Client Alert

Amendments to the Federal Law for the Protection of Personal Data Held by Private Parties

On December 20, 2024, the Mexican government published a decree that amends, adds and repeals several provisions of the Political Constitution of the United Mexican States, regarding organizational simplification of the Mexican government (the “Decree”). The Decree sets forth the dissolution of several government organizations, including the National Institute for Transparency, Access to Information and Protection of Personal Data (“INAI”).


As a result of this legal reform, on March 20, 2025, the new Federal Law for the Protection of Personal Data Held by Private Parties (the “Law”) was enacted. This new Law repeals the previous legislation and establishes a new regulatory framework in this area, which entered into effect on May 21, 2025.


Significant changes have been identified that require companies to review and reassess their data management practices and internal processes. This review is essential to ensure compliance with the Law and to prevent potential sanctions from the competent authority.


Among the most significant changes are the following:

  • Amendments and extensions to key definitions, which will require companies to conduct a comprehensive review of their current personal data processing practices to ensure alignment with the new definitions.
  • Appointment of a new regulatory authority, the Ministry of Anti-Corruption and Good Governance, which replaces the INAI as the competent authority for personal data protection.
  • The incorporation of the amparo proceeding as a constitutional remedy available to challenge resolutions issued by the aforementioned Ministry.

In this regard, Mexican companies will need to update or implement, if necessary, the following documents and procedures to ensure compliance with the Law:

  1. Privacy Notice(s).
  2. Internal policies on data privacy and personal data processing.
  3. Contracts or agreements with third parties regarding data processing.
  4. Procedures for handling ARCO (Access, Rectification, Cancellation, and Opposition) rights requests.
  5. Training programs for personnel involved in the processing of personal data.

Additionally, within 90 calendar days following the effective date of the Law, the Mexican government must issue the corresponding amendments to the regulations and other applicable provisions in this regard.


If your company does not yet have the aforementioned documents or if they need to be updated, the Personal Data Protection team at Cuesta Campos has extensive experience advising clients on any matters related to the implementation of this reform. Should you have any questions or comments, please do not hesitate to contact us.

Contact

Mauricio Castillo
mcastillo@cuestacampos.com

Héctor Valladares
hvalladares@cuestacampos.com

Fionna Folino
ffolino@cuestacampos.com

THE ABOVE IS PROVIDED AS GENERAL INFORMATION PREPARED BY PROFESSIONALS WITH REGARD TO THE SUBJECT MATTER. THIS DOCUMENT ONLY REFERS TO THE APPLICABLE LAW IN MEXICO. WHILE EVERY EFFORT HAS BEEN MADE TO ENSURE ACCURACY, NO RESPONSIBILITY CAN BE ACCEPTED FOR ERRORS OR OMISSIONS. THE INFORMATION CONTAINED HEREIN SHOULD NOT BE RELIED ON AS LEGAL, ACCOUNTING OR PROFESSIONAL ADVICE BEING RENDERED.