{"id":26154,"date":"2025-03-21T22:44:48","date_gmt":"2025-03-21T22:44:48","guid":{"rendered":"https:\/\/basham.com.mx\/?p=26154"},"modified":"2025-03-21T22:44:50","modified_gmt":"2025-03-21T22:44:50","slug":"new-federal-law-for-the-protection-of-personal-data-held-by-private-parties-published-in-the-official-gazette-of-the-federation","status":"publish","type":"post","link":"https:\/\/basham.com.mx\/en\/new-federal-law-for-the-protection-of-personal-data-held-by-private-parties-published-in-the-official-gazette-of-the-federation\/","title":{"rendered":"New Federal Law for the Protection of Personal Data Held by Private Parties Published in the Official Gazette of the Federation"},"content":{"rendered":"

Mexico City, March 21 2025<\/p>\n\n\n\n

On March 20, 2025, the New Federal Law for the Protection of Personal Data in Possession of Private Parties (NLFPDPPP)<\/strong> was published in the Official Gazette of the Federation (DOF)<\/strong>. The law will come into effect on March 21, 2025, superseding the Federal Law for the Protection of Personal Data Held by Private Parties (LFPDPPP)<\/strong>, which is hereby repealed.<\/p>\n\n\n\n

Key Modifications Introduced by the NLFPDPPP<\/strong><\/p>\n\n\n\n

1. Modification and Clarification of Definitions<\/strong><\/p>\n\n\n\n

The NLFPDPPP revises several definitions from the previous law. Below are some of the key modifications:<\/p>\n\n\n\n

Concept<\/strong><\/td>LFPDPPP (Old Definition)<\/strong><\/td>NLFPDPPP (New Definition)<\/strong><\/td><\/tr>
Privacy Notice<\/strong><\/td>A physical, electronic, or other format document generated by the data controller that is made available to the data subject prior to the processing of their personal data, in accordance with Article 15 of the law.<\/td>A document available to the data subject in physical, electronic, or any other format, generated by the data controller at the time their personal data is collected, informing them of the purposes of processing, in accordance with Article 14 of the law.<\/td><\/tr>
Databases<\/strong><\/td>An ordered set of personal data concerning an identified or identifiable person.<\/td>An ordered set of personal data referring to an identified or identifiable person, subject to specific criteria, regardless of its form, mode of creation, storage type, processing, or organization.<\/td><\/tr>
Consent<\/strong><\/td>The manifestation of the data subject’s will, enabling processing.<\/td>The free, specific, and informed manifestation of the data subject’s will, allowing personal data processing.<\/td><\/tr>
Personal Data<\/strong><\/td>Any information concerning an identified or identifiable natural person.<\/td>Any information concerning an identified or identifiable person. A person is considered identifiable if their identity can be determined directly or indirectly through any information.<\/td><\/tr>
Sensitive Personal Data<\/strong><\/td>  Personal data that affects the most intimate sphere of its holder or whose improper use could lead to discrimination or pose a serious risk to them. In particular, data that may reveal aspects such as racial or ethnic origin, present or future health status, genetic information, religious, philosophical, and moral beliefs, trade union membership, political opinions, and sexual preference are considered sensitive.<\/td>Personal data that affects the most intimate sphere of the data subject or whose improper use could lead to discrimination or pose a serious risk to them. By way of example, but not limited to, personal data that may reveal aspects such as racial or ethnic origin, present or future health status, genetic information, religious, philosophical, and moral beliefs, political opinions, and sexual preference are considered sensitive.<\/td><\/tr>
ARCO Rights<\/strong><\/td>No definition in the LFPDPPP.<\/td>The rights of Access, Rectification, Cancellation, and Opposition (ARCO)<\/strong> regarding personal data processing.<\/td><\/tr>
Public Access Sources<\/strong><\/td>Databases that can be consulted by any person, subject to applicable fees, in accordance with the provisions of the Regulations of this Law.<\/td>Databases, systems, or files that, by law, may be publicly accessed without any prohibitive regulation, subject to applicable fees. Information obtained unlawfully is not considered a public access source.<\/td><\/tr>
Data Controller<\/strong><\/td>A private individual or legal entity that decides on the processing of personal data.<\/td>Now explicitly referred to as Regulated Entities<\/strong> under section XVI of this article.<\/td><\/tr>
Regulated Entities<\/strong><\/td>No definition in the LFPDPPP.<\/td>Individuals or private legal entities engaged in personal data processing.<\/td><\/tr>
Processing<\/strong><\/td>The collection, use, disclosure, or storage of personal data by any means. Includes access, handling, use, exploitation, transfer, or disposal.<\/td>Any operation or set of operations applied to personal data, whether manual or automated, including collection, recording, organization, conservation, modification, retrieval, dissemination, and deletion.<\/td><\/tr>
Transfers<\/strong><\/td>Any communication of data to a person other than the data controller or processor.<\/td>Any communication of personal data within or outside Mexico to a person other than the data subject, controller, or processor.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

2. Consent Requirements<\/strong><\/p>\n\n\n\n

The NLFPDPPP mandates that consent must be free, specific, and informed<\/strong>. Tacit consent remains valid as a general rule, a principle previously outlined in the Regulation of the LFPDPPP but now explicitly incorporated into the law.<\/p>\n\n\n\n

Key changes include:<\/p>\n\n\n\n