All questions

Intellectual property and data protection

In Mexico, software is not subject to be patented. The Industrial Property Law specifically provides in its Article 19(IV) that software may not be considered as an invention. In practice, software is registered as an intellectual work in accordance with the provisions set forth in the Federal Copyright Law. The foregoing provisions apply to fintech business models and related software; in both cases, they may be registered under the copyright provisions.

Considering the above, in accordance with the provisions set forth within the Federal Copyright Law, when an individual or company requests a contractor to develop software or business models, by the payment of remuneration, the company will own the economic rights over the work and have the rights related to its divulgation, integrity and collection.

Regarding contractors, they may have the right to be expressly mentioned in the role of authors over the parts in which they have participated. It is essential that agreements are drafted in a clear manner and that the terms of the work to be created and its remuneration are stated precisely, considering that in case of doubt, interpretation will be in favour of the author.

When a work is made as a consequence of a labour relationship, established within a written individual labour agreement, it will be presumed, if it is not otherwise agreed, that economic rights will be divided equally between employer and employee. The employer may divulgate the work without the authorisation of the employee but not the other way around. If an individual labour agreement is absent, economic rights will be granted to the employee.

Regarding privacy rights, the Fintech Law regulates the exchange of information with authorities. Specifically, it provides that fintech companies are required to provide information to the CNBV and Banxico about their operations and their clients, including data that may be useful to estimate their financial situation and information that may be useful for mentioned authorities in order to duly comply with their functions.

Additionally, the Fintech Law provides that clients' information shall be considered as confidential and that in no case may fintech companies give notices or information of their activities or services contracted by them unless such information is requested by the client itself, his or her legal representatives or those whose have granted a power of attorney to intervene in the relevant operation or service. This is similar to current banking secrecy provisions.

There are no special rules applying to the digital profiling of clients considering that processing of personal data is not distinguished if physical or electronic means are implemented for this purpose. On this topic, the Federal Law on the Protection of Personal Data held by Private Parties (the Data Protection Law), requires data controllers to obtain consent before processing data subjects' personal information and to obtain that consent through the delivery of a detailed privacy notice that contains at least the requirements set forth within the privacy law framework applicable within Mexico. Furthermore, financial information shall be protected under stricter means and measures than identification data. When processing financial information, express consent is required.

The Data Protection Law also requires data controllers to process personal information in accordance with the following principles: lawful basis for processing; consent; information; data quality; purpose limitation; loyalty; proportionality; and responsibility.

Data controllers shall also adopt the security measures and procedures that are necessary to protect the personal data against damage, loss, alteration, destruction and unauthorised use, access or processing. These measures shall be at least equal to the measures that the data controller uses to protect the company's own information.

If storage is through a cloud computing service provider, the storage will be subject to specific conditions provided within the Regulations of the Data Protection Law. The data controller and service provider (i.e., the cloud computing service provider) relationship, shall be documented within a legal instrument and the relevant service provider, in its role of data processor, shall be informed about the data controller's (company) privacy notice and may only process the personal data received by the data controller, in accordance with its privacy notice and its instructions.

The data controller shall only contract services from a provider that it:

  1. has policies and procedures similar to those contemplated by the Data Protection Law and the Data Protection Regulations;
  2. discloses if it subcontracts to third parties;
  3. does not condition the service upon the service provider becoming the owner or acquiring any right over the personal data;
  4. maintains confidentiality; and
  5. has mechanisms to:
    • notify changes in its privacy policies;
    • allow the data controller to limit the processing of the personal data;
    • have security measures that are reasonable with respect to the service;
    • guarantee the cancellation of data once the service is terminated; and
    • block access to the personal data by persons that do not have access privileges except when ordered by a competent authority and the data controller is informed of such order.

Finally, another essential obligation is that data controllers must appoint a data protection officer or department to answer data subjects' access, rectification, suppression and rejection requests.