Mexico Data Protection Law: Location of Individual who Processes Data

The factor of Location of Individual who Processes Data is used in determining the law's applicability by considering whether the data controller or processor is physically present within Mexico's territory, regardless of the data subject's location.

Text of Relevant Provisions

The Regulations Art.4(1)(iv)(1):

"These Regulations will be obligatory for all processing when: IV. The data controller is not established in Mexico and uses media located in Mexico, unless such media are used only for transit purposes that do not involve processing. For purposes of this subsection, the data controller shall provide the media necessary to comply with the obligations imposed by the Law, its Regulations, and other applicable rules and regulations with respect to the processing of personal data. For this purpose, it shall designate a representative or implement the mechanism that it considers appropriate, provided that by means of this, it is ensured that the data controller will be able to effectively comply with the obligations that are imposed by law on individuals and corporate bodies that deal with personal data in Mexico."

Original (Spanish):

"Estos Reglamentos serán obligatorios para todo tratamiento cuando: IV. El responsable no esté establecido en México y utilice medios ubicados en México, salvo que dichos medios se utilicen únicamente para fines de tránsito que no impliquen tratamiento. Para los efectos de este apartado, el responsable deberá proporcionar los medios necesarios para cumplir con las obligaciones impuestas por la Ley, sus Reglamentos y demás disposiciones aplicables en materia de tratamiento de datos personales. Para este fin, deberá designar un representante o implementar el mecanismo que considere adecuado, siempre que por medio de este se asegure que el responsable podrá cumplir efectivamente con las obligaciones que le imponga la ley a las personas físicas y morales que traten datos personales en México."

Analysis of Provisions

The Regulations to the Federal Law on the Protection of Personal Data Held by Private Parties 2011 specify that the law applies to data processing activities conducted by individuals or entities that are not established in Mexico but use media located in Mexico, unless such media are used only for transit purposes that do not involve processing. This provision (Art.4(1)(iv)(1)) indicates that the physical presence of the data controller or processor within Mexico's territory is a critical factor in determining the law's applicability.

The use of media located in Mexico by a data controller not established in Mexico triggers the application of the law, requiring the data controller to comply with all obligations imposed by the law, including designating a representative or implementing a mechanism to ensure compliance.

Implications

This factor has significant implications for businesses that process personal data in Mexico. Companies that are not established in Mexico but use media located in Mexico for data processing activities must comply with Mexican data protection laws. This includes designating a representative or implementing a mechanism to ensure compliance with the law's obligations.

For example, a company based in another country that uses servers located in Mexico to process personal data would be subject to Mexican data protection laws, even if the data subjects are not located in Mexico. Conversely, if a company uses media located in Mexico only for transit purposes that do not involve processing, the law would not apply.

Understanding this factor is crucial for businesses to ensure compliance with Mexican data protection laws and avoid potential legal and financial consequences.