DLA Piper Intelligence

Data Protection Laws of the World

National Data Protection Authority

Law 1266 provides for two authorities on data protection and privacy matters. The first, which acts as the general authority, is the Superintendence of Industry and Commerce (Superintendencia de Industria y Comercio, SIC). The second is the Superintendence of Finance (SOF), which supervises financial institutions, credit bureaus and other entities that manage financial data or credit records, and verifies compliance with Law 1266.

Under Law 1581, the SIC is the highest authority in personal data protection and privacy. It is empowered to investigate and impose penalties on companies for the improper collection, storage, use, transfer and deletion of personal data.

Last modified 28 Jan 2021

In the European Union, enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the CNIL in France or the Garante in Italy). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.

The GDPR creates the concept of "lead supervisory authority". Where there is cross-border processing of personal data (ie, processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called "lead supervisory authority" (Article 56(1)).

However, the lead supervisory authority is required to cooperate with all other "concerned" authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).

The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.

Germany does not have one central Data Protection Authority but a number of different Authorities, one for each of the 16 German states (Länder), that are responsible for making sure that data protection laws and regulations are complied with. In addition, the German Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragte für Datenschutz und Informationsfreiheit – ‘BfDI’) is the Data Protection Authority for telecommunication service providers and represents Germany in the European Data Protection Board. To ensure that all the Authorities take the same approach, a committee consisting of members of all Authorities for the public and the private sector has been established – the 'Data Protection Conference' (Datenschutzkonferenz 'DSK'). The coordination mechanism between the German Authorities mirrors the consistency mechanism under the GDPR.

A list with the contact details and websites of the different authorities can be found here.

Last modified 12 Jan 2021
Law

Colombia recognizes two fundamental personal data rights under Articles 15 and 20 of its Constitution: the right to privacy and the right to rectification of personal data. Personal data processing is further regulated by two statutory laws and several decrees that set out data protection obligations.

Statutory Law 1266 of 2008 (Law 1266) regulates the processing of financial data, credit records and commercial information collected in Colombia or abroad. Law 1266 defines general terms on habeas data and establishes basic data processing principles, data subject rights, data controller obligations and specific rules for financial data.

Law 1266 defines the terms Data Subject, Data Source, User of Data and Data Operator as follows:

  • ‘Data Subject’ is the owner (titular) of the information;
  • ‘Data Source’ is a person or entity that receives or collects the information by virtue of a commercial relationship with the Data Subject and shares it with the Data Operator;
  • ‘User of Data’ is a person or entity that accesses databases and uses the information gathered by the Data Operator;
  • ‘Data Operator’ is a person or entity that manages a database with information provided by Data Sources and shares it with Users of Data under the rules of Law 1266. The most common example of a Data Operator is a credit bureau.

Law 1266 sets the rules and conditions under which Data Sources share information with Data Operators, and under which Data Operators manage that information and share it with Users of Data. The law treats the management of financial, credit, commercial and services information as a public interest activity, on the basis that it supports financial and credit activity.

Furthermore, Statutory Law 1581 of 2012 (Law 1581) regulates all personal data processing, as well as databases. Law 1581 defines special categories of personal data, including sensitive data and data collected from minors. Under the law, a ‘Data Controller’ is a legal or natural person that decides on the database and/or the processing of the personal data, and a ‘Data Processor’ is a legal or natural person that carries out the processing on the controller's behalf. The Data Controller creates databases on its own or jointly with others, while the Data Processor processes personal data on behalf of the Data Controller. An entity may act as both Controller and Processor of personal data.

The law further regulates how authorization to process personal data is obtained and the procedures for data processing. It also creates the National Register of Data Bases (NRDB).

Law 1581 is applicable to all data collection and processing in Colombia, except data regulated under Law 1266 and certain other types of data or regulated industries. The law is further applicable in any case where a data processor or controller is required to apply Colombian law under international treaties.

Law 1581 does not regulate:

  • Databases regulated under Law 1266;
  • Personal or domestic databases;
  • Databases intended for national security and defense, or for the prevention of money laundering and terrorism financing;
  • Intelligence and counter-intelligence agency databases;
  • Databases with journalistic information and editorial content; and
  • Databases regulated under Law 79 of 1993 (on population census).

Law 1581 further requires Data Controllers and Data Processors to guarantee that personal data: is maintained pursuant to strict security measures and confidentiality standards, will not be modified or disclosed without the data subject’s consent, and will only be used for purposes identified in a privacy policy or notice.

Decree 1377 of 2013 (Decree 1377) is secondary regulation implementing Law 1581. It addresses, among other matters, personal and domestic databases, authorization for the collection and use of personal data, limitations on data processing, cross-border transfer of databases and privacy notices. It also requires controllers and processors to adopt a privacy policy and a privacy notice.

Decree 886 of 2014 (Decree 886) and Decree 090 of 2018 (Decree 090), issued by the Ministry of Commerce, Industry and Tourism, as well as Resolution 090 of 2018 issued by the Superintendence of Industry and Commerce, regulate the National Register of Data Bases and set deadlines for the registration of existing databases in Colombia.

Last modified 28 Jan 2021
Definitions

The Colombian data protection regime distinguishes between personal data and a sub-category of sensitive personal data, based on the nature of the information and the harm its unlawful use could cause. Both Law 1266 and Law 1581 contain particular rules for sensitive personal data.

Definition of personal data

Under Law 1266, personal data is defined as any information related to, or that may be associated with, one or several determined or determinable natural or legal persons. Personal data is further classified as public, private or semi-private. Public data is data available to the public by legal or constitutional mandate. Semi-private data is data that is neither intimate, reserved nor public, and whose disclosure may be of interest not only to the data subject but also to a particular sector of society (financial and credit data is the typical example). Private data is data that, because of its intimate or reserved nature, is relevant only to the data subject.

Under Law 1581, personal data is defined as any information related to, or that may be related to, one or several determined or determinable individuals, meaning natural persons only. 

Definition of sensitive personal data

Under Law 1266, sensitive personal data is defined as data that due to its sensitivity is only relevant to its owner. 

Under Law 1581, sensitive personal data is any data that affects the data subject's intimacy or whose improper use might cause discrimination. Data that reveals any of the following is considered sensitive, and its processing is prohibited except in the cases listed further below:

  • Ethnic or racial origin
  • Political orientation
  • Religious or philosophic convictions
  • Membership in labor unions, human rights groups or social organizations
  • Membership in any group that promotes any political interest or that promotes the rights of opposition parties
  • Information regarding health and sexual life, and
  • Biometrics

Sensitive data shall only be processed:

  • With a special and specific authorization given by the data subject
  • When it is necessary to preserve the data subject’s life, or a vital interest and such data subject is physically or legally unable to provide authorization
  • When it is data used for a legitimate activity and with all necessary security measures, by an NGO, an association or any kind of nonprofit entity, in which case, the entity will need an authorization granted by the data subject to provide the data to third parties
  • When the data is related to or fundamental to the exercise of a right in the context of a trial or any judicial procedure, or
  • When the data has a historical, statistical or scientific purpose, in which case the identity of the data subject must not be disclosed

Last modified 28 Jan 2021
Registration

Law 1581 created the National Register of Data Bases (NRDB). Databases that store personal data and whose automated or manual processing is carried out by a natural or legal person, whether public or private, in Colombian territory or abroad, shall be registered in the NRDB. Registration is also required where Colombian law applies to the data controller or data processor under an international law or treaty. Registration is mandatory for data controllers that are either of the following:

  • Companies or nonprofit entities that have total assets valued above 100,000 Tax Value Units (TVU), meaning COP 3.63 billion (USD 1,067,882)[1]
  • Legal persons of public nature

Decree 886 requires each data controller to register each of its databases separately and to distinguish between manual and automated databases. In order to register each database, the data controller or data processor shall provide the following information:

  • Identification information of the data controller, such as: business name, tax identification number, location and contact information
  • Identification details of the data processor, such as: business name, tax identification number, location and contact information
  • Contact channels to grant data subjects rights
  • Name and purpose of the database
  • Form of processing (manual / automated)
  • Security standards
  • Privacy policy

All existing databases were required to be registered by January 31, 2019. Any new database must be registered within two months of its creation.

Any substantial change to any of the abovementioned items shall be updated in the NRDB. Substantial changes are changes to the purposes of the database, the data processors, the channels for handling claims or requests from data subjects, the class or type of personal data, the security measures implemented, the privacy policy and/or the international transfer or transmission of personal data.

Such updates shall be made:

  i. Within the first ten business days of the month following the substantial change, and
  ii. Yearly, between January 2 and March 31 of each year.

Moreover, through the NRDB, data controllers shall report the following:

  1. Claims submitted by data subjects to the data controller and/or data processor during each half of the year. This information shall be registered within the first 15 business days of February and August of each year, covering the previous half-year.
  2. Any security breach affecting a registered database. Such report shall be submitted within the 15 business days following the day on which the data controller became aware of the breach.


Footnote 1: Based on the Tax Value Unit for 2021 (COP 36,308 (approximately USD 11)). The Tax Value Unit is updated yearly by the Colombian tax authority.

Last modified 28 Jan 2021
Data Protection Officers

There is no requirement to appoint a data protection officer in Colombia. Nevertheless, a specific person or designated group within the company must be in charge of personal data matters, and in particular of handling requests made by data subjects.

Last modified 28 Jan 2021
Collection & Processing

The processing of financial data, credit records and commercial information, collected in Colombia or abroad, does not require authorization from the data subject. This information may only be disclosed to:

  • The data subject or authorized third parties, pursuant to the procedure established by law
  • The Users of the Data
  • Any judicial or jurisdictional authority upon request
  • Any control or administrative authority, when an investigation is ongoing
  • Other data operators, either with the data subject's authorization or, where no authorization is needed, when the destination database has the same purpose as, or a purpose that encompasses, that of the operator disclosing the data

By contrast, Law 1581 requires the data subject's authorization for the data controller to process private and semi-private personal data. To be valid, the authorization must be given before the processing and must be informed, meaning that the data subject must know the exact purposes for which the data will be processed. Decree 1377 requires the following:

  • Personal data shall only be collected and processed in accordance with the purposes authorized by the data subject.
  • Such authorization may be obtained by any means, provided that a record of it is kept that can be consulted later.

Authorization is not required when:

  • The information is demanded by a public or administrative entity by means of a judicial order or exercising its legal duties.
  • It is public data.
  • A medical or health emergency requires the processing.
  • The processing is authorized by law for historical, statistical or scientific purposes.
  • The data relates to the civil registry of persons (for example, birth certificates).

Regarding sensitive data, Section 6 of Decree 1377 states that the data controller shall do the following: 

  • Expressly inform to the data subject that he or she is not compelled to provide sensitive data, and
  • Obtain his / her prior and express consent prior to the sensitive data processing

In no case may silence be treated as a valid means of obtaining authorization for the processing of personal or sensitive data.

Furthermore, when collecting personal data of children the data controller and the data processor shall ensure that personal data processed serves and respects the children’s superior interests and guarantees their fundamental rights. For these purposes, the authorization for processing a child’s data shall be provided by his or her legal representative.

Privacy policy and privacy notice

Decree 1377 establishes the obligation for data controllers to develop a privacy policy that governs personal data processing and ensures regulatory compliance. For this reason, privacy policies are mandatory for all data controllers and shall be clearly written; Spanish is recommended. Finally, according to the Decree 1377, the minimum requirements for the privacy policy are:

  • Name, address, email and phone number of the data controller
  • Processes and handling of data and the purpose of such processing
  • Rights of the data subject
  • Individual or department within the data controller that is responsible for the attention to requests, consultations and claims to update, rectify or suppress data and to revoke authorization
  • Procedure to exercise the abovementioned rights, and
  • Date of creation and effective date

The privacy notice is a verbal or written communication from the data controller to the data subject, issued in connection with the processing of the data subject's personal data. It informs the data subject of the data controller's privacy policy, how to access it and the purposes of the processing.

Last modified 28 Jan 2021
Transfer

Under Law 1581, a transfer of personal data occurs when a data controller or data processor located in Colombia sends personal data to a recipient, in Colombia or abroad, that is itself responsible for the data, i.e. a data controller.

Cross-border data transfer is prohibited unless the country where the data will be transferred meets at least the same data privacy and protection standards as those in Colombian regulation. In this regard, adequate levels of data protection will be determined in accordance with the standards set by the SIC. 

This prohibition does not apply in the following cases: 

  • When the data subject has expressly consented to the cross-border transfer of data
  • Exchange of medical data
  • Bank or stock transfers
  • Transfers agreed under international treaties to which Colombia is a party
  • Transfers necessary for the performance of a contract between the data subject and the controller, or for the implementation of pre-contractual measures, provided the data owner consented, and
  • Transfers legally required in order to safeguard the public interest

Therefore, the data controller requires the authorization of the data subject for transferring the personal data abroad, unless such transfer is to one of the following countries which, according to the SIC, meet the standard of data protection and security levels. 

Authorized countries for international transfer of personal data

  • Albania
  • Argentina
  • Austria
  • Belgium
  • Bulgaria
  • Canada
  • Costa Rica
  • Croatia
  • Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Iceland
  • Ireland
  • Italy
  • Japan
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • Mexico
  • Netherlands
  • New Zealand
  • Norway
  • Perú
  • Poland
  • Portugal
  • Republic of Korea
  • Romania
  • Serbia
  • Slovakia
  • Slovenia
  • Spain
  • Sweden
  • Switzerland
  • United States
  • United Kingdom
  • Uruguay

The SIC also considers that personal data may be transferred to any country that the European Commission has found to provide an adequate level of protection.

Transmission of personal data 

The transmission of personal data takes place when the data controller provides personal data to a data processor, in Colombia or abroad, so that the data processor can process the personal data on behalf of the data controller. The data subject's consent is required for the transmission of data unless an adequate data transmission agreement is in place between the data controller and the data processor.

In this regard, Decree 1377 requires that the aforementioned agreement include the following clauses:

  1. The extent and limitations of the data treatment
  2. The activities that the data processor will perform on behalf of the data controller, and
  3. The obligations the data processor has to data subjects and the data controller 

The data processor has three additional obligations when processing personal data: 

  • Process data according to the legal principles established in Colombian law
  • Guarantee the safety and security of the databases
  • Maintain strict confidentiality of the personal data  

A data controller that transmits data to a data processor must identify the data processor in the NRDB for each database transmitted. Finally, the data processor must process the personal data in accordance with the data controller's privacy policy and the authorization given by the data subject.

Last modified 28 Jan 2021
Security

Data controllers have a legal duty to keep the information under their control under strict security measures. They shall ensure that such information is not manipulated or modified without the authorization of the data subject. To that end, the data controller shall adopt an information security policy that prevents unauthorized access to, and the damage or loss of, information, including personal data.

Last modified 28 Jan 2021
Breach Notification

Under sections 17 and 18 of Law 1581, both the data controller and the data processor shall notify the authority (SIC) of any breach of security codes and of any risk in the administration of data subjects' information. Breaches affecting registered databases are also reported through the NRDB within 15 business days of the data controller becoming aware of them (see the registration rules above).

Last modified 28 Jan 2021
Enforcement

Since privacy and the proper handling of personal data are fundamental constitutional rights in Colombia, every citizen is entitled to seek protection before any Colombian judge via a constitutional action (acción de tutela). Any judge may order a private or public entity to modify, rectify, secure or delete personal data kept under conditions that violate constitutional rights. A constitutional action must be resolved, and the order issued, within ten days, and failure to comply may result in the imprisonment of the violating entity's legal representative.

Section 269F of the Colombian Criminal Code provides that anyone who, without authorization and seeking gain for themselves or a third party, obtains, compiles, removes, offers, sells, exchanges, sends, purchases, intercepts, discloses, modifies or uses personal codes or data contained in databases or similar platforms is punishable by 48 to 96 months of imprisonment and a fine of approximately USD 26,700 to USD 267,000.

Finally, since the SIC is both an administrative and a jurisdictional authority, it may investigate (as mentioned above), request information, initiate actions against private entities, impose fines of up to approximately USD 534,000, and order the temporary or permanent closure of the company, entity or business.

Last modified 28 Jan 2021
Electronic Marketing

Law 527 of 1999 (Law 527) regulates e-commerce and electronic marketing, but there is no specific regulation on data privacy in electronic marketing. In any case, the data subject's authorization is required for any type of marketing, whether electronic or otherwise, and any processing of personal data for this purpose must comply with Law 1581.

Last modified 28 Jan 2021
Online Privacy

There is no specific regulation regarding processing of personal data online, therefore, this kind of processing shall be ruled by Law 1581.

Personal data must not be available online unless there are adequate security measures to ensure that access by any unauthorized user is restricted.

The use of cookies on web pages is not permitted unless the data subject has authorized it; the authorization may be obtained through a pop-up that informs the user about the privacy policy and how to disable cookies. All other tracking systems likewise require proper authorization from the data subject.
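The consent-gated cookie handling described above, written out as an added example in JavaScript. This is illustrative code, not part of the DLA Piper page and not code from any named product. It models three rules stated on this page: non-essential cookies are set only after an authorization recorded from the pop-up, the authorization record is kept so that it can be consulted later, and a pop-up that was closed or ignored counts as no authorization at all. The cookie categories, the POLICY_VERSION string and the in-memory Map stores are assumptions; the user identifiers and cookie names are constructed sample data.

```javascript
// Added example, not code from the DLA Piper page: a consent gate that sets
// non-essential cookies only after an explicit choice recorded from the pop-up.
// Cookie categories, POLICY_VERSION and the Map-backed stores are assumptions;
// a real site would back them with document.cookie and a server-side record.

const POLICY_VERSION = "2021-01-28"; // assumed version of the policy shown in the pop-up

// Assumed categories. "essential" covers cookies needed to serve the page at
// all and is the only category allowed without a recorded authorization.
const CATEGORIES = ["essential", "analytics", "marketing"];

function createConsentGate(consentStore = new Map(), cookieJar = new Map()) {
  // Record an explicit choice from the pop-up. The record keeps which policy
  // version the user saw and when, so the authorization can be consulted later.
  function recordChoice(userId, { accepted, policyVersion, timestamp }) {
    if (!accepted || typeof accepted !== "object") {
      throw new TypeError("an explicit choice object is required");
    }
    const granted = CATEGORIES.filter((c) => c === "essential" || accepted[c] === true);
    const record = { granted, policyVersion, timestamp, source: "popup" };
    consentStore.set(userId, record);
    return record;
  }

  // Categories currently authorized for a user. No record (pop-up closed or
  // ignored) or a record for an outdated policy means no authorization:
  // silence is not consent, so only essential cookies remain allowed.
  function consentFor(userId) {
    const rec = consentStore.get(userId);
    if (!rec || rec.policyVersion !== POLICY_VERSION) return ["essential"];
    return rec.granted;
  }

  // Set a cookie only if its category is covered by the recorded authorization.
  function setCookie(userId, name, value, category) {
    if (!CATEGORIES.includes(category)) throw new RangeError(`unknown category: ${category}`);
    if (!consentFor(userId).includes(category)) return false;
    cookieJar.set(`${userId}:${name}`, { value, category });
    return true;
  }

  // Revoking authorization for a category also deletes the cookies that relied on it.
  function revoke(userId, category) {
    const rec = consentStore.get(userId);
    if (rec) rec.granted = rec.granted.filter((c) => c !== category);
    for (const [key, cookie] of cookieJar) {
      if (key.startsWith(`${userId}:`) && cookie.category === category) cookieJar.delete(key);
    }
  }

  // Names of the cookies currently set for a user, sorted for stable comparison.
  function cookies(userId) {
    const prefix = `${userId}:`;
    return [...cookieJar.keys()]
      .filter((k) => k.startsWith(prefix))
      .map((k) => k.slice(prefix.length))
      .sort();
  }

  return { recordChoice, consentFor, setCookie, revoke, cookies };
}

// Walk-through on constructed data: alice ignored the pop-up, bob accepted
// analytics only, carol's recorded choice predates the current policy version.
function demo() {
  const gate = createConsentGate();

  const aliceAnalytics = gate.setCookie("alice", "_ga", "GA1.2.1", "analytics"); // refused: no record
  gate.setCookie("alice", "session", "abc", "essential"); // allowed without authorization

  gate.recordChoice("bob", {
    accepted: { analytics: true, marketing: false },
    policyVersion: POLICY_VERSION,
    timestamp: "2021-02-01T10:00:00Z",
  });
  gate.setCookie("bob", "session", "def", "essential");
  const bobAnalytics = gate.setCookie("bob", "_ga", "GA1.2.2", "analytics"); // allowed
  const bobMarketing = gate.setCookie("bob", "_fbp", "fb.1", "marketing"); // refused

  gate.recordChoice("carol", {
    accepted: { analytics: true, marketing: true },
    policyVersion: "2019-06-01", // older policy: the user must be asked again
    timestamp: "2019-07-15T09:30:00Z",
  });
  const carolAnalytics = gate.setCookie("carol", "_ga", "GA1.2.3", "analytics"); // refused

  gate.revoke("bob", "analytics"); // bob withdraws authorization; his _ga cookie is removed

  return {
    aliceAnalytics,
    aliceCookies: gate.cookies("alice"),
    bobAnalytics,
    bobMarketing,
    bobCookies: gate.cookies("bob"),
    bobConsent: gate.consentFor("bob"),
    carolAnalytics,
  };
}
```

`demo()` returns the outcomes of the walk-through: alice's analytics cookie is refused and only her essential session cookie exists, bob's `_ga` is set and then removed again when he revokes, and carol's record for an older policy version is treated as no authorization until she is asked again. The timestamp and policy version kept in each record are what a controller would produce when asked to show that authorization was obtained.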

Last modified 28 Jan 2021
Maria Claudia Martinez Beltrán
DLA Piper Martinez Beltrán
T +57 3174720
Daniela Huertas
Junior Associate
DLA Piper Martinez Beltrán
T +57 3174720