Mexico’s Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) was enacted in 2010 to regulate the protection of personal data held by private entities. The law applies to all private entities that collect, store, use or process personal data.
Under the LFPDPPP, personal data is defined as any information concerning an identified or identifiable individual. It includes sensitive personal data such as financial, health or biometric data.
The LFPDPPP requires that personal data must be processed lawfully, and for specific, explicit and legitimate purposes. Individuals must be informed about the purpose of the processing and provide their consent for the processing of their data. The law also requires that entities that hold personal data implement appropriate technical and organizational measures to ensure the confidentiality, security, and integrity of the personal data.
In addition, the LFPDPPP requires that entities that hold personal data have a privacy notice that informs individuals about the type of personal data collected, the purposes of the processing, and the rights that individuals have in relation to their personal data.
The law also provides individuals with several rights, including the right to access, rectify, cancel, and oppose the processing of their personal data. Individuals can exercise these rights by submitting a request to the entity that holds their personal data.
Entities that violate the LFPDPPP may face penalties of up to 2% of their annual revenue, as well as civil and criminal liability.
Mexico has also recently passed the Federal Law for the Protection of Personal Data in Possession of Obliged Subjects (LFPDPPPVO) which regulates the protection of personal data held by public entities. This law establishes similar obligations to the LFPDPPP, such as implementing appropriate measures to ensure the confidentiality, security, and integrity of personal data, and providing individuals with several rights over their personal data.
In conclusion, the LFPDPPP and the LFPDPPPVO establish important obligations and rights for entities and individuals in Mexico with regard to the protection of personal data. Entities must comply with these regulations to avoid penalties and ensure the protection of their customers’ personal data.