Fintech Market Overview

This article does not constitute legal advice.

Data protection in Mexico


In terms of data protection, applicable law regulates the protection of clients' personal data (as data subjects) and the processing of their information for any purpose, including marketing purposes, by ITFs.1

Here are the most important rules:

  • ITFs must inform clients of the purpose for acquiring and processing their personal data, including marketing purposes, by providing them with a privacy notice that must comply with specific requirements set forth in the Mexican Data Protection Law; excluding certain exceptions, ITFs must obtain clients' consent for processing their personal data as per the terms of the privacy notice;
  • if ITFs use a client's personal data for marketing purposes, the ITFs must implement a mechanism that allows the client to reject the use of his or her information for that purpose, which should be described in the privacy notice and available to clients from the moment the ITF publishes its privacy notice;
  • ITFs must process clients' personal data exclusively on the terms of the privacy notice; and
  • if ITFs 'communicate' personal data to third parties (either processors or controllers), they need to comply with specific requirements set forth in Mexican personal data protection regulations. 1

As one of the stated purposes of processing personal data, digital profiling should be included in the privacy notice if it is to be carried out. When profiling is conducted through an algorithm, without human involvement, a controller must also notify data subjects, through a privacy notice or other appropriate means.1

Cross-border payments in Mexico

Fintech in Mexico

Fintech in other countries

  1. https://thelawreviews.co.uk/title/the-financial-technology-law-review/mexico