Data Protection in Colombia

Transfer in Colombia

Per Law 1581, the transfer of personal data occurs when the data controller or the data processor located in Colombia sends the personal data to a recipient, in Colombia or abroad, who is responsible for the personal data, ie, a data controller.

Cross-border data transfers are prohibited unless the country where the data will be transferred to provides at least equivalent data privacy and protection standards and adequate safeguards to those provided by Colombian law. In this regard, adequate levels of data protection will be determined in accordance with the standards set by the SIC. 

This restriction does not apply in the following cases: 

  • If the Data Subject expressly consented to the cross-border transfer of data
  • Exchange of medical data
  • Bank or stock transfers
  • Transfers agreed to under international treaties to which the Colombia is a party
  • Transfers necessary for the performance of a contract between the Data Subject and the controller, or for the implementation of pre-contractual measures, provided the data owner consented, and
  • Transfers legally required in order to safeguard the public interest

Therefore, the data controller requires the authorization of the Data Subject for transferring the personal data abroad, unless such transfer is to one of the following countries which, according to the SIC, meet the standard of data protection and security levels. 

Authorized countries for international transfer of personal data

  • Albania
  • Argentina
  • Austria
  • Belgium
  • Bulgaria
  • Canada
  • Costa Rica
  • Croatia
  • Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungry
  • Iceland
  • Ireland
  • Italy
  • Japan
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • Mexico
  • Netherlands
  • New Zealand
  • Norway
  • Perú
  • Poland
  • Portugal
  • Republic of Korea
  • Romania
  • Serbia
  • Slovakia
  • Slovenia
  • Spain
  • Sweden
  • Switzerland
  • United States
  • United Kingdom
  • Uruguay

The SIC also considers that personal data can be transferred to any country regarding which the European Commission considers to meets its standard for levels of protection.

Transfer of personal data 

The transfer of personal data takes place when the data controller provides personal data to a data processor, in Colombia or abroad, in order to allow the data processor to process the personal data on behalf of the data controller. The data subject’s consent is required for the transfer of data, unless an adequate data transfer agreement between the data processor and the data controller is in place. 

In this regard, Decree 1377 requires that the aforementioned agreement include the following clauses:

  1. The extent and limitations of the data treatment
  2. The activities that the data processor will perform on behalf of the data controller, and
  3. The obligations the data processor has to data subjects and the data controller 

The data processor has three additional obligations when processing personal data: 

  • Process data according to the legal principles established in Colombian law
  • Guarantee the safety and security of the databases
  • Maintain strict confidentiality of the personal data  

A data controller transferring data to a data processor must identify the data processor in the National Database Register for each database transferred. Finally, the data processor must process the personal data in accordance with the data controller’s privacy policy and the authorization given by the data subject.

Continue reading

  • no results

Previous topic
Back to top