DLA Piper Intelligence

Data Protection
Laws of the World

Collection & Processing

Under Law 1266, the processing of financial data, credit records and commercial information, collected in Colombia or abroad, does not require authorization from the data subject. This information may only be disclosed to:

  • The data subject or authorized third parties, pursuant to the procedure established by law
  • The Users of the Data
  • Any judicial or jurisdictional authority upon request
  • Any control or administrative authority, when an investigation is ongoing
  • Other data operators, either with the data subject’s authorization or, where no authorization is required, when the receiving database has the same purpose as, or a purpose that encompasses that of, the disclosing operator

By contrast, Law 1581 requires the authorization of the data subject in order for the data controller to process private and semi-private personal data. For the authorization to be valid it must be given prior to the data processing and must be informed, meaning that the data subject must be aware of the exact purposes for which the data will be processed. Decree 1377 requires the following:

  • Personal data shall only be collected and processed in accordance with the purposes authorized by the data subject.
  • Such authorization may be obtained by any means that can be consulted later, ie, one that leaves a retrievable record of the consent given.

Authorization is not required when:

  • The information is demanded by a public or administrative entity by means of a judicial order or exercising its legal duties.
  • It is public data.
  • A medical or sanitary emergency requires the personal data processing.
  • The data processing is authorized by law for historical, statistical or scientific purposes.
  • The data is related to people’s birth certificates.

Regarding sensitive data, Section 6 of Decree 1377 states that the data controller shall do the following: 

  • Expressly inform the data subject that he or she is not compelled to provide sensitive data, and
  • Obtain the data subject’s express consent before any processing of sensitive data takes place

In no case may silence be treated as a valid means of obtaining authorization for the processing of personal or sensitive data.

Furthermore, when collecting personal data of children the data controller and the data processor must ensure that the processing serves and respects the children’s best interests and guarantees their fundamental rights. For these purposes, the authorization for processing a child’s data must be given by his or her legal representative.

Privacy policy and privacy notice

Decree 1377 obliges data controllers to adopt a privacy policy that governs their personal data processing and ensures regulatory compliance. Privacy policies are therefore mandatory for all data controllers and must be clearly written; Spanish is recommended. According to Decree 1377, the minimum contents of the privacy policy are:

  • Name, address, email and phone number of the data controller
  • Processes and handling of data and the purpose of such processing
  • Rights of the data subject
  • Individual or department within the data controller that is responsible for the attention to requests, consultations and claims to update, rectify or suppress data and to revoke authorization
  • Procedure to exercise the abovementioned rights, and
  • Date of creation and effective date

The privacy notice is a verbal or written communication from the data controller to the data subject, issued in connection with the processing of the data subject’s personal data. It informs the data subject of the controller’s privacy policy, how to access it, and the purposes of the processing.

Last modified 28 Jan 2021

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

  • processed lawfully, fairly and in a transparent manner (the "lawfulness, fairness and transparency principle");
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the "purpose limitation principle");
  • adequate, relevant and limited to what is necessary in relation to the purpose(s) (the "data minimization principle");
  • accurate and where necessary kept up-to-date (the "accuracy principle");
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the "storage limitation principle"); and
  • processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the "integrity and confidentiality principle").

The controller is responsible for and must be able to demonstrate compliance with the above principles (the "accountability principle"). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record-keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known as lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

  • with the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous", and must be capable of being withdrawn at any time);
  • where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
  • where necessary to comply with a legal obligation (under EU or Member State law) to which the controller is subject;
  • where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited to 'life or death' scenarios, such as medical emergencies);
  • where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or
  • where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

  • with the explicit consent of the data subject;
  • where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;
  • where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;
  • in limited circumstances by certain not-for-profit bodies;
  • where processing relates to the personal data which are manifestly made public by the data subject;
  • where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their legal capacity;
  • where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;
  • where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services;
  • where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or
  • where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organisations wish to 're-purpose' personal data - ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation. To ensure that the rights of data subjects are protected, the GDPR sets out a series of factors that the controller must consider to ascertain whether the new processing is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

  • any link between the original purpose and the new purpose
  • the context in which the data have been collected
  • the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible)
  • the possible consequences of the new processing for the data subjects
  • the existence of appropriate safeguards, which may include encryption or pseudonymization.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

  • the identity and contact details of the controller;
  • the data protection officer's contact details (if there is one);
  • both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
  • the recipients or categories of recipients of the personal data;
  • details of international transfers;
  • the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
  • the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
  • where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
  • the consequences of failing to provide data necessary to enter into a contract;
  • the existence of any automated decision making and profiling and the consequences for the data subject; and
  • in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two months where requests are complex or numerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure ('right to be forgotten') (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, the data subject has the right to receive, or have transmitted to another controller, all personal data concerning him or her in a structured, commonly used and machine-readable format (eg, commonly used file formats recognized by mainstream software applications, such as CSV or .xls files).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) "which produces legal effects concerning [the data subject] … or similarly significantly affects him or her" is only permitted where: 

  1. necessary for entering into or performing a contract;
  2. authorized by EU or Member State law; or 
  3. the data subject has given their explicit (ie, opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds 1 or 3 above, the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

Germany’s Federal Data Protection Act (Bundesdatenschutzgesetz – ‘BDSG’) has additional rules regarding the processing of special categories of personal data. By way of derogation from Art. 9 (1) GDPR, processing of such data by public and private bodies is permitted in certain cases (see Sec. 22 (1) and 26 (3) BDSG). Sec. 24 BDSG also determines cases in which controllers are permitted to process data for a purpose other than the one for which the data were collected.

Sec. 4 BDSG provides a special rule for video surveillance of publicly accessible areas. According to the German DPAs, the German Federal Administrative Court (Bundesverwaltungsgericht – ‘BVerwG’) and the near-unanimous opinion in German legal literature, the provision is not compliant with the GDPR insofar as it regulates surveillance by private bodies (Sec. 4 (1) nos. 2 and 3 BDSG), because the GDPR contains no opening clause on which these deviations from Art. 6 (1) GDPR could be based.

Furthermore, the BDSG provides special rules regarding processing for employment-related purposes in Sec. 26 BDSG. The German legislator has made very broad use of the opening clause in Art. 88 (1) GDPR and has essentially established a specific employee data protection regime. These rules reflect the pre-existing German employee privacy rules, which also means that the established case law of the German Federal Labour Court (Bundesarbeitsgericht – ‘BAG’) will continue to apply. Where processing is conducted for employment-related purposes it is subject to Sec. 26 BDSG only, and recourse to the general legal grounds set out in Art. 6 GDPR is blocked. Setting aside some very specific cases under the BDSG (the assessment of an employee’s working capacity, other processing of special categories of data, and the exchange of data with the works council), personal data of employees may only be processed in the employment context in the following cases:

  • The processing is necessary for hiring decisions or, after hiring, for carrying out or terminating the employment contract (Sec. 26 (1) sentence 1 BDSG) (please note that the BAG interprets the predecessor provision more broadly than Art. 6 (1) (b) GDPR)

  • Employees’ personal data may be processed to detect criminal offenses only if there is a documented reason to believe the data subject has committed such an offense while employed, the processing of such data is necessary to investigate the offense and is not outweighed by the data subject’s legitimate interest in not processing the data, and in particular the type and extent are not disproportionate to the reason (Sec. 26 (1) sentence 2 BDSG)

  • The processing is based on a works council agreement which complies with the requirements set out in Art. 88 (2) GDPR (Sec. 26 (4) BDSG)

  • The processing is based on the employee’s consent in written or electronic form. A derogation from this form requirement can apply if a different form is appropriate because of special circumstances (but this derogation will rarely apply in practice). Moreover, relying on consent as a basis for processing is particularly problematic in Germany, as Sec. 26 (2) BDSG stipulates requirements in addition to those of Art. 7 GDPR. If personal data of employees are processed on the basis of consent, the employee’s level of dependence in the employment relationship and the circumstances under which consent was given must be taken into account in assessing whether such consent was freely given. Consent may be freely given in particular if it is associated with a legal or economic advantage for the employee, or if the employer and employee are pursuing the same interests. The German DPAs interpret this provision to mean that employee consent cannot be used for processing of personal data which directly relates to the employment relationship, but only for supplementary services offered by the employer (eg, private use of company cars or IT equipment, occupational health management or birthday lists).

Notwithstanding the above, processing of employee personal data for purposes that are not specifically related to employment as such can still be based on Art. 6 (1) GDPR. In particular, controllers that are part of a group of companies may be able to base transfers of data within the group for internal administrative purposes on their legitimate interests in accordance with Art. 6 (1) (f) GDPR (as stated in Recital 48 of the GDPR).

Last modified 12 Jan 2021
Law
Colombia

Colombia recognizes two fundamental personal data rights under Articles 15 and 20 of its Constitution: the right to privacy and the right to data rectification. Personal data processing is further regulated by two statutory laws and several decrees that set out data protection obligations.

Statutory Law 1266 of 2008 (Law 1266) regulates the processing of financial data, credit records and commercial information collected in Colombia or abroad. Law 1266 defines general terms on habeas data and establishes basic data processing principles, data subject rights, data controller obligations and specific rules for financial data.

Law 1266 defines the terms Data Subject, Data Source, User of Data and Data Operator as follows:

  • ‘Data Subject’ is the owner of the information;
  • ‘Data Source’ is a person or entity who receives or collects the information by virtue of a commercial relationship with the Data Subject and shares this information with the Data Operator;
  • ‘User of Data’ is a person or entity who accesses databases and uses the information gathered by the Data Operator;
  • ‘Data Operator’ is a person or entity who manages a database with information provided by the Data Sources and shares it with Users of Data, under the rules provided by Law 1266. The most common examples of Data Operators are credit bureaus.

Law 1266 sets out the rules and conditions under which Data Sources may share information with Data Operators, and under which Data Operators may manage and share that information with Users of Data. The law treats the management of financial, credit, commercial and services information favourably, on the basis that it supports financial and credit activity, which is regarded as an activity of public interest.

Furthermore, Statutory Law 1581 of 2012 (Law 1581) regulates all other personal data processing, as well as databases. Law 1581 defines special categories of personal data, including sensitive data and data collected from minors. Under the law a ‘Data Controller’ is a legal or natural person responsible for data treatment, or processing, and a ‘Data Processor’ is a legal or natural person in charge of personal data processing. The Data Controller creates databases on its own or in association with others, while the Data Processor processes personal data on behalf of the Data Controller. An entity may be both Controller and Processor of personal data.

The law further regulates how authorization to process personal data is obtained and the procedures for data processing. It also creates the National Register of Data Bases (NRDB).

Law 1581 is applicable to all data collection and processing in Colombia, except data regulated under Law 1266 and certain other types of data or regulated industries. The law is further applicable in any case where a data processor or controller is required to apply Colombian law under international treaties.

Law 1581 does not regulate:

  • Databases regulated under Law 1266;
  • Personal or domestic databases;
  • Databases aimed to protect and guarantee national security, prevent money laundering and terrorism financing;
  • Intelligence and counter-intelligence agency databases;
  • Databases with journalistic information and editorial content; and
  • Databases regulated under Law 79 of 1993 (on population census).

Law 1581 further requires Data Controllers and Data Processors to guarantee that personal data: is maintained pursuant to strict security measures and confidentiality standards, will not be modified or disclosed without the data subject’s consent, and will only be used for purposes identified in a privacy policy or notice.

Decree 1377 of 2013 (Decree 1377) is a piece of secondary regulation implementing Law 1581 which addresses, among other matters, the scope of exempt personal or domestic databases, the authorization required for the collection and use of personal data, limitations on data processing, cross-border transfers of databases and privacy notices. This Decree also requires controllers and processors to adopt a privacy policy and privacy notice.

Decree 886 of 2014 (Decree 886) and Decree 090 of 2018 (Decree 090), issued by the Ministry of Commerce, Industry and Tourism, as well as Resolution 090 of 2018 issued by the Superintendence of Industry and Commerce, regulate the National Register of Data Bases and set deadlines for the registration of existing databases in Colombia.

Last modified 28 Jan 2021
Definitions

The Colombian data protection regime distinguishes between personal data and a sub-category of sensitive personal data, depending on the information and the harmful effects caused by its unlawful use. Law 1266 and Law 1581 contain particular rules related to sensitive personal data.

Definition of personal data

Under Law 1266, personal data is defined as any information related to or that may be associated with one or several determined or determinable natural or legal persons. Personal data is further classified as public, private or semi-private. Public data is data available to the public based on a legal or constitutional mandate. Private data is data that, because of its intimate or reserved nature, is relevant only to the data subject. Semi-private data is data that is neither intimate, reserved nor public, and whose disclosure may be of interest not only to the data subject but also to a particular sector or group, or to society in general; financial and credit data is the main example.

Under Law 1581, personal data is defined as any information related to, or that may be related to, one or several determined or determinable individuals, meaning natural persons only. 

Definition of sensitive personal data

Under Law 1266, sensitive personal data is defined as data that due to its sensitivity is only relevant to its owner. 

Under Law 1581, sensitive personal data is any data that affects its owner’s intimacy or whose improper use might cause discrimination. Data that reveals any of the following information is considered sensitive data, and its processing is prohibited by law except in the cases set out further below:

  • Ethnic or racial origin
  • Political orientation
  • Religious or philosophic convictions
  • Membership in labor unions, human right groups or social organizations
  • Membership in any group that promotes any political interest or that promotes the rights of opposition parties
  • Information regarding health and sexual life, and
  • Biometric data

Sensitive data shall only be processed:

  • With a special and specific authorization given by the data subject
  • When it is necessary to preserve the data subject’s life, or a vital interest and such data subject is physically or legally unable to provide authorization
  • When the data is processed in the course of legitimate activities, with all necessary security measures, by an NGO, an association or any other kind of nonprofit entity, in which case the entity still needs the data subject’s authorization before disclosing the data to third parties
  • When the data is related to or fundamental to the exercise of a right in the context of a trial or any judicial procedure, or
  • When the data has a historic, statistical or scientific purpose, in which case the identity of the data subject must not be disclosed
Last modified 28 Jan 2021
Authority

According to Law 1266, there are two different authorities on data protection and data privacy matters. The first, which acts as the general authority, is the Superintendence of Industry and Commerce (SIC). The second is the Superintendence of Finance (SOF), which supervises financial institutions, credit bureaus and other entities that manage financial data or credit records and verifies compliance with Law 1266.

Under Law 1581, by contrast, the SIC is the sole and highest authority in personal data protection and data privacy. It is empowered to investigate and impose penalties on companies for the inappropriate collection, storage, use, transfer and deletion of personal data.

Last modified 28 Jan 2021
Registration

Law 1581 created the National Register of Data Bases (NRDB). Databases that store personal data and whose automated or manual processing is carried out by a natural or legal person, whether public or private in nature, in the Colombian territory or abroad, shall be registered in the NRDB. Database registration is also required if Colombian law is applicable to the data controller or data processor in accordance with an International Law or Treaty. Registration is mandatory for data controllers that are either of the following:

  • Companies or nonprofit entities that have total assets valued above 100,000 Tax Value Units (TVU), meaning COP 3.63 billion (USD 1,067,882)[1]
  • Legal persons of public nature

Decree 886 states that each data controller must register each of its databases separately and must distinguish between manual and automated databases. In order to register each database, the data controller or data processor must provide the following information:

  • Identification information of the data controller, such as: business name, tax identification number, location and contact information
  • Identification details of the data processor, such as: business name, tax identification number, location and contact information
  • Contact channels to grant data subjects rights
  • Name and purpose of the database
  • Form of processing (manual / automated)
  • Security standards
  • Privacy policy

Existing databases had to be registered by January 31, 2019. Any new database must be registered within two months of its creation.

Any substantial change to any of the abovementioned items must be updated in the National Register of Data Bases. For this purpose, substantial changes are any changes to the purposes of the database, the data processors, the channels for handling claims or requests from data subjects, the class or type of personal data, the security measures implemented, the privacy policy, and/or the international transfer or transmission of personal data.

Such updates must be made:

       i. within the first 10 days of the month following the month in which the substantial change was made, and

       ii. yearly, between January 2 and March 31 of each year.

Moreover, through the National Register of Data Bases, data controllers shall inform of the following:

  1. Any claims submitted by data subjects to the data controller and/or data processor during each semester of the year. This information must be registered within the first 15 business days of February and August of each year, covering the previous semester.
  2. Any security breach affecting a registered database. The report must be submitted within 15 business days of the day on which the data controller became aware of the breach.

Footnotes

Footnote 1: Based on the Tax Value Unit for 2021 (COP 36,308 (approximately USD 11)). The Tax Value Unit is updated yearly by the Colombian tax authority.

Last modified 28 Jan 2021
Data Protection Officers

There is no requirement to appoint a data protection officer in Colombia. Nevertheless, it is required for a specific person in the company or a designated group within the company to be in charge of personal data matters, specifically any request made by the Data Subjects.

Last modified 28 Jan 2021
Collection & Processing

The processing of financial data, credit records and commercial information, collected in Colombia or abroad, does not require authorization from the data subject. This information may only be disclosed to:

  • The data subject or authorized third parties, pursuant to the procedure established by law
  • The Users of the Data
  • Any judicial or jurisdictional authority upon request
  • Any control or administrative authority, when an investigation is ongoing
  • Other data processors, either with the data subject's authorization or, where no authorization is needed, when the receiving database pursues the same purpose or involves an activity that falls within the purpose of the disclosing data processor

By contrast, Law 1581 requires the authorization of the data subject for the data controller to process private and semi-private personal data. For the authorization to be valid it shall be obtained prior to the data processing and be informed, meaning that the data subject shall be aware of the exact purposes for which the data will be processed. Decree 1377 requires the following:

  • Personal data shall only be collected and processed in accordance with the purposes authorized by the data subject.
  • Such authorization shall be obtained by any means, provided that it allows subsequent consultation.   

Authorization is not required when:

  • The information is demanded by a public or administrative entity by means of a judicial order or exercising its legal duties.
  • It is public data.
  • A medical or sanitary urgency demands the personal data processing. 
  • The data processing is authorized by law for historical, statistical or scientific purposes.
  • The data is related to people’s birth certificates.

Regarding sensitive data, Section 6 of Decree 1377 states that the data controller shall do the following: 

  • Expressly inform the data subject that he or she is not compelled to provide sensitive data, and
  • Obtain his or her express consent prior to the processing of the sensitive data

In no case shall silence be deemed a valid means of obtaining authorization for the processing of personal or sensitive data.

Furthermore, when collecting personal data of children, the data controller and the data processor shall ensure that the processing serves and respects the children's best interests and guarantees their fundamental rights. For these purposes, the authorization for processing a child's data shall be given by his or her legal representative.

Privacy policy and privacy notice

Decree 1377 establishes the obligation for data controllers to adopt a privacy policy that governs personal data processing and ensures regulatory compliance. Privacy policies are therefore mandatory for all data controllers and shall be clearly written; Spanish is recommended. According to Decree 1377, the minimum contents of the privacy policy are:

  • Name, address, email and phone number of the data controller
  • Processes and handling of data and the purpose of such processing
  • Rights of the data subject
  • Individual or department within the data controller that is responsible for the attention to requests, consultations and claims to update, rectify or suppress data and to revoke authorization
  • Procedure to exercise the abovementioned rights, and
  • Date of creation and effective date

The privacy notice is a verbal or written communication from the data controller to the data subject about the processing of his or her personal data. It informs the data subject of the data controller's privacy policies, how to access them and the purposes of the processing.

Transfer

Per Law 1581, a transfer of personal data occurs when a data controller or data processor located in Colombia sends personal data to a recipient, in Colombia or abroad, who is itself responsible for the personal data, i.e., a data controller.

Cross-border data transfer is prohibited unless the country where the data will be transferred meets at least the same data privacy and protection standards as those in Colombian regulation. In this regard, adequate levels of data protection will be determined in accordance with the standards set by the SIC. 

This prohibition does not apply in the following cases: 

  • When the data subject has expressly consented to the cross-border transfer of data
  • Exchange of medical data
  • Bank or stock transfers
  • Transfers agreed under international treaties to which Colombia is a party
  • Transfers necessary for the performance of a contract between the data subject and the controller, or for the implementation of pre-contractual measures, provided the data subject consented, and
  • Transfers legally required in order to safeguard the public interest

Therefore, the data controller requires the authorization of the data subject to transfer personal data abroad, unless the transfer is to one of the following countries which, according to the SIC, meet adequate data protection and security standards.

Authorized countries for international transfer of personal data

  • Albania
  • Argentina
  • Austria
  • Belgium
  • Bulgaria
  • Canada
  • Costa Rica
  • Croatia
  • Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Iceland
  • Ireland
  • Italy
  • Japan
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • Mexico
  • Netherlands
  • New Zealand
  • Norway
  • Perú
  • Poland
  • Portugal
  • Republic of Korea
  • Romania
  • Serbia
  • Slovakia
  • Slovenia
  • Spain
  • Sweden
  • Switzerland
  • United States
  • United Kingdom
  • Uruguay

The SIC also considers that personal data may be transferred to any country which the European Commission considers to meet its standard for adequate levels of protection.

Transmission of personal data 

The transmission of personal data takes place when the data controller provides personal data to a data processor, in Colombia or abroad, so that the data processor can process it on behalf of the data controller. The data subject's consent is required for the transmission unless an adequate data transmission agreement is in place between the data controller and the data processor.

In this regard, Decree 1377 requires that the aforementioned agreement include the following clauses:

  1. The scope and limits of the data processing
  2. The activities that the data processor will perform on behalf of the data controller, and
  3. The obligations the data processor has to data subjects and the data controller 

The data processor has three additional obligations when processing personal data: 

  • Process data according to the legal principles established in Colombian law
  • Guarantee the safety and security of the databases
  • Maintain strict confidentiality of the personal data  

The data controller that transmits data to a data processor must identify the data processor in the National Database Register for each database transmitted. Finally, the data processor must process the personal data in accordance with the data controller’s privacy policy and the authorization given by the data subject.

Security

Data controllers have the legal duty to guarantee that the information under their control is kept under strict security measures, and shall ensure that such information is not manipulated or modified without the data subject's authorization. To that end, the data controller shall adopt an information security policy that prevents unauthorized access to, and damage or loss of, information, including personal data.

Breach Notification

Under sections 17 and 18 of Law 1581, both the data controller and the data processor shall notify the authority (SIC) of any breach of security, security risk or risk in the administration of the data.

Enforcement

Since privacy and the proper handling of personal data are fundamental constitutional rights in Colombia, every citizen is entitled to seek protection before any Colombian judge via a constitutional action. Any judge may order a private or public entity to modify, rectify, secure or delete personal data if it is kept under conditions that violate constitutional rights. Constitutional actions can take up to ten days to be resolved and an order issued, and failure to comply may result in imprisonment of the legal representative of the violating entity.

The Criminal Code of Colombia provides in section 269F that anyone who, without authorization and for personal or third-party gain, obtains, compiles, removes, offers, sells, exchanges, sends, purchases, intercepts, divulges, modifies or uses personal codes or data contained in databases or similar media is punishable by 48 to 96 months of imprisonment and a fine of approximately USD 26,700 to USD 267,000.

Finally, since the SIC is both an administrative and a jurisdictional authority, it may investigate (as mentioned above), request information, initiate actions against private entities, impose fines of up to approximately USD 534,000, and order the temporary or permanent closure of the company, entity or business.

Electronic Marketing

Law 527 of 1999 (Law 527) regulates e-commerce and electronic marketing, but there is no specific regulation on data privacy in electronic marketing. In any case, the data subject's authorization is required for all types of marketing, whether electronic or otherwise, and any processing of personal data for this purpose shall comply with Law 1581.

Online Privacy

There is no specific regulation on the processing of personal data online; such processing is therefore governed by Law 1581.

Personal data must not be available online unless there are adequate security measures to ensure that access by any unauthorized user is restricted.

The use of cookies on web pages is forbidden unless the data subject has authorized it; the authorization may be obtained through a pop-up that informs the user about the privacy policy and how to disable cookies. All other tracking systems likewise need proper authorization from the data subject.
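As an added illustration (not code from this page or from DLA Piper), the following consent gate shows how a site can honour the rule above: strictly necessary cookies are set freely, every other cookie is refused until the user gives an express decision in the pop-up, silence is not treated as authorization, and the decision is recorded together with the policy version and time so it can be consulted later. The cookie names, policy URL, policy version and the in-memory cookie jar (used in place of document.cookie so the example runs outside a browser) are assumptions made for the example.

```javascript
const POLICY_URL = "https://example.com/privacy";   // assumed privacy-policy location
const POLICY_VERSION = "2021-01";                    // assumed version of the policy text shown

// Cookies the site cannot function without may be set before any decision;
// everything else waits for an express, recorded authorization. Names are assumed.
const STRICTLY_NECESSARY = new Set(["session_id", "csrf_token"]);

function createCookieGate(jar = new Map()) {
  // null means the user has not answered the notice yet. Silence never counts as consent.
  let consent = null;
  const refused = [];

  // Text for the pop-up: which policy applies, where to read it, and how to withdraw.
  function noticeText() {
    return `This site uses cookies for analytics and marketing. Privacy policy (v${POLICY_VERSION}): ${POLICY_URL}. ` +
      `Choose "Accept" or "Reject"; you can change your choice at any time in Cookie settings ` +
      `or by deleting cookies in your browser.`;
  }

  // Record an express decision with what is needed to consult it later:
  // the decision, the policy version that was shown, when, and through which channel.
  function decide(decision, source = "banner") {
    if (decision !== "accept" && decision !== "reject") {
      throw new Error(`not an express decision: ${decision}`);
    }
    consent = { decision, policyVersion: POLICY_VERSION, recordedAt: new Date().toISOString(), source };
    if (decision === "reject") {
      // Refusal or withdrawal: purge any non-essential cookie already present.
      for (const name of [...jar.keys()]) {
        if (!STRICTLY_NECESSARY.has(name)) jar.delete(name);
      }
    }
    return { ...consent };
  }

  // The single entry point through which the application sets cookies. Non-essential
  // cookies are refused until an "accept" decision exists, and each refusal is kept for audit.
  function setCookie(name, value) {
    const allowed = STRICTLY_NECESSARY.has(name) || (consent !== null && consent.decision === "accept");
    if (allowed) {
      jar.set(name, value);
      return true;
    }
    refused.push({ name, reason: consent === null ? "no decision yet" : "rejected" });
    return false;
  }

  return {
    noticeText,
    decide,
    setCookie,
    getConsent: () => (consent === null ? null : { ...consent }),
    cookies: () => Object.fromEntries(jar),
    refusedAttempts: () => refused.slice(),
  };
}

// Stand-alone run: a tracker cookie is refused before the decision and accepted after it.
const demo = createCookieGate();
demo.setCookie("session_id", "s1");
demo.setCookie("_ga", "tracker");   // refused: no decision yet
demo.decide("accept");
demo.setCookie("_ga", "tracker");   // now allowed
console.log(demo.cookies(), demo.refusedAttempts());
```

In a real deployment the jar would be backed by document.cookie and the consent record by first-party storage or a server-side log, and the "Reject" path should also be reachable from a permanent "Cookie settings" link, which is what the notice text points the user to.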

Contacts
Maria Claudia Martinez Beltrán
Partner
DLA Piper Martinez Beltrán
T +57 3174720
Daniela Huertas
Junior Associate
DLA Piper Martinez Beltrán
T +57 3174720