
Personal Data and Privacy in Mexico: A Complete Guide for Businesses and Individuals

The protection of personal data in Mexico is a crucial issue for both businesses and citizens. The Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP) establishes the legal framework for the proper handling of individuals' personal information. It doesn’t matter if you run a microbusiness, a medical practice, or a law firm—everyone must comply with this law.


This article is designed to help you:


  • Comply with your obligations as a small business or professional who handles personal data.

  • Exercise your ARCO rights as the owner of personal data.



What Is Personal Data and Privacy?


Personal data is any information that can identify a person. This includes basic information (name, phone number, email) as well as more sensitive details like banking or health records. Sensitive personal data (such as health status, sexual orientation, or religious beliefs) requires an even higher level of protection.


The LFPDPPP protects this data and prohibits its use without consent, except in specific cases outlined by the law.



Business Obligations Under the LFPDPPP


If you’re responsible for processing personal data (e.g., you hire employees, provide services, attend to clients, or do marketing), you must comply with the following principles:


  1. Lawfulness and loyalty

  2. Purpose specification

  3. Consent

  4. Information

  5. Data quality

  6. Proportionality

  7. Accountability

  8. Security


You must also fulfill your duties of confidentiality and data security, and have an up-to-date privacy notice.


What Are ARCO Rights?


ARCO stands for:


  • Access: Know what data a business or professional has about you and how it’s being used.

  • Rectification: Correct inaccurate or incomplete data.

  • Cancellation: Request the deletion of your data.

  • Objection: Oppose the processing of your data for certain purposes.


These rights are free of charge, and you can exercise them with any entity or professional who holds your data.


How to Exercise Your ARCO Rights: Step by Step

According to the INAI (National Institute for Transparency, Access to Information and Personal Data Protection), exercising your ARCO rights involves submitting a formal request to the data controller. You may submit this request in person or digitally, depending on the instructions in their privacy notice.



A. What Should Your Request Include?


  • Full name of the data subject

  • Proof of identity (voter ID, passport, etc.)

  • Legal representative’s ID and authorization (if applicable)

  • Address or other contact method (e.g., email) for notifications

  • Clear description of the ARCO right you wish to exercise

  • Details about the personal data in question (e.g., client number, account ID)

  • Supporting documents (required for rectification, cancellation, or objection)


B. Specific Requirements by Type of Right


  • Access: Indicate your preferred method of receiving the data (printed, digital, email, etc.)

  • Rectification: Specify which data should be corrected and include documentation

  • Cancellation: Explain why you’re requesting deletion

  • Objection: Justify your objection and identify the purposes you disagree with


C. Where to Submit the Request


Check the responsible party’s privacy notice—it must include a specific email, portal, office address, or online form for ARCO requests.


D. What Must the Data Controller Do?


  • Acknowledge receipt of your request

  • Within 5 business days, request any missing information (if applicable)

  • Within 20 business days, inform you whether your request is accepted

  • If accepted, comply with your request within 15 business days


These periods may be extended once for the same amount of time, but only with valid justification.


E. What If You Don’t Receive a Response or Your Rights Are Denied Unjustifiably?


You can file a complaint with the INAI within 15 business days of receiving no response or an unjustified denial. The INAI will initiate a procedure to defend your rights.


Who Can Submit an ARCO Request?


  • The data subject (owner of the personal data)

  • A duly authorized legal representative

  • In the case of minors, deceased individuals, or those under legal guardianship, special documentation is required (birth certificate, sworn declaration, court order, etc.)


ARCO Rights and Businesses: What Are My Duties as a Data Controller?


If you are a small business or independent professional, you must:


  • Designate a person or unit in charge of personal data

  • Have internal procedures for receiving and responding to ARCO requests

  • Maintain updated policies and forms

  • Keep a log of received and processed ARCO requests

  • Inform the data subject of the status of their request within the required timeframe

  • Provide free and accessible mechanisms for data subjects (e.g., web form, email, etc.)


Conclusion


In Mexico, protecting personal data is a constitutional right and a legal obligation. Small businesses must adopt clear policies and procedures to comply with the LFPDPPP. Individuals must know and exercise their ARCO rights to safeguard their privacy.


Complying with the law not only protects you legally—it also builds trust and reputation with clients, users, and employees.


Want to implement a personal data compliance system in your business? Have questions about how to exercise your rights as a data subject?


👉 Write to us. We’re here to help you protect what matters most: your privacy.

📧 contacto@uplaw.com.mx

📱 +52 5655 450 359 (WhatsApp)

 
 
 
