The GDPR and its impact on Mexican companies

GDPR impact ENG

Laura Van Gompel – The GDPR most certainly also had an impact outside the EU, for example in Mexico. As a result of the GDPR, modified compliance, and data protection programs worldwide, many Mexican companies had to adapt to new processes or practices imposed by their European business partners or parent companies. Moreover, Mexican companies also undergo a direct influence of the GDPR.


First of all, the GDPR becomes applicable to Mexican companies that offer services or goods to data subjects located in the EEA. Whether the Mexican company in question acts as a controller or processor is irrelevant, as well as the location of the processing activity. Also, the fact whether the transaction was free or upon payment does not matter.

The mere condition that the processing concerns the personal data of an EEA-located data subject, due to goods or services being offered within the EEA, makes the provider/data processor accountable under the GDPR.

Secondly, the GDPR is an important regulator when Mexican companies receive, as a result of a data transfer, access to personal data protected by the GDPR. For instance: when a European controller transfers personal data to a Mexican processor. In this case not only shall a written data processing agreement pursuant to article 28 GDPR be required, but also a sufficient transfer tool within the meaning of articles 46 ff. GDPR.

An article 28 data processing agreement as such, should not be problematic. As parties can “mold” the agreement in accordance with their data processing frame, their arrangements, and respective liabilities, including of course all elements set out in article 28.

Article 46

Compliance with article 46 ff. GDPR, however, will not be self-evident. As Mexico has not received an adequacy decision in its favor, the most obvious tool shall be the Standard Contractual Clauses, as issued by the European Commission (see the version of June 2021). Please note that also the official SCCs are not necessarily enough to give “sufficient warranty” within the meaning of Chapter V GDPR. According to the EDPB recommendations of June 2021, for some outside EEA transfers, in addition to the SCCs, supplementary measures must need to be taken. This is to guarantee “an essentially equivalent level of protection that meets the EU standards on fundamental rights, necessity, and proportionality”.

The EDPB states that “Standard contractual clauses and other transfer tools mentioned under Article 46 GDPR do not operate in a vacuum.” The exporting party should verify, on a case-by-case basis and, where appropriate, in collaboration with the importer in the third country, if the law or practice of the third country impinges on the effectiveness of the appropriate safeguards contained in the Article 46 GDPR transfer tools.

According to the EDPB, this assessment by the exporter must contain elements:

  • on whether public authorities of the third country of your importer may seek to access the data with or without the data importer’s knowledge, in light of legislation, practice, and reported precedents;
  • on whether public authorities of the third country of your importer may be able to access the data through the data importer or through the telecommunication providers or communication channels in light of legislation, legal powers, technical, financial, and human resources at their disposal, and of reported precedents

The Mexican “situation” has not been the subject of any European case law. However, bearing in mind Schrems II and the abovementioned EDPB guidelines, it seems appropriate to combine article 46 SCCs with supplementary measures, for data transfers to Mexican importers. Certain local laws do indeed regulate and allow (communication) surveillance by public authorities*.


Feel free to contact us for tailor-made legal expertise via our Spanish Desk.


*Código Nacional de Procedimientos Penales, Ley de la Policía Federal, Ley de Seguridad Nacional, Ley Federal de Telecomunicaciones y Radiodifusión, Ley Federal Contra de Delincuencia Organizada, Ley General para prevenir y Sancionar los Delitos en Materia de Secuestro, etc.

More news

Arbitration vs. ordinary court no watertight partitions

The course of an arbitral proceeding is autonomous. On the one hand, this is based on the agreement made …

Hans Van Gompel

Hans Van Gompel recently obtained his certification as a collaborative negotiator. Collaborative negotiations are a voluntary and confidential method …

Price reduction as an alternative

Liezl Steyfkens – 07/11/2022 – The new Belgian Civil Code (CC) adds a brand-new remedy for creditors whose debtor …

Subscribe to our newsletter