When entering the Mexican market with a franchise system, certain legal aspects must be considered and complied with. For example, legal requirements under the Industrial Property law, such as providing a Franchise Disclosure Document 30 business days before executing the Franchise Agreement, observing the minimum provisions in the Franchise Agreement, and complying with obligations under the Data Protection Law.

Following constitutional amendments that included the right to data protection as a basic right of individuals, in 2010 the Federal Law on Protection of Personal Data held by Private Parties was enacted, followed, in 2011, by its Regulations (together the Data Protection Law). These pieces of legislation – which are complemented by guides issued by Mexico’s data protection authority, the National Institute for Transparency, Access to Information and Protection of Personal Data – apply at a federal level and make up the Mexican data protection legal framework.

The Data Protection Law applies to all processing of personal data by private entities or individuals, except when it is processed for personal or domestic use or by credit bureaus. Franchisors and franchisees will be data controllers with respect to certain personal data they process; for example, franchisees will be controllers of their employees’ personal data and, in some cases, a franchisor is a data controller also with regard to customer data. In this sense, when processing personal data, i.e. any information concerning identified or identifiable individual, both franchisors and franchisees need to be aware of their obligations and responsibilities, which are more onerous for data controllers.

Some of the obligations of data controllers are: (1) to maintain appropriate physical, technical and organizational security measures, (2) to provide a privacy notice to all data subjects, (3) to collect consent from data subjects, where necessary, and (4) to allow data subjects the exercise of their rights (access, rectification, cancellation, objection, etc.). Personal data can be transferred to third countries regardless of the level of protection a country provides if transfers are covered by an agreement that is in compliance with the Data Protection Law and with the privacy notice that was made available to data subjects. Failure to comply with the provisions of the Data Protection Law may result in hefty fines and, if personal data is processed deceitfully or for profit, penalties of imprisonment may be imposed.