Data Privacy Law

According to its press release, throughout 2021 the Mexican Data Protection Authority (INAI) imposed fines of approximately $4.5 million on individuals and/or legal entities that had infringed the Data Privacy Law.

In 2021, a total of 1,930 complaints were filed before the INAI for the unlawful processing of personal data. The most relevant sectors were financial services and insurance, mass media information, and health and social assistance.

Among the most frequent actions that result in penalties are:

  • collecting or transferring personal data without the corresponding consent of the data subject; and
  • non-compliance with requirements for privacy notices, as set out in the law.

Fines range from 100 days of minimum wage in Mexico (approximately $475) to 320,000 days of minimum wage (approximately $1.5 million). They are calculated per infringement (the law sets out 18 infringement types or breaches), taking into account the nature of the data, the financial capacity of the collector and the negligence of the infringer. Fines can be doubled when processing sensitive data or in the case of a repeat infringement.

The fines associated with privacy law non-compliance have broad implications: beyond the amount itself, they could also impact the company's reputation and operations, its brand equity and its financial position.

Compliance with Data Privacy Law

Compliance is possible through several mechanisms, including:

  • making the privacy notice available to data subjects and making the corresponding updates;
  • appointing a data privacy officer;
  • implementing administrative, technical and physical security measures to protect personal data against damage, loss, alteration, destruction or unauthorised use, access or processing;
  • developing a mandatory and enforceable privacy framework within the organisation;
  • adopting clauses for personal data transfers or data processing;
  • implementing privacy awareness and training programs; and
  • monitoring compliance through regular audits.


Privacy compliance does not revolve only around contracts, policies and legal paperwork. In most cases, a holistic approach to compliance requires a company to hire new service providers, adopt and implement security policies, or appoint a local chief information security officer to mitigate future risks.

The Data Privacy Law can be difficult to navigate, but the sentiment "privacy is a journey, not a destination" paired with legal advice is helpful when tackling such issues.

For further information on this topic please contact Luis Gerardo García, Jorge Kargl, Gaby Finkel or Dafne Mendez at Creel, García-Cuellar, Aiza y Enriquez, SC by telephone (+52 55 4748 0600).