Do Companies Operating in Mexico need a Data Protection Officer?

Article 30 of the Federal Law on Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de Particulares or LFPDPPP) mandates that all data controllers must appoint a “person or department of data protection” within the organization. While the law does not use the exact same name, the responsibilities are similar in nature to those of the Data Protection Officer under the GDPR.

What they do

The “person or department of data protection” has two legal responsibilities:

  1. Answering data subject requests, especially those regarding their ARCO rights.
  2. Promoting the protection of personal data within the controller’s organizational structure.

The way in which these responsibilities should be exercised will depend on the nature, size, and needs of the company. Companies should have defined processes and channels to be able to respond to data subjects’ requests in a timely manner and in the most efficient and lawful way.

Functions related to promoting the protection of personal data could include overseeing the design and implementation of the company’s privacy policy, communicating the data protection rules to other departments within the organisation, training the employees, designing a security incident response plan, keeping track of any data breaches, representing the organisation in any communications with the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI), advising the senior management on information security matters, and other similar duties.

Who to appoint

Although the law does not provide guidance on the requirements for this role, the INAI in Mexico has issued recommendations on who should be appointed as the “person or department of data protection”.

The first decision the company must make is whether to designate a single individual, or an entire department. This will depend on the size of the corporation, the type and volume of data being processed, the value of the personal information for the company’s operations, and the expected number of requests from data subjects. Larger companies, those processing sensitive data, or those whose core business depends on the processing of personal data, will be better served by designating an entire department or a whole external firm to ensure that the protection of the information will be well managed.

While there are no requirements regarding the qualities of the designated person or department, it is recommended that they have experience or knowledge in data protection to ensure effective implementation of the law. It is recommended that they hold a senior position within the organisation and that they have sufficient material, technical and human resources to carry out their duties effectively. 

Finally, there is no requirement that the person or department has to be a part of the organisation itself. Companies could therefore appoint an external firm such as FIRST PRIVACY, which is specialised in privacy and data protection, to carry out these tasks.

Registration and location

In Mexico, companies are not required to register or notify the INAI of the appointment of the person or department responsible for personal data. However, it is recommended – although not mandated – that the identity of this person or department be disclosed to the public through the privacy policy or any other effective means. In this way, data subjects will know whom to contact in the event of a request.

There are no restrictions on the location of the appointees, and companies could designate a person located anywhere in the world to fulfil these obligations.

Contact Person

Fábio Cavalcante, LL.M.

Senior Privacy Counsel


Phone: +49 421 69 66 32-886