Protection site

Trends in Data Protection Enforcement in Mexico – Commentary

Data Privacy Law
Data Privacy Law Compliance

Data Privacy Law

According to them Press releasethroughout 2021, the Mexican Data Protection Authority (INAI) imposed fines of approximately $4.5 million on individuals and/or legal entities that violated data privacy law.

In 2021, a total of 1,930 complaints were filed with the INAI for unlawful processing of personal data, the sectors most affected being financial services and insurance, media information, health and welfare.

Some of the most common actions that result in penalties include:

  • collect or transfer personal data without the corresponding consent of the data subject; and
  • Failure to comply with privacy notice requirements as required by law.

Fines range from 100 days of minimum wage in Mexico (about $475) to 320,000 days of minimum wage (about $1.5 million). They are calculated per offense (the law defines 18 types of offense or breach), and are calculated taking into account the nature of the data, the financial capacity of the collector and the negligence of the infringer. Fines can be doubled when processing sensitive data or in the event of a relapse.

Fines associated with non-compliance with privacy law have broad implications – the amount of these fines could also impact the reputation and operations of the company, its brand value and its position. financial.

Data Privacy Law Compliance

Compliance is possible through several mechanisms, including:

  • make the privacy notice available to data subjects and make updates accordingly;
  • appoint a data protection officer;
  • implement administrative, technical and physical security measures to protect personal data against damage, loss, alteration, destruction or unauthorized use, access or processing;
  • develop a mandatory and enforceable privacy framework within the organization;
  • adopt clauses for the transfer of personal data or the processing of data;
  • implement privacy awareness and training programs; and
  • monitor compliance through regular audits.


Privacy is not just about contracts, policies and legal documents. In most cases, a holistic approach to compliance requires a company to hire new service providers, adopt and implement security policies, or appoint a local information security officer to mitigate future risks. .

Data privacy law can be tricky to navigate, but the “privacy is a journey, not a destination” sentiment coupled with legal advice is helpful in solving such issues.

For more information on this subject, please contact Luis Gerardo Garcia, Jorge KarglGaby Finkel or Dafne Mendez in Creel, García-Cuellar, Aiza y Enriquez, SC by phone (+52 55 4748 0600 ) or email ([email protected], [email protected], [email protected] Where [email protected]). The Creel, García-Cuellar, Aiza y Enriquez, SC website can be accessed at