The implementing regulations of Mexico’s Federal Law for the Protection of Personal Data (the “Law”) came into effect on 22 December 2011. The regulations have allowed the Law to finally fully enter into force. As reported earlier, Mexico’s privacy law is the first piece of federal legislation to regulate how businesses handle personal information in Mexico.
The implementing regulations bring into force the Law’s provisions dealing with data subjects’ rights to access, correct and delete personal information relating to them, which individuals have been able to exercise since January 2012. Failure to comply with individuals’ requests to exercise these rights are actionable by the Federal Institute of Access to Information and Personal Data and may lead to civil penalties. The regulations also deal with security and breach notification, cloud computing, consent and notice requirements, as well as data transfers.
Although the Law is now fully enforceable, a “honeymoon period” of 18 months has been granted to companies to implement the security measures required under the regulations.
Breaches of the Law may lead to fines as well as to custodial sanctions. If sensitive personal data is processed, the penalties can be increased significantly.