DLA Piper Intelligence
Data Protection Laws of the World: Colombia

Law

Article 15 of the Colombian Constitution sets forth fundamental rights to intimacy, good name or reputation and data protection.

Law 1266/08 (‘Law 1266’), reviewed by the Colombian Constitutional Court in Decision C 1011/08, regulates the collection, use and transfer of personal information regarding monetary obligations related to credit, financial and banking services.

Law 1581 of 2012 (‘Law 1581’), reviewed by the Colombian Constitutional Court in Decision C-748/11, contains comprehensive personal data protection regulations. This law is intended to implement the constitutional right of individuals to know, update and rectify the information gathered about them in databases or files, enshrined in Article 20 of the Constitution, as well as the other rights, liberties and constitutional guarantees referred to in Article 15 of the Constitution.

Accordingly, Law 1581 applies to:

  • personal data stored in any public or private database or files
  • any processing treatment of personal data in Colombia, and
  • operations performed by individuals who are not located in Colombia but are subject to the jurisdiction of Colombian Law under international standards and treaties.

Under Law 1581, the data owner (data subject) must always give prior, express and informed consent for all activities pertaining to the collection, use and transfer of personal data, except those that are specifically exempted from all or part of the Law, which includes the processing of credit data under Law 1266.

Decree 1377 of 2013 ('Decree 1377'), which constitutes secondary regulation on data protection matters, regulates:

  • authorization given by data owners for personal data treatment, including the processing of sensitive data
  • measures to be implemented regarding data collected before the publication of the Decree
  • policies on the processing of personal data
  • the exercise of data owners’ rights
  • cross-border transfer and transmission of personal data, and
  • liability regarding the processing of personal data through the organisational implementation of the accountability principle.
Last modified 24 Jan 2017
Definitions

Definition of personal data

Law 1266 defines ‘personal data’ as any information related to one or several identified or identifiable persons or which can be associated with an individual or a legal entity. Personal data may be public, semi private or private. Semi private data is data that is not deemed private, sensitive or public.

Under Law 1581, the definition of ‘personal data’ specifically includes information related to or that may be related to one or several identified or identifiable natural or legal persons.

Definition of sensitive personal data

Under Law 1266 ‘private data’ is data that, due to its sensitive or confidential nature, is relevant only to the data owner. For example, data that pertains to the right to intimacy may be deemed sensitive data under Colombian law.

Under Law 1581 and article 3 of Decree 1377 ‘sensitive data’ is data that relates to the intimacy of the data owner, or that, if disclosed without consent, could lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, trade-union membership, social organizations, human rights organizations, or those organizations that promote the interests of any political party or that ensure the rights and guarantees of opposition political parties, as well as data relating to health, sexual life and biometrics.

Authority

Two different governmental authorities were designated as data protection authorities by Law 1266: The Superintendency of Industry and Commerce ('SIC') and the Superintendency of Finance ('SFC'). As a general rule, the SIC will be the data protection authority, unless the administrator of the data is a company that performs financial or credit activities under oversight of the SFC as set forth in applicable law, in which case the SFC will also serve as a data protection authority.

Regarding the scope of Law 1581 and Decree 1377, the data protection authority is the SIC, which, in accordance with article 19 of Law 1581 and article 26 of Decree 1377, will be responsible for monitoring the compliance of the principles, rights, guarantees and procedures provided under the law, and is entitled to require the data controllers to prove the implementation of the compliance measures provided by applicable regulation.

Registration

Law 1581 created the National Register of Databases as a public directory of all databases operating in the country.

This Register is managed by the SIC and may be consulted by any citizen. The Ministry of Commerce, Industry and Tourism enacted Decree 886 of 2014 as secondary regulation to Law 1581. This Decree sets out the minimum content that must be included in any database entry registered with the National Register, the terms and conditions of such registration, and the timing requirements for the registration of databases.

A data controller must register in the National Registry any database that entails the processing of personal data. The following minimum information must be included in the registry form:

  • identification of data, location and contact data of the data controller
  • identification of data, location and contact data of the data processor
  • mechanisms for data subjects to exercise their rights
  • name and purpose of the database
  • means of processing (manual and/or automated), and
  • the data processing policy.

Recently, by means of a regulation (Circular Externa N. 2) dated November 3, 2015, the Superintendency of Industry and Commerce enabled the Registry and issued instructions to personal data Controllers in order to finally bring the National Registry into force, whereby Controllers must proceed with the registration of all databases subject to Law 1581. The National Registry implies that personal data Controllers must submit, through the web platform created for that purpose, information related to the processing of the relevant databases. The National Registry does not require the submission of the databases themselves.

Under the above regulation, and until further instructions are issued, the only Controllers obliged to register in the National Registry by the recent instructions are (i) entities of a private nature subject to registration before the Chamber of Commerce and (ii) partially state-owned entities (also known as mixed public-private companies). The Superintendency of Industry and Commerce has suggested the following registration periods for Controllers to comply with the National Registry:

LAST DIGITS OF NIT (Tax Identification Number, by its Spanish acronym)    REGISTRATION PERIOD
From 00 to 24                                                              From 09/11/2015 to 08/02/2016
From 25 to 49                                                              From 09/02/2016 to 10/05/2016
From 50 to 74                                                              From 06/05/2016 to 08/08/2016
From 75 to 99                                                              From 09/08/2016 to 08/11/2016

Although the authority has suggested the above deadlines, it must be clarified that, as per the instructions issued, data Controllers must register their databases within one year from the date on which the Superintendency of Industry and Commerce enabled the Registry, and databases created after that date must be registered within two months of their creation. The Registry information must be updated by the data controller whenever material changes occur.

Data Protection Officers

Neither Law 1266 nor Law 1581 requires organizations to appoint a data protection officer. However, data processors and data controllers are obliged to maintain adequate security levels for the protection of databases, as well as an administrative infrastructure to respond to data owners' requests and claims.

On the other hand, Decree 1377 does require organisations to appoint a person or area that will assume responsibility for personal data protection matters and will process the exercise of the data owners' rights. The suggestion to have such a position within the organisation has also been included in the Accountability Guide issued by the Superintendency of Industry and Commerce in May 2015. Although the content of this Guide is not binding, having been issued to support Controllers in fully complying with the obligations established by Law 1581 and supplemental regulations, observance of the Guide will be taken into account by the Superintendency of Industry and Commerce whenever it has to examine a possible breach of Law 1581. Specifically, the Guide under N.1.2 draws attention to the fact that Controllers should create a position or appoint a person in charge of privacy matters, such as a Privacy Officer or Data Protection Officer.

Collection & Processing

Under Law 1266 and Decision C 1011, as a general rule the collection and cross-border transfer of private and semi-private data can be performed only with the prior consent of the data owner, unless an exception applies. The exceptions, set forth in Article 5 of Law 1266, permit personal data to be disclosed or delivered directly, without consent, under the following conditions:

  • to the data owner or to a person to whom the owner has authorized such disclosure
  • to data users
  • to any judicial authority, pursuant to a judicial order
  • to Government Agencies or entities, when the data is required for the performance of legal or constitutional functions
  • to the Administrative Authorities who require such data for disciplinary, fiscal or administrative investigations, or
  • to other databases that have the same purpose as the database of the disclosing data processor (but see Decision C 1011 below) or to databases as authorized by the data owner.

Under the interpretation in Decision C-1011, the private and semi-private data of data owners may be disclosed in the foregoing cases only if the following conditions are observed: except for disclosure to the data owner, judicial authorities, governmental agencies and administrative authorities, the disclosure can be performed only if the data owner gives his or her prior consent; and when the data is delivered to governmental agencies, those agencies are deemed to act as data users and assume all the corresponding obligations, including those pertaining to confidentiality, restricted circulation and security of the data.

Similarly to Law 1266, according to article 10 of Law 1581, any operation performed on personal data requires the prior, express and informed consent of the data owner, except in the following cases:

  • data required by a public or administrative agency in performance of their duties or required by a court order
  • data that is deemed public data
  • data related to medical emergencies
  • data related to historical, statistical or scientific purposes, and
  • data related to the Civil Registration of Persons.

Similarly, article 13 states that personal data can be disclosed without consent to the following:

  • to the data owners, their successors or their legal representatives
  • to any administrative authority, when the data is required for the performance of public duties, or pursuant to a judicial order, or
  • to third persons to whom the owner has authorized such disclosure, or who are authorized by law.

In this regard, Decree 1377 establishes the aspects of the authorization that must be provided by the owners of the information for the processing of their personal data. The decree adds, under the concept and scope of the authorization, the need for the purposes for which the processing of data is authorized to be 'specific'. This means that the consent must be limited by the purposes of the processing, prohibiting a broad or general purpose, and thus demanding specific authorization to each one of the objectives pursued with the data processing.

In addition, Article 6 of the Decree regulates matters related to the authorization for the processing of sensitive personal data, adding the following obligations:

  • to inform the owner that since the data is sensitive they are not required to authorize the processing, and
  • to inform the data owner beforehand which of the data processed correspond to sensitive data and the purposes of the processing, obtaining his specific consent.

Article 10 establishes the measures to be taken by the individuals and corporations that have collected data before the Decree enactment. Among the measures to be taken, the Decree requires:

  • to request the authorization of the data owners, whether employees, suppliers or customers, to continue with the processing of their personal data, informing them of the processing policies and of how to exercise their rights as data owners, and
  • to note that the purposes of processing should be the same, similar or compatible with those for which the data was originally collected and authorized.

Regarding the authorization, it is important to note that it must be obtained through 'efficient communication mechanisms', i.e. through media that are used in the ordinary course of interaction with the data owner (phone, email, messaging, etc.).

Additionally, the new regulation sets a time limit to the processing of personal data, which corresponds to the time during which the data processing is necessary to accomplish the purposes originally authorized by the data owner. Once the purposes are fulfilled, or in the event that they disappear, the data controller shall proceed to eliminate the data collected. However, the Decree provides the possibility of keeping the data when it is necessary for compliance with legal or contractual obligations.

The Decree regulates the obligation of data controllers to develop policies for the processing of personal data and ensure that the data processor complies with the applicable standards. The Decree establishes the need for the policy to be embodied in physical or electronic means, in clear and simple language.

It determines the minimum content of the policy, which includes, among others, the processing of the data, the data owner’s rights and the procedure, person or area responsible for the exercise of these rights, and the entry into force date of the policy. It further provides that any change to the policy shall be informed to the data owners before implementing the new policies.

The Decree also allows the data controllers and processors to send a privacy notice on the existence of such policies and how to access them, when they cannot make the policy available to the data owner.

Transfer

Under Law 1581, the cross border transfer of data is prohibited unless the foreign country where the data will be transferred meets at least the same data protection standards (adequate level of protection) as the ones provided under Colombian law. This prohibition also applies to personal data governed by Law 1266.

Adequate levels of data protection will be determined in accordance with the standards set by the Superintendency of Industry and Commerce. Regulation on this matter is still pending.

This prohibition against cross-border transfers does not apply in the following cases:

  • if the data owner has expressly and unambiguously authorised the cross-border transfer of data (notice of specific elements, including destination and usage, must be given for consent to be effective)
  • exchange of medical data
  • bank and stock exchange transfers
  • transfers agreed under international treaties to which Colombia is a party
  • transfers necessary for the performance of a contract between the data owner and the controller, or for the implementation of pre-contractual measures provided there is consent of the owner, and
  • transfers legally required in order to safeguard the public interest.

In accordance with the Decree, for the international transmission and transfer of personal data, in addition to the provisions of Law 1581 of 2012, the following rules apply:

  • it is not a requirement to inform the data owner about the international transmission of personal data if the transmission occurs between the data controller and the data processor, in order to process the data, as long as a data transmission agreement has been entered in between them.
  • the data transmission agreement must be signed by the data controller and the data processor, and must indicate the scope of processing, the activities carried out under the data controller’s liability and the obligations of the data processor towards the data owner and the data controller.
Security

Law 1266 provides that data processors must implement security systems with technical safeguards to ensure the safety and accuracy of the data, and to prevent damage, loss, and unauthorized use of or access to the data.

Similarly, Law 1581 and Decree 1377 require that data processors and controllers implement the necessary technical, physical and administrative safeguards to ensure the safety of databases and to prevent their damage, loss, and unauthorized use or access.

Breach Notification

Article 17-N of Law 1581 requires notice to the Superintendency of Industry and Commerce of certain security risks or violations of security policies related to the management of personal data.

The Accountability Guide has established that, in case an incident takes place and personal data is compromised, the controller of such data must implement mechanisms to notify the situation to the Superintendency of Industry and Commerce and to the data owner. The communication to the authority must at a minimum contain:

  1. type of incident;
  2. date of the incident;
  3. date on which the Controller found out about the incident;
  4. cause;
  5. type of personal data compromised (sensitive, private, etc.); and
  6. number of data owners whose data was compromised.

Enforcement

The Superintendency of Industry and Commerce is allowed to initiate administrative investigations against those who breach the provisions of Law 1266 or Law 1581 and to impose penalties of up to 2,000 Minimum Monthly Legal Wages (approx. US$430,000) for each case, as well as sanctions that include the temporary or permanent closure of the professional or commercial activities of the subject who breached the data protection regime.

The penalties under Law 1581 only apply to private entities. If an offense is committed by a public entity, the Superintendency of Industry and Commerce shall refer the action to the Attorney General’s Office to initiate the respective investigation.

Additionally, on 5 January 2009 Colombia’s Congress enacted Act 1273, which added an 'Information and Data Protection' criminal offence to Colombia’s Criminal Code. In particular, Article 269F states: 'Violation of Personal Data: Anyone who, without being authorized to do so, to its own benefit or for a third party, obtains, compiles, subtracts, offers, sells, exchanges, sends, buys, intercepts, discloses, modifies or uses personal codes, personal data contained in files, archives, databases or similar means, will be held liable for imprisonment for a term of forty eight (48) to ninety six (96) months and a fine.'

Finally, data owners have the right to file, before any Colombian judge, a special constitutional action, referred to as the Constitutional Writ of Protection (Acción de Tutela) to have their fundamental right to privacy, data protection or habeas data protected.

This Constitutional Writ of Protection involves a preferential and summary proceeding under which the pertinent court must issue a decision within the 10 days following the date on which the action is filed. This means that in those cases in which the right to privacy, to intimacy or to habeas data is affected, an expeditious action could be implemented to protect the fundamental rights of the individual. In this regard, Decree 2591/91 expressly provides that an Acción de Tutela can be filed against a private individual or company that violates Article 15 of the Colombian Constitution. In general terms, a court granting an Acción de Tutela that involves habeas data will issue a decision ordering that data be rectified, updated or deleted. Failing to observe a Court’s ruling could result in an imprisonment order against the defendant for a period up to 10 days.

With the enactment of Decree 1377, data controllers should be able to demonstrate, at the request of the Superintendent of Industry and Commerce, the measures they have implemented to comply with their legal obligations.

Once the request is made by the Superintendent, those responsible should provide a description of the procedures used and treatment purposes, as well as evidence of the implementation of appropriate security measures. The policies must ensure:

  • the existence of an internal dependency proportional to the structure and size of the business responsible for the implementation of data protection policies
  • the adoption of internal mechanisms to implement data protection policies, including training and education programs, and
  • the adoption of processes for addressing and responding to inquiries, requests and complaints from data owners.

Non-compliance with the above-mentioned measures is subject to the penalties described in Law 1581 of 2012.

Electronic Marketing

Electronic Marketing is regulated by Law 527/99. The general rule is that opt-in consent from a data subject is required in order to send electronic marketing materials.

Online Privacy

In general, consent is required to use cookies and other tracking mechanisms to collect any data that could be used to identify an individual; consent may generally be obtained via the user’s acceptance of the privacy policy if the use of cookies (and the way to disable them) is fully disclosed in the privacy policy. An IP address may be considered personal data; however, there is currently no official opinion or law addressing whether an IP address is personal information.

Also, under the principle of access and restricted delivery enshrined in Article 4 of Law 1581, personal data may not be available on the Internet or in other mass media, unless the access is technically controllable to ensure access is available only to data owners or authorized third parties. This prohibition applies unless the information is public data, in which case its disclosure and circulation is possible within the limits established by law.

Contacts
Mauricio Jaramillo Campuzano
Partner
T +57 1 319 2900, ext. 903
Luisa Fernanda Gutiérrez Quintero
Associate
T +57 1 319 2900, ext. 903