Recently, the National Institute of Transparency, Access to Information and Protection of Personal Data («INAI», for its acronym in Spanish) issued a guide titled «Suggested minimum criteria for contracting cloud computing services that involve the processing of Personal Data» (hereinafter the «Guide»).


The purpose of this Guide is to provide suggestions or criteria for individuals or legal entities that wish to hire cloud computing services, offered by either domestic or international companies, especially when such services involve the processing of personal data.


According to the Guide, among the issues that must be verified prior to contracting a cloud computing service, and that are related to the provisions of the Regulations of the Federal Law on Protection of Personal Data Held by Private Parties, are:


  • The reputation of the service provider;
  • The location of the provider and the place where the personal data will be stored;
  • Jurisdiction and applicable laws;
  • Whether the service provider has appropriate security measures;
  • Whether the provider will return or destroy the data or any information upon termination of the agreement;
  • Interoperability and portability of the data.


In general, the Guide suggests preferring those suppliers that allow the negotiation of the terms of cloud agreements over those that seek to subject the provision of services to contracts of adhesion.


The full text (in Spanish) of the Guide can be found at:


The IT and Data Protection Practice of the firm will be pleased to provide any additional information.





Adolfo Athie Cervantes

Teresa Espinosa Vega





Mexico City, December 4, 2018