Mexico: Implemented Federal Law on the Protection of Personal Data Held by Private Parties (2010) including data protection regulation

On 5 July 2010, the Mexican Federal Law on the Protection of Personal Data Held by Private Parties was implemented. The law regulates data subject rights, including the right to access, rectification, erasure and opposition (“ARCO rights”). The law also establishes the conditions for data processing including the notification of the data subject, the consent of the data subject for the specified purposes, the necessity of the data processing to perform a contract, comply with a legal obligation or protect vital interests, the availability of data in public sources or a resolution by a competent authority. In addition, data handling organisations must appoint a data protection officer. It further establishes a complaint mechanism with the National Institute for Transparency for Access to Information and Protection of Personal Data (INAI), responsible for overseeing data controllers’ compliance.