Mexico

In this regard, it has to be mentioned firstly, that the Controller must safeguard and be accountable of any PI under its custody, or any PI that it has shared with any vendor, either in Mexico or abroad. In order to comply with this principle, the Controller must make use of any best international practices corporate policies, self-regulatory schemes, or any other suitable mechanism for this effect.
Furthermore, Article 19 of the Federal Law for the Protection of Personal Information in Possession of Private Entities requires from every data controllers to implement and maintain administrative, technical and physical security measures, which prevents the collected and stored personal information from any loss, alteration, destruction, or from any unauthorized access and use.
Said measures cannot be lesser than those used by the data owner to protect its own information, and for its implementation the data owner must consider the existent risk the possible consequences for the data subjects, the sensibility of the data and the technological development