Following our most recent Client Alert in which we informed you of the modification of the regulatory framework for the collection, processing and protection of personal data, we present below a more detailed analysis of the changes in the Federal Law for the Protection of Personal Data (hereinafter, the “Law”) published in the Official Gazette of the Federation on March 20, 2025, and the considerations that companies must take into account for proper regulatory compliance.
- Modifications in Definitions (art. 2). Several definitions of the terms of the Law are broadened to include more assumptions.
- Privacy Notice: It is modified in such a way that it is understood that it is the document that is made available to individuals at the time data and consent are collected. In the previous text of the Law, it had to be previously made available.
- Databases: It is added that they are made up of identifiable personal data ordered and conditioned to determined criteria – regardless of the modality of creation, type of support, storage and organization.
- Consent: It is added that the will must be free, specific and informed, understanding the need for greater clarity and delimitation of the collection and processing of personal data by the individual in possession. This modification was regulated at the regulatory level.
- Personal Data: It is added that Personal Data is understood as any information that directly or indirectly identifies a person.
- Sensitive Personal Data: It is added that the definition is enunciative but not limiting. It is understood that a sensitive personal data may be any data that may give rise to discrimination, or that entails a risk thereof. Union membership is removed as Sensitive Personal Data.
- ARCO Rights: The complete definition of the rights of Access, Rectification, Cancellation and Opposition to the processing of personal data that the holders of Personal Data have was added to the Law as such.
- Disassociation: The definition is added to the Law as a process by which personal data cannot be associated to a data subject.
- Public Access Source: It is added that they are not considered “Public Access Source” (being these the Public Access Databases) when the information contained therein has been obtained in an unlawful manner in accordance with the provisions of this Law, being understood that the consent was not obtained in an adequate manner.
- Responsible: Only directs the regulated entities.
- Regulated Subjects: The Law is completely amended to modify the nature of the person who collects and processes data from “Data Controller” to “Regulated Subject”.
- Processing: The definition is broadened to include: manual and automated procedures, understood as artificial intelligence processes as well, as well as the inclusion of obtaining, using, recording, recording, organizing, preserving, processing, using, communicating, disseminating, storing, possessing, accessing, handling, using, disclosing, transferring or disposing of personal data as actions that are considered processing.
- Transfers: The definition is broadened to include foreign territory and any communication other than to the holder, the person responsible or the person in charge of the processing.
- Modifications to exceptions for obtaining consent (art. 9). It is modified as an exception to obtaining consent that its transfer is provided for in a “legal provision” in a broad manner, as opposed to a law. Consent could also be omitted only by resolution by a competent authority and is broadened to include court orders, or a grounded and reasoned mandate from a competent authority.
- Obtaining consent each time a treatment different from that foreseen in the Privacy Notice is to be carried out (art. 14). It is understood from the text of the Law that the processing can only be carried out for the purposes for which it was informed in the privacy notice, and, consequently, it is required to obtain consent each time a different processing is to be carried out to the one that was informed. It is important to remember that the processing must be lawful, informed, proportional and adequate for the company’s business purposes.
- Specification of data subject to processing and purposes (art. 15). The Privacy Notice must indicate the Personal Data that will be subject to processing and the purposes of the processing.
- Obligation of administrative, technical and physical security mechanisms for the protection of information (art. 19). The obligation to have several procedures that, considering the company’s activity, generate a reasonable expectation of information protection is strengthened.
- Limitation to the right of opposition (art. 26 fr. II). It is added as a limitation that, in addition to not being necessary for compliance with a legal obligation, it is subject to automated processes that automatically, without human intervention, affect the interests, rights or freedoms of a person.
- Disappearance of the chapter on regulatory authorities. The National Institute of Access to Information as an autonomous constitutional body is abolished and is now the Secretariat of Anticorruption and Good Governance, according to a decree published on March 21, 2025 in the Official Gazette of the Federation.
Challenges to rulings (Article51). The Law provides that amparo proceedings, which are heard by specialized judges and courts, may be brought against the resolutions.
If you have any doubt or clarification on this matter, our Intellectual and Industrial Property team is at your disposal.
