Understanding data subject rights in Mexico

Since the country's Federal Law on Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de Particulares or LFPDPPP) was enacted in 2010, Mexico has had a robust legal framework for data protection and data subject rights. The main pillar of the law is the protection of the ARCO rights: Access, Rectification, Cancellation and Opposition. Let us take a closer look at them.


One of the most important rights granted to data subjects in Mexico is the possibility to access their personal data and gain insights into its processing. This encompasses the right to know what personal information is being collected, how it is being processed, and for what purposes. Access can be provided through physical or electronic copies, as well as in any other comprehensible format for the data subject.
This right is essential for individuals to comprehend how their personal information is being utilized and to make informed decisions regarding its processing.


Another essential right of data subjects in Mexico is the right to rectify their personal data. This right empowers individuals to request updates or corrections to their information if it is inaccurate or incomplete, ensuring that their personal data remains current and reliable. The importance of having accurate and up-to-date information is particularly crucial for sensitive records, such as financial or medical data.

It's worth noting, however, that data subjects may need to provide supporting documentation to the data controller in certain instances to validate their rectification request.


Data subjects have the right to cancel their personal data, which involves an initial 'blocking' of the data followed by its eventual deletion. During the 'blocking' phase, the processing of the data is suspended – except for storage purposes, to allow the assessment of any potential liabilities related to the data subject. Once the blocking period ends, the data must be deleted in a manner similar to the 'right to be forgotten' principle established in the European Economic Area.

The right of cancellation empowers individuals to maintain control over their personal information and minimize its exposure by revoking consent to process their data if it is being handled unlawfully.


The right to oppose the processing of personal data is another fundamental right for data subjects in Mexico. It allows individuals to object to the processing of their personal data even when this processing is lawful, if there is a legitimate reason to believe that it may harm the data subject. 

This right ensures that individuals have a say in how their personal information is used and can protect their privacy and interests.

Beyond ARCO

Although the ARCO rights are the most fundamental part of Mexico’s data protection system, data subjects also have other data protection rights. For example, they have the right to know whether they are subject to automated decision-making and to review the information on which such decisions are based.

Data subjects also have the right to withdraw their consent for the processing of their data at any time and refuse the processing of their data for certain specific purposes.

Finally, data subjects in Mexico can file complaints with the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI) if they believe that their rights have been violated. The INAI is responsible for enforcing the LFPDPPP and ensuring that data controllers comply with their obligations under the law. This right is essential for individuals to hold data controllers accountable for any violations of their data subject rights.

The bottom line

Data subject rights in Mexico are comprehensive and provide individuals with a high degree of control over their personal data. Companies operating in Mexico need to know how to handle personal information in a way that is respectful of the data subject’s rights, and must establish an efficient procedure to respond to requests in a lawful manner. Working with expert consultants is a fundamental step to ensure compliance with Mexican data protection regulations and avoid legal and reputational risks.

FIRST PRIVACY offers a tailored approach to each client's unique needs and ensures that their data processing activities are fully compliant with all applicable laws and regulations. By partnering with our firm, companies can rest assured that they are taking the necessary steps to protect their data in a streamlined way while also maintaining their own reputation and credibility in the marketplace.

Contact Person

Fábio Cavalcante, LL.M.

Senior Privacy Counsel

Email: fcavalcante@re-move-this.first-privacy.com

Phone: +49 421 69 66 32-886