DLA Piper Intelligence

Data Protection
Laws of the World

Law

Colombia

Colombia recognizes two fundamental personal data rights under Articles 15 and 20 of its Constitution: the right to privacy and the right to data rectification. Personal data processing is further regulated by two statutory laws and several decrees that set out data protection obligations.

Statutory Law 1266 of 2008 (Law 1266) regulates the processing of financial data, credit records and commercial information collected in Colombia or abroad. Law 1266 defines general terms on habeas data and establishes basic data processing principles, data subject rights, data controller obligations and specific rules for financial data.

Law 1266 also defines the terms User of Data and Data Operator. A ‘User of Data’ is a person or entity who accesses databases and uses the information gathered there. A ‘Data Operator’ is a person who manages a database. Under the law a ‘Data Controller’ is a legal or natural person responsible for data treatment, or processing, and a ‘Data Processor’ is a legal or natural person in charge of personal data processing. The Data Controller creates databases on its own or in association with others, while the Data Processor processes personal data on behalf of the Data Controller. Nevertheless, an entity may be regarded as both Controller and Processor of personal data.

Law 1266 further requires Data Controllers and Data Processors to guarantee that personal data: is maintained pursuant to strict security measures and confidentiality standards, will not be modified or disclosed absent prior data subject consent, and will only be used for purposes identified in a privacy policy or notice.

Statutory Law 1581 of 2012 (Law 1581) regulates personal data processing, as well as databases. Law 1581 defines special categories of personal data, including sensitive data and data collected from minors. The law further regulates data processing authorization and procedures, and creates the National Register of Data Bases (NRDB). Law 1581 is applicable to all data collection and processing in Colombia, except data regulated under Law 1266 and certain other types of data or regulated industries. The law is further applicable in any case where a data processor or controller is required to apply Colombian law under an international treaty.

Law 1581 does not regulate:

  • Databases regulated under Law 1266
  • Personal or domestic databases
  • Databases aimed to protect and guarantee national security, prevent money laundering and terrorism financing
  • Intelligence and counter-intelligence agency databases, and
  • Databases regulated under Law 79 of 1993 (on population census)

Decree 1377 of 2013 (Decree 1377) is a piece of secondary regulation related to Law 1581 which outlines requirements for personal and domestic databases regarding authorization of personal data usage and collection, limitations to data processing, cross-border transfer of databases and privacy warnings, among others. This Decree also requires controllers and processors to adopt a privacy policy and privacy notice.

Decree 886 of 2014 (Decree 886) and Decree 090 of 2018 (Decree 090), issued by the Ministry of Commerce, Industry and Tourism, as well as Resolution 090 of 2018, issued by the Superintendence of Industry and Commerce, regulate the National Register of Data Bases and set deadlines for registration of existing databases in Colombia.

Last modified 28 Jan 2019
Definitions

The Colombian data protection regime distinguishes between personal data and a sub-category of sensitive personal data, depending on the information and the harmful effects caused by its unlawful use. Law 1266 and Law 1581 contain particular rules related to sensitive personal data. 

Definition of personal data

Under Law 1266, personal data is defined as any information related to or that may be associated with one or several determined or determinable natural or legal persons. Personal data may also be regarded as public, private or semi-private data. Public data is available to the public based on a legal or constitutional mandate. Private or semi-private data is data that does not have a public purpose, is intimate in nature and the disclosure of which concerns only the data subject.   

Under Law 1581, personal data is defined as any information related to, or that may be related to, one or several determined or determinable individuals, meaning natural persons only. 

Definition of sensitive personal data

Under Law 1266, sensitive personal data is defined as data that due to its sensitivity is only relevant to its owner. 

Under Law 1581, sensitive personal data is any data that affects its owner’s intimacy or whose improper use might cause discrimination. Data that reveals any of the below information is considered sensitive data and its processing is forbidden by law, except in the cases listed further below:

  • Ethnic or racial origin
  • Political orientation
  • Religious or philosophic convictions
  • Membership in labor unions, human right groups or social organizations
  • Membership in any group that promotes any political interest or that promotes the rights of opposition parties
  • Information regarding health and sexual life, and
  • Biometrics

Sensitive data shall only be processed:

  • With a special and specific authorization given by the data subject
  • When it is necessary to preserve the data subject’s life, or a vital interest and such data subject is physically or legally unable to provide authorization
  • When it is data used for a legitimate activity and with all necessary security measures, by an NGO, an association or any kind of nonprofit entity, in which case, the entity will need an authorization granted by the data subject to provide the data to third parties
  • When the data is related to or fundamental to the exercise of a right in the context of a trial or any judicial procedure, or
  • When the data has a historic, statistical or scientific purpose, in which case the identity of the data subject must not be disclosed
Authority

According to Law 1266, there are two different authorities on data protection and data privacy matters. The first of them, which acts as a general authority, is the Superintendent of Industry and Commerce (SIC). The second authority is the Superintendence of Finance (SOF), which acts as a supervisor of financial institutions, credit bureaus and other entities that manage financial data or credit records and verifies the enforcement of Law 1266.

Nevertheless, under Law 1581, the SIC is the highest authority in personal data protection and data privacy. It is empowered to investigate and impose penalties on companies for the inappropriate collection, storage, usage, transfer and elimination of personal data.

Registration

Law 1581 created the National Register of Data Bases (NRDB). Databases that store personal data and whose automated or manual processing is carried out by a natural or legal person, whether public or private in nature, in the Colombian territory or abroad, shall be registered in the NRDB. Database registration is also required if Colombian law is applicable to the data controller or data processor in accordance with an International Law or Treaty. Registration is mandatory for data controllers that are either of the following:

  • Companies or nonprofit entities that have total assets valued above 100,000 Tax Value Units (TVU), meaning COP$3.32 billion (USD$1.1 million)[1]
  • Legal persons of public nature 

Decree 886 states that each data controller shall register each one of its databases separately, and must distinguish between manual and automated databases. In addition, in order to register each database, the data controller or data processor shall provide the following information:

  • Identification information of the data controller, such as: business name, tax identification number, location and contact information
  • Identification details of the data processor, such as: business name, tax identification number, location and contact information
  • Contact channels to grant data subjects rights
  • Name and purpose of the database
  • Form of processing (manual / automated)
  • Security standards
  • Privacy policy

According to Decree 090, the following data controllers had to register their databases between September 2018 and January 2019:

  • Companies or nonprofit entities with total assets of a value greater than 610,000 TVU shall have been registered by September 30, 2018.
  • Companies or nonprofit entities with total assets of a value greater than 100,000 and up to 610,000 TVU shall have been registered by November 30, 2018.
  • Legal persons of public nature shall be registered by January 31, 2019. 

Any new database must be registered within two months following its creation. Finally, the data controller has the obligation to update the information contained in each database’s registry. 

Footnotes

[1] Based on the Tax Value Unit for 2018 (COP$33,156 (USD $11)). The Tax Value Unit is updated yearly by the Colombian tax authority.

Data Protection Officers

There is no requirement to appoint a data protection officer in Colombia.

Collection & Processing

The processing of financial data, credit records and commercial information, collected in Colombia or abroad, does not require authorization from the data subject. This information may only be disclosed to:

  • The data subject or authorized third parties, pursuant to the procedure established by law
  • The Users of the Data
  • Any judicial or jurisdictional authority upon request
  • Any control or administrative authority, when an investigation is ongoing
  • Data processors, either with the data subject’s authorization or, where no authorization is needed, provided the receiving database aims for the same objective or involves an activity that may cover the purpose of the disclosing data processor

By contrast, Law 1581 requires the authorization of the data subject in order for the data controller to process private and semi-private personal data. For the authorization to be valid it shall be given prior to the data processing and shall be informed, meaning that the data subject shall be aware of the exact purposes for which the data is being processed. Decree 1377 requires the following:

  • Personal data shall only be collected and processed in accordance with the purposes authorized by the data subject.
  • Such authorization shall be obtained by any means, provided that it allows subsequent consultation.   

Authorization is not required when:

  • The information is demanded by a public or administrative entity by means of a judicial order or exercising its legal duties.
  • It is public data.
  • A medical or sanitary urgency demands the personal data processing. 
  • The data processing is authorized by law for historical, statistical or scientific purposes.
  • The data is related to people’s birth certificates.

Regarding sensitive data, Section 6 of Decree 1377 states that the data controller shall do the following: 

  • Expressly inform the data subject that he or she is not compelled to provide sensitive data, and
  • Obtain his / her prior and express consent prior to the sensitive data processing

In any case, silence will be deemed as a reasonable means of obtaining authorization for personal or sensitive data processing.

Furthermore, when collecting personal data of children the data controller and the data processor shall ensure that personal data processed serves and respects the children’s superior interests and guarantees their fundamental rights. For these purposes, the authorization for processing a child’s data shall be provided by his or her legal representative.

Privacy policy and privacy notice

Decree 1377 establishes the obligation for data controllers to develop a privacy policy that governs personal data processing and ensures regulatory compliance. For this reason, privacy policies are mandatory for all data controllers and shall be clearly written; Spanish is recommended. Finally, according to Decree 1377, the minimum requirements for the privacy policy are:

  • Name, address, email and phone number of the data controller
  • Processes and handling of data and the purpose of such processing
  • Rights of the data subject
  • Individual or department within the data controller that is responsible for the attention to requests, consultations and claims to update, rectify or suppress data and to revoke authorization
  • Procedure to exercise the abovementioned rights, and
  • Date of creation and effective date

The privacy notice is a verbal or written communication by the data controller, addressed to the data subject whose personal data it processes. In this communication, the data subject is informed about the privacy policies of the data controller, the manner to access them and the purposes of the processing.

Transfer

Per Law 1581, the transfer of personal data occurs when the data controller or the data processor located in Colombia sends the personal data to a recipient, in Colombia or abroad, who is responsible for the personal data, i.e., a data controller.

Cross-border data transfer is prohibited unless the country where the data will be transferred meets at least the same data privacy and protection standards as those in Colombian regulation. In this regard, adequate levels of data protection will be determined in accordance with the standards set by the SIC. 

This prohibition does not apply in the following cases: 

  • When the data subject has expressly consented to the cross-border transfer of data
  • Exchange of medical data
  • Bank or stock transfers
  • Transfers agreed under international treaties to which Colombia is a party
  • Transfers necessary for the performance of a contract between the data subject and the controller, or for the implementation of pre-contractual measures, provided the data owner consented, and
  • Transfers legally required in order to safeguard the public interest

Therefore, the data controller requires the authorization of the data subject for transferring the personal data abroad, unless such transfer is to one of the following countries which, according to the SIC, meet the required standard of data protection and security.

Authorized countries for international transfer of personal data

  • Austria
  • Belgium
  • Bulgaria
  • Costa Rica
  • Croatia
  • Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Iceland
  • Ireland
  • Italy
  • Japan
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • Mexico
  • Netherlands
  • Norway
  • Peru
  • Poland
  • Portugal
  • Republic of Korea
  • Romania
  • Serbia
  • Slovakia
  • Slovenia
  • Spain
  • Sweden
  • United States
  • United Kingdom

The SIC also considers that personal data can be transferred to any country which the European Commission considers to meet its standard for adequate levels of protection.

Transmission of personal data 

The transmission of personal data takes place when the data controller provides personal data to a data processor, in Colombia or abroad, in order to allow the data processor to process the personal data on behalf of the data controller. The data subject’s consent is required for the transmission of data, unless there is an adequate data transfer agreement in place between the data processor and the data controller. 

In this regard, Decree 1377 requires that the aforementioned agreement include the following clauses:

  1. The extent and limitations of the data treatment
  2. The activities that the data processor will perform on behalf of the data controller, and
  3. The obligations the data processor has to data subjects and the data controller 

The data processor has three additional obligations when processing personal data: 

  • Process data according to the legal principles established in Colombian law
  • Guarantee the safety and security of the databases
  • Maintain strict confidentiality of the personal data  

The data controller that transmits data to a data processor must identify the data processor in the National Register of Data Bases (NRDB) for each database transmitted. Finally, the data processor must process the personal data in accordance with the data controller’s privacy policy and the authorization given by the data subject.

Security

Data controllers have the legal duty of guaranteeing that the information under their control is kept under strict security measures. For this reason, they shall ensure that such information will not be manipulated or modified without the authorization of the data subject. Indeed, the data controller shall develop an information security policy that prevents the unauthorized access, the damage or loss of information, including personal data.

Breach Notification

Under sections 17 and 18 of Law 1581, both the data controller and the data processor shall notify the authority (SIC) if there is a breach of security, a security risk, or a risk for data administration.

Enforcement

Since privacy and proper maintenance of personal data are fundamental constitutional rights in Colombia, every citizen is entitled to pursue protection before any Colombian judge via constitutional action. Any judge may order a private or public entity to modify, rectify, secure or delete personal data if it is kept under conditions that violate constitutional rights. Constitutional actions can take up to ten days to be resolved and an order issued, and failure to comply may result in imprisonment of the legal representative of the violating entity.

The Criminal Code of Colombia sets out in section 269F that anyone who, without authorization and seeking personal or third-party gain, obtains, compiles, removes, offers, sells, exchanges, sends, purchases, intercepts, divulges, modifies or employs personal codes or data contained in databases or similar platforms will be punishable by 48 to 96 months of prison and a fine of approximately US$20,000 to US$200,000.

Finally, since the SIC is an administrative and jurisdictional authority, it is allowed to investigate (as mentioned above), request information, initiate actions against private entities, impose fines of up to approximately US$400,000, and order or obtain the temporary or permanent closure of the company, entity or business.

Electronic Marketing

Law 527 of 1999 (Law 527) regulates e-commerce and electronic marketing. Authorization of the data subject is required for all types of marketing, whether electronic or otherwise.

Online Privacy

Personal data must not be available online unless there are adequate security measures to ensure that access by any unauthorized user is restricted.

The use of cookies on web pages is forbidden unless the data subject has given authorization for their use, which may be obtained by a pop-up informing the user about the privacy policy and the way to disable cookies. All other tracking systems likewise need proper authorization from the data subject.

Contacts
Maria Claudia Martinez Beltrán
Associate Director
DLA Piper Martinez Beltrán
T +57 3174720
Daniela Huertas
Junior Associate
DLA Piper Martinez Beltrán
T +57 3174720