The Control and Central Management Criterion is incorporated into Mexican data protection law through Article 4 of the Regulations to the Federal Law on the Protection of Personal Data Held by Private Parties 2011. This provision extends the applicability of the law to entities that may not be formally incorporated or registered in Mexico but have their central management and control located within the country.The regulation defines "establishment" for corporate bodies in three ways:

1. "the location of the principal management of the business"
2. For foreign entities: "the location of the principal management of the business in Mexico"
3. In absence of the above: "any stable installation that allows actual or real performance of an activity"

This broad definition ensures that the law applies to entities that have a significant presence in Mexico, even if they are not formally incorporated there. The use of terms like "

principal management

" and "

stable installation

" indicates that the law focuses on the actual operational control and decision-making center of the entity, rather than its formal legal status.

Implications

This criterion has several important implications for businesses:

1. Foreign companies with management in Mexico: Companies incorporated abroad but managed primarily from Mexico will likely fall under the jurisdiction of Mexican data protection law.
2. Stable installations: Even without formal incorporation or principal management in Mexico, companies with stable installations performing real activities in the country may be subject to the law.
3. Flexible interpretation: The broad language allows for a flexible interpretation of what constitutes "establishment," potentially capturing a wide range of business arrangements.
4. Compliance obligations: Entities meeting these criteria must comply with Mexican data protection law, including appointing representatives and implementing necessary mechanisms to fulfill legal obligations.
5. Extra-territorial effect: This provision effectively extends the reach of Mexican data protection law beyond its borders, capturing foreign entities with significant ties to Mexico.

Businesses operating in or with connections to Mexico should carefully assess their management structure and operational presence to determine if they fall under the jurisdiction of Mexican data protection law based on this Control and Central Management Criterion.