New Federal Law on the Protection of Personal Data Held by Private Parties.

On March 20, 2025, the new Federal Law on the Protection of Personal Data Held by Private Parties (the “LFPDPPP”) was published in the Official Gazette of the Federation (the “DOF”). The law entered into force the following day and replaces the original 2010 law.

The new LFPDPPP introduces significant changes to the personal data protection framework in Mexico, with important implications for data subjects and for data controllers.

Changes in Authorities.

The functions related to personal data protection, which were previously carried out by the National Institute for Transparency, Access to Information and Protection of Personal Data (INAI), have been formally assumed by the newly created Ministry for Anti-Corruption and Good Governance due to the dissolution of the INAI. This Ministry is now responsible for overseeing compliance with the law and promoting proper handling of personal data.

Additionally, the law mandates the creation of specialized district courts and collegiate tribunals for data protection, with a deadline of 120 calendar days for their establishment.

Key Regulatory Changes.

1. Expanded definitions potentially broaden the scope of the law.

The definitions of “personal data” and “data subject” have been revised to include any information related to an identified or identifiable person, with no distinction between natural and legal persons (the former law referred exclusively to natural persons). These changes may be interpreted as allowing legal entities to be considered data subjects under Mexican regulation, marking a paradigm shift in the ownership of data protection rights.

2. Changes to the “controller” concept.

Any individual or legal entity that processes personal data is now considered a data controller, even if they do not make decisions regarding such processing. As a result, the obligations of controllers now also extend to data processors.

3. Privacy Notice Requirements

The Comprehensive Privacy Notice is no longer required to disclose data transfers, but must now explicitly identify the personal data being processed, including sensitive data, and the purposes that require consent.

The Simplified Privacy Notice is now mandatory when data is collected via electronic or technological means, and must include the identity and address of the controller, as well as other specific elements.

4. Reinforced Obligations

Data Controllers are required to implement controls or mechanisms to ensure that third parties with access to personal data maintain its confidentiality even after the termination of the contractual relationship, reinforcing the need for proper compliance policies. Additionally, the concept of a “data retention period” is introduced.

5. Strengthened Rights for Data Subjects.

The law provides more detailed guidelines for exercising the ARCO rights (Access, Rectification, Cancellation, and Objection) by data subjects.

The right of access to personal data is broadened to require data controllers to inform the data subject of the general conditions of data processing.

The right of data rectification is expanded to expressly include updates of the personal data.

The right to object is strengthened, allowing data subjects to oppose automated processing of their personal data when it significantly impacts their rights, for example, in algorithmic evaluations without human involvement (profiling).

Next Steps

The Ministry for Anti-Corruption and Good Governance has 90 calendar days to issue the implementing regulations for the new LFPDPPP. These regulations will be essential to clarify aspects such as: (i) the scope of the term “data subject,” now including legal entities; (ii) the rules governing domestic and cross-border data transfers; (iii) the formal requirements for both the comprehensive and simplified privacy notices.

Although secondary regulation is still pending, we recommend that organizations begin to review and update their data privacy policies, including:

  1. The adjustment of privacy notices in line with the new legal framework.
  2. The review of contracts with third parties that involve data processing.
  3. The strengthening of internal compliance programs.

Taking early action will be key to ensuring compliance and minimizing risks under the new regulation.

Our partner in charge of advising you and our expert in these matters, Carlos A. Chávez Pereda (cacp@santoselizondo.com), and our team of lawyers will be attentive to further define the new paradigms that this decision entails, as well as the way to address them in a timely and efficient manner.