security of personal data. This includes implementing security measures to prevent unauthorized access, use, or disclosure of personal data.
- Appoint an Oficial de Protección de Datos (Data Protection Officer): All data controllers must appoint a responsible person or department to oversee data protection within the organization, ensure compliance, and respond to data subjects’ requests.
Non-compliance with the LFPDPPP can result in significant consequences for businesses. The law provides for fines of up to MXN $18,102,400 in 2025 (approximately $918,000) or double in the case of sensitive personal data. In addition, individuals who benefit from data breaches may be subject to imprisonment. Companies may face reputational damage and loss of customer trust if they are found to have mishandled personal data.
The takeaway for businesses operating in Mexico
The impact of Mexico's data protection laws on businesses can be significant. Compliance with the LFPDPPP can be challenging, particularly for companies that collect and use large amounts of personal data. Businesses must invest in the infrastructure and resources needed to ensure compliance, including engaging expert consultants to help them implement data protection policies and procedures, train staff on data protection practices, and ensure that data security measures are in place.
Contact Person
Tania Vanessa Eslava Suarez, MLB, Jurist
Privacy Counsel
Email: teslava@re-move-this.first-privacy.com
Phone: +49 421 69 66 32-832
FIRST PRIVACY GmbH, Bremen
Manon Punie, LL.M., Lawyer
Privacy Counsel
Email: mpunie@re-move-this.first-privacy.com
Phone: +31 20 211 72 62
FIRST PRIVACY B.V., Amsterdam