Applicability of the Federal Law on Protection of Personal Data Held by Private Parties (Mexico)

Mexico's data protection framework for private sector entities is governed by federal legislation that regulates the processing of personal data. The primary role of this framework is fulfilled by the Federal Law on Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares), which establishes the legal requirements for the handling of personal data by private parties.

The law was adopted on March 20, 2025 and became effective on March 21, 2025.

Material Applicability

The Mexican data protection framework establishes two key material applicability factors:

• Filing System Criterion
• Location of Individual who Processes Data

Filing System Criterion

The Regulations Art.3:

"These Regulations apply to the processing of personal data found on physical or electronic media that make possible, access to personal data according to specific criteria, regardless of the form or method of its creation, type of media, processing, storage, or organization."

This provision extends the law's scope to both digital and non-digital processing of personal data that is structured to allow easy retrieval. The criterion applies regardless of:

• Form or method of creation
• Type of media used
• Processing method
• Storage approach
• Organizational structure

Location of Individual who Processes Data

The Regulations Art.4(1)(iv)(1):

"These Regulations will be obligatory for all processing when: [...] The data controller is not established in Mexico and uses media located in Mexico, unless such media are used only for transit purposes that do not involve processing."

Territorial Applicability

The Mexican law establishes five territorial applicability factors:

• Use of Equipment Within Jurisdiction
• Processing by Local Establishment
• Control and Central Management in Jurisdiction
• Processing in Jurisdiction
• Processing by Entity Registered or Incorporated in Jurisdiction

Processing by Local Establishment

The Regulations Art.4(1)(i):

"These Regulations will be obligatory for all processing when: [...] It is carried out in an establishment of the data controller located in Mexico"

The law applies to all data processing activities conducted by establishments located within Mexico, regardless of the data subjects' location.

Control and Central Management

The Regulations Art.4(1)(iv)(3):

"In case of corporate bodies, the establishment shall mean the location of the principal management of the business; in case of corporate bodies residing abroad, the location of the principal management of the business in Mexico, or in the absence thereof, that designated by them or any stable installation that allows actual or real performance of an activity"

This provision extends applicability to entities with their central management in Mexico, even if not formally incorporated there.

Use of Equipment Within Jurisdiction

The Regulations Art.4(1)(iv):

"These Regulations will be obligatory for all processing when: [...] The data controller is not established in Mexico and uses media located in Mexico, unless such media are used only for transit purposes"

The law applies when non-Mexican entities use equipment or media within Mexico for data processing, excluding mere transit purposes.