1. Summary of Resolution No. SPDP-SPD-2026-0005-R (General Standard on Large-Scale Personal Data Processing)

The resolution establishes a Large-Scale Technical Model (Modelo Técnico de Gran Escala – “MTGE”) that enables an objective and verifiable determination of when a processing activity qualifies as “large-scale.” This model jointly assesses six standardized variables, applicable across all sectors:

• Number of data subjects;
• Volume of personal data processed;
• Categories of personal data;
• Frequency of processing;
• Duration/continuity of processing; and
• Geographic scope of processing.

The outcome of the MTGE must be recorded in the Record of Processing Activities (Registro de Actividades de Tratamiento – “RAT”), kept up to date, and is binding for triggering obligations such as conducting a data protection impact assessment, appointing a Data Protection Officer, recording the processing in the RAT, and adopting enhanced compliance measures.

The resolution also identifies scenarios in which mandatory direct classification as large-scale applies—without the need to apply the MTGE—consistent with the pre-determined processing activities set out in the Regulations to the LOPDP.

These scenarios include: health data and other special categories; systematic/exhaustive assessment involving automated decisions producing legal or similarly significant effects; monitoring/video surveillance in public spaces; biometric data or geolocation; credit/financial information; systematic processing of data relating to children and adolescents; systematic, continuous or structured transfers; and accelerated/express/courier messaging services.

Additionally, the resolution introduces specific governance, audit, and transparency obligations, including the application of the principles of privacy by design and by default, periodic audits, and the preparation of annual reports. It also grants controllers and processors that identify they conduct large-scale processing a ninety (90)-day period, counted from the date the standard enters into force, to appoint their Personal Data Protection Officer and register such appointment before the SPDP.

2. Summary of Resolution No. SPDP-SPD-2026-0003-R (General Standard for Personal Data Processing in Family or Domestic Activities)

The standard on Personal Data Processing in Family or Domestic Activities sets out the purpose, scope of application, and operational definitions to guide companies, organizations, and individuals in identifying processing carried out in the domestic environment and the circumstances in which such processing ceases to be excluded from the LOPDP.

1. The resolution incorporates operational definitions (Public Disclosure and Domestic Digital Environment) that allow interpretation of the scope of personal data processing in domestic settings.
2. The SPDP issued a case-by-case assessment procedure to determine whether personal data processing falls within family or domestic activities, based on the application of criteria (Purpose, Scope, and Impact) in light of technological, social, and/or cultural phenomena that affect the processing.
3. Further, through its general and amending provisions, the resolution establishes amendments to be taken into consideration within Resolution No. SPDP-SPDP-2024-0013-R, regarding the Regulations for the Filing, Receipt, and Processing of Complaints and Requests.

At Bustamante Fabara, we will continue to circulate specialized analyses on the practical application of these regulatory instruments and their implications for the various regulated sectors.

Should you require additional information, please contact us at the following email addresses: