Data Protection in Colombia

Definitions in Colombia

The Colombian data protection regime distinguishes between personal data and a sub-category of sensitive personal data, depending on the information and the harmful effects caused by its unlawful use. Law 1266 and Law 1581 contain particular rules related to sensitive personal data.

Definition of personal data

Under Law 1266, personal data is defined as any information related to or that may be associated with one or several determined or determinable natural or legal persons. Personal data may also be regarded as public, private or semi-private data. Public data is available to the public based on a legal or constitutional mandate. Private or semi-private data is data that does not have a public purpose, is intimate in nature and the disclosure of which concerns only the data subject.   

Under Law 1581, personal data is defined as any information related to, or that may be related to, one or several determined or determinable individuals, meaning natural persons only. 

Definition of sensitive personal data

Under Law 1266, sensitive personal data is defined as data that due to its sensitivity is only relevant to its owner. 

Under Law 1581, sensitive personal data is any data that affects its owner’s intimacy or whose improper use might cause discrimination. Data that reveals any of the below information is considered sensitive data and its processing is prohibited by law: 

  • Ethnic or racial origin
  • Political orientation
  • Religious or philosophic convictions
  • Membership in labor unions, human right groups or social organizations
  • Membership in any group that promotes any political interest or that promotes the rights of opposition parties
  • Information regarding health and sexual life, and
  • Biometrics

Sensitive personal data shall only be processed:

  • With the Data Subject's special and specific consent
  • If necessary to preserve the data subject’s life, or a vital interest and the Data Subject is physically or legally unable to provide consent
  • If used for a legitimate activity and with all necessary security measures, by an NGO, an association or any kind of nonprofit entity, in which case, the entity will need the Data Subject's consent to provide the sensitve personal data to third parties
  • If such data is related to or fundamental to exercising a right in the context of a trial or any judicial procedure, or
  • If such data has a historic, statistical or scientific purpose, in which case the Data Subject's identity may not be disclosed

Continue reading

  • no results

Previous topic
Back to top