Key takeaways

• Obligated Parties: The guidelines are mandatory for all government entities and private companies, referred to as “Diverse Institutions.” This definition is broad and includes companies in sectors such as financial services, healthcare, telecommunications, and any organization managing employee databases.
• Interconnection and Access Requirements: Public institutions and companies must interconnect with the PUI. The technical rules for this interconnection will be published in the Technical Manual for Diverse Institutions, which must be issued within 30 days.
• Personal Data Segmentation: Companies must structure their personal data to collaborate with authorities, differentiating between basic, historical, and continuous searches.
• Registration with Authorities: Legal entities must register in Mexico City using their Llave MX (digital key).
• New Data Protection and Cybersecurity Obligations: Companies connected to the PUI must maintain security measures as required by data protection laws, plus any additional requirements set forth in the Guidelines and Manuals of the PUI.
• Mandatory Notification to RENAPO: Companies must notify the regulator in case of any breach compromising the security of personal data.
• Evidence of Compliance: Companies are required to document and keep updated evidence of compliance with personal data protection legislation.
• Obligation to Cooperate with Authorities: The primary obligation is to assist in the search for missing persons, although the law’s wording may allow for broader interpretations.
• Liability and Sanctions: Companies failing to implement the required measures for PUI interconnection may face fines ranging from USD 60,000 to USD 120,000.
• Implementation Deadlines: Technical and operational manuals must be issued within 30 business days, and the National Personal Identification Service will begin operating no later than 45 business days after the manuals are published.

Recommendation for companies

• Does this apply to me? Assess whether your company qualifies as an obligated party under the law. If necessary, consult with authorities to confirm criteria.
• Do I collect CURP or should I? Review your company’s Personal Data Management Program, identifying existing databases that may be affected by this law. Document any controls or measures not yet formally recorded.
• Update internal processes to ensure secure and continuous interconnection with the PUI, differentiating the types of searches required by the regulations.
• Implement technical and administrative measures for the handling and safeguarding of personal data, ensuring compatibility with the standards defined in the PUI manuals.
• Train staff on new obligations and regulatory risks related to identity data management and cooperation with authorities in cases of missing persons.
• Review and strengthen privacy notices and response protocols for PUI information requests.
• Register your company in the Llave MX system and designate a Technical Liaison for coordination with RENAPO and ATDT.

Conclusion

The entry into force of these guidelines represents a structural change in identity management and personal data protection in Mexico. Companies and obligated parties must anticipate the technical, administrative, and legal challenges posed by interconnection with the Unique Identity Platform, ensuring regulatory compliance, protection of fundamental rights, and avoidance of fines.

Our team is available to provide specialized advice and support your organization in adapting to this new regulatory environment.