May 28, 2018


By: Liliana Hernández

While the GDPR applies directly to the countries members of the European Union (EU), we shall keep an eye on the fact that it also has implications for those countries outside EU which, although they seem tangential, do not lack of relevance, especially when considering the events that have caused different reactions worldwide such as the Cambridge-Analytica case (Facebook) and recently, the cyber-attack in Mexico to the Interbank Electronic Payments System (SPEI), which raise the need for a better understanding of the GDPR; we consider the following as the more relevant aspects thereof:


  • The application of the GDRP extends to the personal data processing by a data controller or data processor stablished out of EU- when the activities of the processing are related to the offer or provision of goods or services are offered or provided by said data processor stablished out of UE.

(Remarks: The above translates in the fact that every Mexican corporation that provides goods or services through an Internet portal and that collects personal data from an interested party located in the EU shall be mandated by the GDPR and at the same time it raises the need for the corporations in our country to comply with the legal framework in Mexico regarding personal data to ensure an optimal level in processing same.



  • The processing of personal data of a child shall be considered illegal when he is at least 16 years old if the authorization for the processing was given by the parent or guardian of the child with respect to the direct provisions of services of the information society(2)


  • The owner of personal data shall be entitled to obtain from the head of the processing, the deletion of his/her personal data in certain cases, for example, when the personal data are no longer needed for the originally agreed purposes, except for the right to freedom of speech.

(Remarks: Known as the Right to Be Forgotten, provides that any person (individual or legal entity) has the right to ask the search engines in Internet, such as Google, to remove some search results that could affect them. )


  • The right to data portability provides the prerogative of the owner of personal data for his/her data to be directly transmitted from head to head when it is technically possible.


  • Every owner of personal data shall be entitled to oppose, at any time, to the processing of his/her data which aims to the direct marketing, including profile elaboration.


  • Every responsible person and head of the personal data processing shall take the suitable technical and organizational steps to ensure the appropriate security level.


  • Every person or corporation that carry out a personal data transfer to a country outside the EU, must be ensure that said country guarantee an appropriate level of protection for personal data.

(Remarks: The above raises the need to increase the security measures of the databases handled by any Mexican person or corporation that processes personal data of interested parties from the EU).


  • Any security breach, unless an exception according to the GDPR is applicable, shall be notified no later than 72 hours after being aware of same. If the security breach to the personal data poses a high risk for the rights of individuals, the responsible person shall notify the owner of the personal data without undue delay, describing the security breach in a clear and simple language.


  • Every person may receive from the responsible person or from the head of the personal data processing, a compensation for damages.


  • The penalties may range from 20 000 000 Euros to 4% of the total global annual turnover of the previous business year, choosing the higher one.