A couple weeks back, the Mexican Data Protection Regulator ("INAI") confirmed an increase in requests for access to information and protection of personal data submitted by data subjects, as compared to 2020. Now, the INAI confirmed that this increase in requests resulted in the imposition of USD $4.5 million in fines during 2021.

Such fines derive from 83 new sanctioning procedures and 43 initiated in other years, but resolved during 2020. In addition, the INAI confirmed that during 2020, there were a total of 278 Procedures for the Protection of Rights; of which 143 dealt with the Right of Access to personal data, 19 for Rectification, 106 for Cancellation and 57 for Opposition to the processing of data.

These numbers are complemented with the previous confirmation by INAI that the most requested rights by data subjects were: (1) rights of access to medical records or medical history; (2) certificates of vaccination, (3) payroll receipts or proofs of payment, (4) pension and retirement records, (5) specific documents with personal information; and (6) the correction of data in the certificate of vaccination against the SARS CoV-2 virus.

According to the INAI's records, the most sanctioned sectors, from highest to lowest, were: (1) financial services and insurance; (2) mass media information; and (3) health and social welfare. In most cases the conduct involved: (1) the collection and/or transfer of personal data without the necessary consent; or (2) delivery of noncompliant privacy notices.

These disclosures by INAI are further evidence of the increase in the awareness of data subject rights. Therefore, it is important for companies operating in Mexico to review their compliance with Mexican data protection laws, as the increase in complaints could also lead to a rise in companies fined by INAI.