ASAP

Mexico Has a New Law on Personal Data Protection

By Estefania Rueda Garcia

On March 20, 2025, the new Federal Law on the Protection of Personal Data Held by Private Parties (FLPPD) was published. This law came into force on March 21, and contains important changes in terms of privacy. 

First, the law eliminates the National Institute of Transparency, Access to Information and Protection of Personal Data, the responsibilities of which will be assumed by the Anti-Corruption and Good Government Ministry.

Another significant change is the new definition of personal data. While this concept continues to refer to “information concerning an identified or identifiable person,” the law no longer establishes that such information must belong to a natural person. Similarly, the definition of owner of personal data removes the requirement of being a natural person to be entitled to all the rights enshrined in the Constitution and in this law regarding personal data. This opens the possibility for legal entities to assert the rights of access, rectification, cancellation, and objection (“ARCO Rights”), and for the person responsible for the processing of personal data to be sanctioned for failing to comply with obligations owed to companies, such as providing them with a privacy notice and obtaining their consent to process their information when required by law, among others.

Notwithstanding the above, it is possible that these concepts will be clarified later in regulations, which are pending harmonization with the new law. These must be published within 90 calendar days of the new law coming into force.  

Among other changes, the FLPPD now establishes the following new obligations for those responsible for the processing of personal data:

  1. Provide a simplified privacy notice to the data owners when their information is obtained through electronic or technological means.
  2. Establish controls or mechanisms to ensure that third parties involved in the processing of personal data keep the information confidential, even after the relationship of the controller with the third party has ended.
  3. Promote the protection of personal data within the organization.

Regarding the rights of the data owners, the following are incorporated into the law:

  1. Updating personal data is contemplated as part of the right to rectify the data owner’s information.
  2. Objecting to the automated processing of personal data when it significantly affects the data owner’s rights and the information is analyzed without human intervention, for example, to predict work performance, reliability, behavior of the data owner, etc.

This new legal framework also provides for self-regulation schemes in which those responsible for the processing of personal data may agree among themselves (e.g., companies within the same group, suppliers and customers, etc.) or with civil or governmental organizations, national or foreign, on the metrics to determine compliance with the legislation, as well as sanctions in case of noncompliance. This can be translated into codes, policies, regulations, and processes adopted by the parties to the agreement to ensure compliance with the law and make it easier for the owners of personal data to assert their rights in accordance with the law.

Finally, an issue that could generate progress in the protection of personal data in Mexico is that the decree ordering the publication of the FLPPD also requires the establishment of district courts and specialized courts in the matter within 120 calendar days following the entry into force of the decree in order to resolve the requests for constitutional remedies (amparo petitions) filed by individuals.

Although the penalties for non-compliance with the FLPPD have not changed, it is important to consider that the authority may issue fines ranging from 100 to 320,000 Units of Measurement and Update (currently from USD$565.70 to USD$1,810,240), which can be doubled in case sensitive data is affected (those whose improper use could result in discrimination).

Given the new law, it is important for employers to verify whether they have privacy notices for their employees, candidates, and other holders of personal data they process, as well as to confirm if they are taking measures to guarantee data processing in accordance with current legislation.

Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.