Mexico Data Protection Law: Processing by Entity Registered or Incorporated in Jurisdiction

The factor of Processing by Entity Registered or Incorporated in Jurisdiction is used in determining the law's applicability by ensuring that data processing activities carried out by controllers established in Mexico are subject to the local data protection laws.

Text of Relevant Provisions

The Regulations Art.4(1)(i):

"These Regulations will be obligatory for all processing when: I. It is carried out in an establishment of the data controller located in Mexico;"

Analysis of Provisions

The Regulations to the Federal Law on the Protection of Personal Data Held by Private Parties in Mexico specify that the law applies to data processing activities carried out in an establishment of the data controller located in Mexico. This provision indicates that the law's applicability is based on the physical presence or establishment of the data controller within Mexico's territory.

The use of the term "establishment" is further clarified in The Regulations Art.4(1)(iv)(2) and Art.4(1)(iv)(3), which define establishment for individuals and corporate bodies respectively. For individuals, it refers to "the location of their main place of business or that used to perform their activities or their home". For corporate bodies, it means "the location of the principal management of the business" or, for foreign entities, "the location of the principal management of the business in Mexico, or in the absence thereof, that designated by them or any stable installation that allows actual or real performance of an activity".

This broad definition of establishment ensures that the law applies to a wide range of entities operating within Mexico, regardless of their legal structure or origin.

Implications

The inclusion of this factor has significant implications for businesses operating in Mexico:

1. Local companies: All Mexican companies that process personal data must comply with the law, as they are established in Mexico.
2. Multinational corporations: Foreign companies with subsidiaries, branches, or other forms of establishment in Mexico are subject to the law for their data processing activities carried out in these establishments.
3. Home-based businesses: Even individuals processing personal data from their homes in Mexico for business purposes are covered by the law.
4. Foreign companies without physical presence: Companies that process data of Mexican residents but do not have an establishment in Mexico may not be directly subject to this provision. However, they might still be covered by other provisions of the law if they use equipment located in Mexico or target Mexican residents.
5. Data processors: The law also applies to data processors acting on behalf of data controllers established in Mexico, regardless of the processor's location (as per The Regulations Art.4(1)(ii), not directly quoted in the given provisions).
6. Compliance strategies: Companies operating in Mexico need to develop compliance strategies that align with the requirements of the Mexican data protection law, even if they also comply with data protection regulations in other jurisdictions.