Mexico: Implemented Regulation of the Federal Law on the Protection of Personal Data Held by Private Parties including cross-border data transfer regulation

On 21 December 2011, the Regulation of the Federal Law on the Protection of Personal Data Held by Private Parties including cross-border data transfer regulation was implemented. Regarding data transfers, the Regulation distinguishes between transmissions (remisiones), which occur between a controller and a processor, and a transfer (transferencia), which occur between a controller and a controller. Transmissions do not require data subject consent, though the processor may only process the data for the specified purpose, and cannot make further data transfers contrary to the controller's instructions. Transfers require consent and the data subject must be informed via privacy notice. The receiving controller must assume the same obligations as the transferring controller, which can be formalised by contract. The Federal Institute for Access to Public Information and Data Protection may be consulted on the permissibility of a transfer.