Data Protection in Colombia

Collection and processing in Colombia

The processing of financial data, credit records and commercial information, collected in Colombia or abroad, does not require authorization from the Data Subject. However, this information may only be disclosed to:

  • The Data Subject or authorized third parties, pursuant to the procedure established by law
  • The Users of the Data
  • Any judicial or jurisdictional authority upon request
  • Any control or administrative authority, when an investigation is ongoing
  • Data processors, with the Data Subject’s authorization, or when no authorization is needed , and the database aims for the same objective or involves an activity that may cover the purpose of the disclosing data processor

On the contrary, Law 1581, requires the authorization of the Data Subject for the data controller to process private and semi-private personal data. For the authorization to be valid it must be obtained prior to the data processing and must be "informed", meaning that the data subject must have been made aware of the exact purposes for which the data is being processed. Decree 1377 requires the following:

  • Personal data shall only be collected and processed in accordance with the purposes authorized by the Data Subject.
  • Such authorization may be obtained by any means, provided that it allows subsequent consultation.   

Authorization is not required when:

  • A public or administrative entity demands the information through a judicial order or exercising its legal duties.
  • It is public data.
  • A medical or sanitary urgency requires the processing of personal data. 
  • The data processing is authorized by law for historical, statistical or scientific purposes.
  • The data is related to people’s birth certificates.

Regarding sensitive personal data, Section 6 of Decree 1377 states that the data controller shall do the following: 

  • Expressly inform the Data Subject that he or she is not compelled to provide sensitive personal data
  • Expressly identify what data to be collected and processed is sensitive and
  • Obtain the Data Subject's express consent prior to the processing of their sensitive personal data

In any case, silence is not considered a reasonable means of obtaining authorization for personal data or sensitive personal data processing.

Furthermore, when collecting personal data of children, both the data controller and the data processor shall ensure that personal data processed serves and respects the children’s superior interests and guarantees their fundamental rights. For these purposes, the child's legal representative (parent or guardian) must authorize the processing of their child’s personal data.

Privacy policy and privacy notice

Decree 1377 establishes the obligation for data controllers to develop a privacy policy that governs personal data processing and ensures regulatory compliance. For this reason, privacy policies are mandatory for all data controllers and shall be clearly written; Spanish is recommended. Finally, according to the Decree 1377, the minimum requirements for the privacy policy are:

  • Name, address, email and phone number of the data controller
  • Processes and handling of data and the purpose of such processing
  • Rights of the Data Subject
  • Individual or department within the data controller that is responsible for the attention to requests, consultations and claims to update, rectify or suppress data and to revoke authorization
  • Procedure to exercise the abovementioned rights, and
  • Date of creation and effective date

The privacy notice is a verbal or written communication by the data controller, addressed to the data subject, for processing her/his personal data. In this communication, the data subject is informed about the privacy policies of the data controller, the manner to access them and the purposes of the treatment.

Continue reading

  • no results

Previous topic
Back to top