
Legal

Personal Data Protection for Mexican Businesses: 2025 Obligations

9 min read · January 2025

The Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) has been in force for over 10 years, yet most Mexican businesses still do not fully comply with it. Fines can exceed 20 million pesos.

Who Does the Law Apply To?

The LFPDPPP applies to any private individual or legal entity that processes personal data. This includes: physical and online stores, professional firms, clinics and medical offices, businesses with employees, and any business that uses databases of customers, prospects, or vendors.

Key Obligations

The most important obligations imposed by the law are:

The Privacy Notice: What It Must Say

The privacy notice is not a generic text copied from the internet. It must specify: who is responsible for data processing, what data is collected, for what purposes (primary and secondary), whether data is transferred to third parties, how to exercise ARCO rights, and how the notice may be updated. A generic notice can be as serious a violation as having none at all.

Penalties in 2025

The INAI (National Institute for Transparency) can impose fines ranging from 100 to 320,000 times the daily minimum wage, depending on the severity of the violation. In 2024, record sanctions exceeding $20 million pesos were issued to companies in the healthcare and telecommunications sectors. No sector is exempt.

Representative case

How we work: before and after

Situation based on real cases handled by the firm. Data modified to protect client confidentiality.

Before

Clinic Penalized for Sharing Patient Data Without Consent

A dental clinic in SLP was sharing patient lists with a medical expense insurance company without a privacy notice or consent. The National Institute for Transparency (INAI) opened a verification proceeding following a patient complaint. The preliminary fine was set at $1.8 million pesos.

After

Penalty Reduced and Compliance Program Implemented

We submitted an immediate compliance plan to INAI: we drafted the privacy notice, obtained retroactive consent from patients who were still active clients, and deleted records of those who did not consent. The sanction was reduced to the applicable legal minimum: $120,000. The clinic now operates in full compliance with the LFPDPPP.
