Federal Law on the Protection of Personal Data held by Private Parties (LFPDPPP) Mexico

Overview

The Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) is Mexico’s primary privacy law for private-sector organizations. Enacted in 2025, this version updates the 2010 framework, strengthening obligations around consent, transparency, and accountability for the processing of personal data. It applies to individuals and businesses that collect, store, or use personal data for commercial or professional purposes. The 2025 law includes expanded rights for individuals, higher security standards, and stricter penalties.

Regulation Summary

  • Enacted: March 20, 2025
  • Effective: March 21, 2025
  • Repeals: 2010 version of the LFPDPPP

  • Private individuals and legal entities engaged in data processing for commercial purposes.
  • Businesses operating in Mexico or offering goods/services to individuals in Mexico.
  • Foreign companies that process data of Mexican residents.

  • Personal data processed for purely personal or household use.
  • Data governed by other sector-specific regulations (e.g., credit bureaus).

  • Obtain lawful, informed, and express consent before processing data.
  • Provide clear, accessible, and timely privacy notices.
  • Implement organizational and technical security measures.
  • Maintain data integrity, relevance, and accuracy.

  • Display both simplified and full privacy notices.
  • Incorporate consent mechanisms (opt-in/opt-out) for secondary data uses.
  • Provide mechanisms for exercising ARCO and portability rights.
  • Notify users promptly of any data breaches.

  • Appoint a Data Protection Officer (DPO) or internal data privacy team.
  • Keep updated records of processing activities.
  • Establish procedures for international and third-party data transfers.

  • Access: Individuals can access their personal data.
  • Rectification: Correct inaccurate or outdated data.
  • Cancellation: Request data deletion.
  • Objection: Object to specific uses of their data.
  • Portability: Request transfer of their data in a machine-readable format.

  • Authority: Ministry of the Interior (Secretaría de Gobernación) through the National Authority for Personal Data Protection.
  • Penalties:
    • Fines from 100 to 320,000 days of the UMA (Unidad de Medida y Actualización – approx. $1,206 to $3,857,007 USD).
    • Temporary or permanent suspension of data processing activities.
    • Criminal sanctions, including imprisonment for severe violations.