

Are you in Compliance with Mexico’s Personal Data Protection Requirements?

October 2011

The “Federal Law of Protection of Personal Data held by Private Parties” (Ley Federal de Protección de Datos Personales en Posesión de los Particulares or LPD) was published last year, establishing the scope and principles for the collection and processing of Personal Data, but the provisions described below only became effective on July 6, 2011, one year after its entry into force. 

Scope and Definitions

The LPD governs every aspect of the use and storage of Personal Data and Sensitive Personal Data, including the purposes for which companies collect such information, the way they store it, with whom they share it, and when and how they delete the information after it is used.

The statute is very broad and affects all private companies or individuals doing business in Mexico.

As with similar data protection laws in other jurisdictions, like the U.S. and EU data protection acts, the LPD includes definitions of crucial terms including:

Any collection of personal data must have a lawful justification and is subject to the consent of the data owner, except as otherwise provided by the LPD.

The provisions of the LPD that had to be implemented as of July 6, 2011, are:

Privacy Notice

The Privacy Notice is a document in hard, electronic, or any other format that must be provided to the data owner, through print, digital, visual or audio formats, or any other technology, containing at least the following information:

In the case of Sensitive Personal Data, the Privacy Notice must expressly state that it is dealing with this type of data.


Penalties for lack of compliance with or violations of the LPD include fines ranging from US $500 to US $1,600,000 per violation, and/or imprisonment for up to five years. In the case of Sensitive Personal Data or recurrence, sanctions are doubled.