Colombia

Published on Tuesday 22nd January 2019

    • Colombia

      Yes. Articles 1, 2 and 3 of both Law 1266 of 2008 and Law 1581 of 2012, stemming from article 15 of the Colombian Constitution, establish the scope of financial and personal data protection in Colombia based upon the fundamental rights to privacy and information. These provisions form the basis of Colombia’s legislation on privacy and data protection.

      Last verified on Tuesday 22nd January 2019

    • Colombia

      Yes. Article 15 of the Colombian Constitution establishes a fundamental right to privacy that places significant constraints on the collection of personal information by both public and private entities that store personal data in databases and/or other types of archives. In accordance with this provision, private correspondence and other forms of personal communication are inviolable, except by court order in the cases established by law. However, this constitutional provision also authorises the interception of private communications without a court order when national security is deemed at risk. Colombia’s privacy and data protection legislation in force derives from this constitutional provision.

      Arising from the fundamental right to privacy, extensive constitutional jurisprudence from the Colombian Constitutional Court (Decisions T-414 of 1992, T-729 of 2002, C-748 of 2011) has also shaped the autonomous fundamental right of Habeas Data, which grants various remedies for data subjects in terms of access, inclusion, rectification, erasure, cancellation, opposition, addition and certification of their data, in addition to limiting the possibility to use, publish, disclose, transfer and release this data from controllers and processors.

      Last verified on Tuesday 22nd January 2019

    • Colombia

      Yes. As described above, Law 1266 of 2008 and Law 1581 of 2012 provide the general legal framework for the protection of financial data and personal data. This legislation provides the habeas data remedy and regulates the use of personal information collected by public and private entities and stored in databases and other types of archives.

      Last verified on Tuesday 22nd January 2019

    • Colombia

      Yes. The Colombian government has recently enacted Law 1928 of 2018 (24 July), by which the 2001 Convention on Cybercrime of the Council of Europe (CETS No. 185), known as the Budapest Convention, has been officially approved and adopted into Colombian legislation.

      Being the only binding international instrument on the matter, its adoption represents an outstanding effort to comply with international legal standards against cybercrime and provides a unified policy for detecting, investigating and punishing illegal behaviour on the web, which previously had not been aligned with the 62 parties to the Convention.

      Thus, the comprehensive guidelines contained in this instrument provide an advanced legal framework for Colombia, by which domestic legislation aligns with the international crime policy devised to guarantee international cooperation against cybercrime, a pending matter of the utmost importance: in 2011, the Colombian National Council for Economic and Social Policy, through guideline CONPES 3701, warned that Colombia had yet to develop a uniform strategy on cybersecurity that included coordination between domestic and foreign agencies to face cybercrime, and only in 2016, through CONPES 3854, did the Colombian government adopt internal guidelines for implementing a legal and institutional framework, which gave birth to Law 1928 of 2018 as a binding regulation on cybersecurity matters.

      The structure of the Convention as adopted into Colombian legislation is composed of three parts: substantive legislation, rules of procedure and international cooperation.

      In terms of substantive legislation, Colombia agrees to adapt Convention requirements to crimes regarding illegal access and interception of data, cyberattacks compromising data integrity, cyber falsification and fraud, child pornography, copyright infractions and liability of legal entities.

      As regards rules of procedure, Colombia agrees to:

      • adopt measures in order to guarantee (i) the expedited preservation of stored computer data and (ii) the partial disclosure of traffic data;
      • grant powers to competent authorities for them to request from service providers and other individuals the disclosure of stored data in their possession;
      • develop suitable means to intercept and collect traffic data associated with communications in real time; and
      • issue regulation enabling competent authorities to access and seize any computer storage system or support.

      Regarding international cooperation, through Law 1928 Colombia commits to processing requests for assistance in the investigation and collection of evidence in the fight against cybercrime, assumes obligations to preserve and communicate stored computer data, and undertakes to assist with cross-border access, in addition to establishing a permanent contact point, all in favour of parties to the Convention.

      This legal framework brings Colombia to a new chapter on cybersecurity matters and implies new and great challenges in terms of institutional coordination and cooperation regarding crime policy legislation and execution, along with empowering individuals to safeguard and act against cybercrime.

      Prior to Law 1928 of 2018, Colombia had issued public policies for subjects in relation to cybersecurity, some of which interplay or serve as grounds for Colombia’s current framework. The most important regulations are the following:

      Regulation and subject:

      • Political Constitution of 1991: essential principles of the state (article 2); personal privacy (article 15); electromagnetic space (article 75); consumer regulations (article 78)
      • Law 527 of 1999: electronic commerce
      • Law 599 of 2000: amended by Law 1273 of 2009 (includes crimes against the confidentiality, integrity and availability of data and computer systems)
      • Law 603 of 2000: software legality in companies
      • Law 962 of 2005: simplification and rationalisation of processing (security of the electronic information of public entities)
      • Law 1150 of 2007: security in electronic public procurement (article 3)
      • Law 1266 of 2008: habeas data (financial)
      • Law 1341 of 2009: information and organisation of information and communication technologies (ICTs)
      • Decree 2952 of 2010: regulatory provision
      • Law 1581 of 2012: personal data protection
      • Decree 2693 of 2012: general guidelines of the Online Government Strategy
      • Decree 1377 of 2013: regulatory provision of Law 1581 in terms of sources of information and permanence of the information
      • Decree 1704 of 2012: retention of information for criminal procedures and investigation
      • Law 1621 of 2013: strengthens the legal framework applicable to intelligence agencies and establishes security criteria; regulates the retention of information for national security purposes
      • Law 1712 of 2014: transparency in access to public information

      Last verified on Tuesday 22nd January 2019

    • Colombia

      Law 1581 of 2012 defines personal data as any information that pertains or may eventually be associated to a given individual. The data protection regime, therefore, applies solely to the protection of the personal information of individuals (data subjects). The Superintendency of Industry and Commerce (SIC, the Data Protection Authority) has clarified on several occasions that data protection laws do not protect legal entities. Instead, the SIC has established that when legal entities process the personal data of individuals (workers, clients, suppliers, etc) they must comply with Colombian data privacy laws to guarantee the rights of the data subjects.

      Last verified on Tuesday 22nd January 2019

    • Colombia

      Yes. According to Law 1581 of 2012, article 5, sensitive personal data refers to personal data that affects the privacy of a data subject and whose improper use may give rise to discrimination, namely data that (i) reveals race or ethnicity, political, religious or philosophical convictions or sexual orientation; (ii) reflects the subject belonging to labour unions or social or human rights organisations; (iii) reflects the subject promoting the interests of any political party or guaranteeing the rights of opposition political parties; or (iv) relates to health, sexual life or biometric data. Article 6 of the same law prohibits the processing of sensitive data except in the following cases:

      • when the data subject has given his or her explicit authorisation to such processing;
      • when the processing of this data is necessary to safeguard the vital interest of a data subject who is physically or legally incapacitated; under these circumstances, legal representatives must authorise the use of this data;
      • when the processing of this data is done by foundations, non-governmental organisations or non-profit foundations with political, philosophical, religious or labour purposes and relates exclusively to members of the organisation or to individuals who maintain contact with the organisation;
      • when the processing of this data is necessary within a judicial proceeding; and
      • when the processing of this data has historical, statistical or scientific purposes.

      According to article 6 of Decree 1377 of 2013, whenever sensitive data is to be processed, in addition to fulfilling the general legal requirements for processing authorisation for personal data, the data subject must be made aware of the following information:

      • data subjects are not obliged to authorise the processing of their sensitive data;
      • which of the personal data that will be processed is considered sensitive; and
      • the purpose of the processing of the sensitive data.

      Also, it is mandatory to obtain the express consent of the data subject authorising the processing of his or her sensitive data.

      On the other hand, data that is not considered sensitive is distinguished in Colombian legislation as public, semi-private and private data.

      Last verified on Tuesday 22nd January 2019

    • Colombia

      In Colombia, the processing of personal data may be carried out by any legal entity or individual provided that the principles set forth in article 4 of Law 1581 of 2012 are fulfilled.

      The following are the basic principles in force under Colombian law for the processing of personal data that establish a general limitation for the processing of personal data.

      • Legality

      Personal data processing must be done in accordance with the rule of law and its principles.

      • Purpose

      Personal data processing must serve a specific purpose. Personal data can only be used for a purpose known by the data subject at the time he or she was asked to disclose it.

      • Temporary limitation of personal data processing

      According to Colombian law, personal data cannot be processed indefinitely. Therefore, data controllers and processors must suppress personal data from their databases when the purpose for its collection is accomplished and/or when the period of time for its authorised use expires.

      • Pertinence and proportionality

      In Colombia, only necessary and pertinent data required for specific purposes shall be collected and processed.

      For example, there is no need to process authorisations to collect an individual’s sensitive data information for purposes beyond those established by law.

      • Authorisation

      Data subjects must consent or expressly authorise the collection and use of their personal data. Hence, with the exceptions established in article 10 of Law 1581 of 2012, the processing of personal data cannot be done without explicit consent from the data subjects. Breach of this principle constitutes a violation of the data subject’s fundamental rights.

      • Quality and veracity of information provided

      Personal data subject to processing must be certain, complete, updated, precise, verifiable and understandable for data subjects.

      The Colombian Constitutional Court forbids the collection of data that includes information suspected to be: (i) false or partial; (ii) incomplete; (iii) unfulfilled; or (iv) sensitive (whenever it is not authorised by the law).

      • Transparency

      This principle guarantees to data subjects that their personal data will be responsibly processed and used for the purpose for which it was collected.

      • Access and restricted disclosure

      The processing of personal data should only be done by data controllers or processors authorised by data subjects and by those authorised by law or by court order.

      • Security

      The collection of personal data should avoid: (i) adulteration; (ii) loss; (iii) prohibited consultation; and (iv) non-authorised access to personal data.

      • Confidentiality

      Personal data shall be processed confidentially. Hence, personal data shall not be made public unless it is authorised or provided by law or a court order.

      Last verified on Tuesday 22nd January 2019

    • Colombia

      Law 1581 of 2012 provides the general legal framework for the protection of personal data for every industry excluding financial services. Law 1266 of 2008 regulates financial data processing by financial entities under the control of Colombia’s Superintendency of Finance.

      The processing of personal data on the internet is not specifically provided for in Colombian legislation. However, the SIC recently clarified in a pronouncement (Rad No. 18-94066, 23 April 2018) that personal data not considered public cannot be published on the internet unless access to it is technically controlled so that disclosure is restricted to individuals authorised in accordance with Law 1581 of 2012. As a general guideline, the SIC determines that the processing of personal data in public access mediums such as the internet must be done guaranteeing the right of habeas data and in accordance with the basic principles contained in article 4 of Law 1481 of 2012.

      Last verified on Tuesday 22nd January 2019

    • Colombia

      Yes. According to Law 1581 of 2012, article 7, the processing of the personal data of minors is prohibited, except for data that, due to its nature, needs to be made public.

      The Colombian Constitutional Court (Decision C-748 of 2011) ruled that the processing of the personal data of minors must protect their fundamental rights. From this decision it follows that the processing of the personal data of minors can be carried out when the authorisation of their legal guardians is given and, where possible, taking into consideration the minor’s opinion.

      Last verified on Tuesday 22nd January 2019

    • Colombia

      According to the aforementioned Law 1928 of 2018, in terms of substantive legislation, Colombia committed to adapting Convention requirements to crimes regarding illegal access and interception of data, cyberattacks compromising data integrity, cyber falsification and fraud, child pornography, copyright infractions and liability of legal entities.

      Along with these newly devised criminal liability standards, Law 1928 of 2018 also carries the adoption of rules of procedure that Colombia must implement to establish remedies by means of injunctive relief in the expedited preservation of stored computer data, the disclosure of stored data in the possession of service providers and other individuals, the interception and collection of traffic data associated with communications in real time and the access to and seizure of computer storage systems by competent authorities, all with the international cooperation of parties to the Budapest Convention.

      Until this legislation is fully adopted, Colombia’s Criminal Code (Law 599 of 2000 amended by Law 1273 of 2009) has provided the following criminal liabilities for crimes against confidentiality, integrity and data availability through information systems:

      Article reference, crime and punishment:

      • Article 269A, abusive access to a computer system: prison sentence of 48 to 96 months and a fine of 100 to 1,000 minimum wages (US$260,414 approx)
      • Article 269B, illegitimate obstruction of a computer system or telecommunication network: prison sentence of 48 to 96 months and a fine of 100 to 1,000 minimum wages (US$260,414 approx)
      • Article 269C, interception of informatic data: prison sentence of 36 to 72 months
      • Article 269D, informatic damage: prison sentence of 48 to 96 months and a fine of 100 to 1,000 minimum wages (US$260,414 approx)
      • Article 269E, use of malicious software: prison sentence of 48 to 96 months and a fine of 100 to 1,000 minimum wages (US$260,414 approx)
      • Article 269F, violation of personal data: prison sentence of 48 to 96 months and a fine of 100 to 1,000 minimum wages (US$260,414 approx)
      • Article 269G, impersonation of websites to capture personal data: prison sentence of 48 to 96 months and a fine of 100 to 1,000 minimum wages (US$260,414 approx)

      In terms of regulation of Colombian data protection, sanctions and penalties for non-compliance with this legal regime are foreseen in Law 1581 of 2012, coupled with remedies to trigger investigation proceedings from the SIC that, after due process, may lead to the aforementioned sanctions.

      • Sanctions for non-compliance with Law 1581 of 2012

      According to article 23 of Law 1581 of 2012, the SIC, as the Colombian data protection authority, is responsible for the enforcement of sanctions and penalties to data controllers and processors that may vary between: (i) penalties up to 2,000 minimum wages (US$572,900 approx); (ii) suspension of data protection activities up to a six-month term; (iii) temporary closure of data processing activities; and/or (iv) definitive closure of sensitive data processing.

      The aforementioned sanctions are solely applicable for corporations and other private individuals and entities. In the case of infractions by public entities and/or authorities, investigation and sanction proceedings must be carried out by the Office of the Inspector General of Colombia in accordance with Law 734 of 2002 and its regulations and amendments, which in turn may impose sanctions that may vary between dismissal of the position and general disqualification, suspensions, fines and warnings.

      Last verified on Tuesday 22nd January 2019

    • Colombia

      The authorities in charge of cybersecurity in Colombia form a national commission composed of four main authorities, as follows:

      With the enactment of Law 1928 of 2018, the Colombian government has established a national cybersecurity and cyber defence plan in which the creation of a cybersecurity and cyber defence specialised authority is contemplated. This new authority shall be responsible for regulating cybersecurity and its creation is still pending. However, the aforementioned authorities have enforcement powers to fight cybercrime by investigating, prosecuting and dealing with criminal and terrorist acts as a whole.

      Regarding data protection, the SIC is the Colombian authority responsible for regulating the matter (www.sic.gov.co/ Carrera 13 No. 27 – 00 Bogotá DC - (+ 57 1) 592 0400) and has the following enforcement powers under article 21 of Law 1581 of 2012:

      • to ensure compliance with data protection laws;
      • to pursue investigations, ex officio or per request of any individual and to order the measures that are necessary to enforce the right of habeas data;
      • to restrain access to data upon the request of an individual, when evidence of a violation of fundamental rights is provided. This measure applies if it is necessary to protect the rights of the individual, while a final decision is made;
      • to promote and disseminate the rights of individuals regarding personal data processing and implement educational campaigns to train and inform citizens about their fundamental right of habeas data;
      • to provide instructions on the measures and procedures that should be complied with by the data controller and processors regarding the provisions of the data protection laws;
      • to request information from data controller and processors;
      • to issue statements of conformity on international data transfers;
      • to manage the National Public Registry of Databases and issue the orders and acts necessary for its administration and operation;
      • to suggest adjustments and corrections to data protection regulations according to technological changes; and
      • to request the collaboration of international or foreign entities when data subject’s habeas data rights are affected outside Colombian territory.

      Last verified on Tuesday 22nd January 2019

    • Colombia

      The general rule of obtaining prior authorisation before collecting, processing and transferring personal data in accordance with Law 1581 of 2012 must be complied with by all public and private individuals, in the terms and with the exceptions established by law. However, in accordance with Decree 090 of 2018, data controllers that under Colombian law are considered medium-sized or large companies, namely corporations and non-profit organisations with assets higher than 100,000 Tax Value Units (US$1.1 million approx.), must have registered with the National Database Registry all databases in their possession containing personal data, as follows:

      • Corporations and non-profits with assets higher than 610,000 Tax Value Units (US$6.9 million approx.) should have registered their databases with the National Database Registry by 30 September 2018 at the latest; and
      • Corporations and non-profits with assets higher than 100,000 Tax Value Units and until 610,000 Tax Value Units should have registered their databases with the National Database Registry on 30 November 2018 at the latest.

      For newly created databases after the aforementioned deadlines, the registration must be done within a period of two months after the particular database is created.

      Finally, all legal entities of a public nature should register their databases with the National Database Registry by 30 January 2019 at the latest.

      Last verified on Tuesday 22nd January 2019

    • Colombia

      According to article 17 of Law 1581 of 2012, the main obligations of data controllers are:

      • Guarantee to the data subject, at any time, the full and effective exercise of the right of habeas data.
      • Request and keep a copy of the authorisation granted by the data subject. 
      • Inform the data subject about the purpose of the collection of his or her personal data and the rights that assist him or her by virtue of the granted authorisation.
      • Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorised or fraudulent access.
      • Ensure that the information provided to the data processor is truthful, complete, accurate, up to date, verifiable and comprehensible.
      • Update information, communicating in a timely manner to the data processor any news regarding the data previously provided, and take the necessary measures to ensure that the information provided to the data processor is kept up to date.
      • Rectify the information when it is incorrect and communicate it to the data processor.
      • Only provide the data processor with personal data whose treatment has been previously authorised by the data subject.
      • Require the data processor, at any time, to respect the security and privacy conditions of the data subject’s information.
      • Process the consultations and claims formulated by data subjects.
      • Adopt an internal policy and procedures manual to ensure proper compliance with Law 1581 of 2012 and, in particular, for consultation and complaints processes.
      • Inform the data processor when certain information is being discussed by the data subject, and the respective claim procedure has not been completed.
      • Inform the data subject, on request, of the use made of their data.
      • Inform the data protection authority (SIC) of the occurrence of data security breaches.
      • Comply with the instructions and requirements issued by the SIC as the data protection authority.

      Last verified on Tuesday 22nd January 2019

    • Colombia

      Yes. According to article 18 of Law 1581 of 2012, data processors on behalf of data controllers should comply with the following obligations:

      • guarantee data subjects the exercise of their right of habeas data;
      • make timely updates, rectifications or suppressions of the personal data being processed;
      • update the information reported by the data controller;
      • process consultations and claims in favour of data subjects;
      • register claims and status updates in their databases;
      • refrain from circulating information that is being disputed by the data subject;
      • inform the data protection authority (SIC) about data security breaches; and
      • comply with the instructions and requirements issued by the SIC as the data protection authority.

      Last verified on Tuesday 22nd January 2019

    • Colombia

      In Colombia, consent authorisation is the cornerstone of the data protection legal regime. To allow personal data processing, data controllers and data processors (when applicable) must obtain data subjects’ consent and prior authorisation to process their personal data.

      However, in accordance with article 10 of Law 1581 of 2012, in the following main events, data processing can be done without the data subject’s authorisation:

      • when personal data is required by a public entity in the exercise of its legal functions or by court orders;
      • events of medical or health emergency; and
      • when personal data processing has historical, statistical or scientific purposes.

      Last verified on Tuesday 22nd January 2019

    • Colombia

      Law 1581 of 2012 (article 8) grants several rights to data subjects on their information, mainly to keep them informed of their personal data processing and also in terms of access, rectification, erasure and opposition of their data. The following are the data subjects' main rights:

      • know, update and rectify their personal data;
      • request proof of the authorisations granted to data controllers;
      • be informed by data controllers and/or processors, upon request, of the use that is given to their personal data;
      • submit complaints to the SIC for violations of Colombian data protection laws;
      • revoke the authorisation and/or request the suppression of personal data in databases; and
      • have free access to their personal data.

      Last verified on Tuesday 22nd January 2019

    • Colombia

      Article 26 of Law 1581 of 2012 prohibits international transfer of personal data except in the following cases:

      • when the data subject has given his or her explicit and unequivocal authorisation;
      • in cases of the exchange of medical data;
      • in cases of bank or stock exchange transfers;
      • transfers agreed upon under international treaties to which Colombia is a party;
      • transfers needed for the execution of an agreement between the data subject and the data controller, or for the execution of pre-contract measures when the authorisation of the data subject has been given; and
      • transfers required to safeguard public interest, or for the recognition, exercise or defence of a right in a judicial proceeding.

      In cases of international data transfers different from those mentioned above, data controllers shall inform the SIC in advance and request a “conformity declaration”. Data controllers must then deliver to the SIC general information on the operation and the destination of the data transfer.

      The SIC has established the information that data controllers shall submit whenever they request a conformity declaration, which consists of:

      • name and purpose of data controller’s (sender) database that contains personal data that will be transferred internationally;
      • processing of personal data contained in the databases to be transferred internationally;
      • type of data that will be transferred internationally, specifying whether sensitive data or a minor’s personal data will be transferred;
      • copy of data controller’s privacy policy (receiver);
      • legal name and copy of the document that certifies the existence and legal representation of the data controller (sender);
      • copy of the agreement that contains the terms, conditions and guarantees of the international transfer and processing of the personal data;
      • security and confidentiality measures that will be taken in the transfer process;
      • processing that will be carried out by the data controller (receiver) to the transferred databases;
      • purpose of the databases in which the databases transferred from Colombia will be stored;
      • copy of data controller’s (sender) privacy policy (if applicable);
      • data controller’s (receiver) security data policy;
      • service channels provided by data controller (receiver);
      • time period in which the transferred personal data will be stored by the data controller (receiver);
      • identification and title of persons who will have access to transferred databases;
      • copy of non-disclosure agreement provisions and/or confidentiality provisions applied by the data controller (receiver);
      • copy of the data protection laws of the country of destination;
      • copy of the latest accountability report issued by the data protection authority of the country of destination; and
      • evidence of the existence of legal mechanisms to protect the data subject’s habeas data rights in the country of destination.

      The SIC will assess, on a case-by-case basis, whether the country in which personal data is being transferred has adequate data protection regulations that fulfil or exceed the protection standards of Colombian data protection laws.

      In 2017, the SIC issued the following list of countries with adequate levels of data protection:

      Germany; Australia; Austria; Belgium; Bulgaria; Cyprus; Costa Rica; Croatia; Denmark; Slovakia; Slovenia; Estonia; Spain; United States of America; Finland; France; Greece; Hungary; Ireland; Iceland; Italy; Japan; Latvia; Lithuania; Luxembourg; Malta; Mexico; Norway; Netherlands; Peru; Poland; Portugal; the United Kingdom; the Czech Republic; Republic of Korea; Romania; Serbia; Sweden; and the countries that have been declared as having an adequate level of protection by the European Commission.

      International data transfers to the above-mentioned countries do not require the request of a “conformity declaration” before the SIC. However, in international data transfers to these countries data controllers must prove they have implemented appropriate and effective measures for guaranteeing adequate processing measures for the transferred personal data.

      Last verified on Tuesday 22nd January 2019

    • Colombia

      Law 1581 of 2012 established the security principle as one of the fundamental bases of personal data processing in Colombia. However, this law and its regulatory decrees did not establish a specific way, or set of requirements, that data controllers and processors must fulfil in order to ensure security of personal data.

      The SIC, as the data protection authority, has issued guidelines with general recommendations and instructions for data controllers and processors on ensuring an adequate level of security in data processing. The authority has identified the following main activities that data controllers and processors must carry out to comply with the accountability and security principles:

      • implement administrative procedures in accordance with their data protection policies;
      • have a personal data inventory that allows the classification of personal data that is being processed (sensitive, confidential, public information, etc);
      • identify which of the personal data being processed still fulfil the purpose for which they were collected;
      • create a detailed protocol that maps the circulation of the personal data being processed;
      • implement systems and guidelines to keep verifiable proof of the data subjects’ authorisation;
      • apply reinforced security systems in cases of sensitive data processing;
      • establish internal data protection policies and publish them for employees or collaborators who are directly or indirectly related to the organisation's personal data processing (data controller or data processor); and
      • identify and manage risks associated with personal data processing.

      However, according to the SIC, there is no single or “correct” means of complying with the accountability and security principles. How the aforementioned activities are carried out will differ for each data controller and processor, because the measures must be proportional to the organisation’s structure and to the amount of personal data under its responsibility.

      Last verified on Tuesday 22nd January 2019

    • Colombia

      Yes. According to article 23 of Decree 1377 of 2013, data controllers and processors are obliged to appoint a department or an individual responsible for compliance with the data protection laws.

      According to SIC’s Accountability Principle Guidelines, DPOs’ main responsibilities are:

      • to design a system that reduces the risks of personal data processing;
      • to promote compliance with data protection laws and policies;
      • to have an inventory of databases;
      • to register databases in the National Database Registry;
      • to request conformity declarations (if applicable);
      • to study and approve international transmission agreements (if applicable);
      • to lead internal training sessions on data protection regulation and policies;
      • to follow and evaluate the compliance of privacy policies;
      • to answer SIC requests; and
      • to develop and evaluate an Integral Data Protection Programme.

      Finally, any individual may incur criminal liability if he or she processes personal data for his or her own benefit or that of a third party without authorisation (Colombian Criminal Code, article 269F), or if he or she creates fake websites to capture personal data illegally (Colombian Criminal Code, article 269G). However, this liability is not tied to the DPO role as such, and its scope is yet to be determined by pending regulation stemming from the adoption of the Budapest Convention through Law 1928 of 2018.

      Last verified on Tuesday 22nd January 2019

    • Colombia

      Yes. According to Law 1581 of 2012, data controllers and processors must notify the data subjects and the SIC of any data security breach. The notification to the SIC must be made within 15 business days of the occurrence of the incident.

      According to the guidelines issued by the SIC regarding the accountability principle, in these events data controllers and processors must report the following information:

      To affected data subjects:

      • the nature and characteristics of the data security breach; and
      • the alternatives available to mitigate the damage.

      To the SIC:

      • the type and nature of the data security breach;
      • the date of occurrence and the date on which the data controller and/or processor became aware of the breach;
      • the causes of the data security breach;
      • the type of personal data involved;
      • the number of affected data subjects;
      • the procedure by which the breach was managed; and
      • the corrective measures that will be applied to prevent similar incidents in the future.

      The SIC will analyse the reported information according to the complexity of the event. If, in the SIC’s opinion, the incident could give rise to liability of the data controllers or processors, the SIC will open an investigation proceeding that can result in the imposition of sanctions.

      Last verified on Tuesday 22nd January 2019

    • Colombia

      Currently, Colombia has no specific law, regulation or guidance on the use of tracking technologies such as cookies. However, according to the SIC (Concept Rad. No. 16-172268 of 2016), cookies may constitute a database under Law 1581 of 2012, given that they collect personal data, provided that they meet the following criteria:

      • they refer to attributes exclusive to an individual, so that they qualify as personal data under the law in force;
      • they allow the individual to be identified, to a greater or lesser extent, whether on their own or in combination with other data;
      • they belong to the data subject; and
      • their processing is subject to the rules contained in Law 1581 of 2012.

      In these cases, the data controller must comply with the provisions of Law 1581 of 2012, in particular the principles of legality, transparency, quality and veracity, security and confidentiality contained in article 4 of that statute.

      Last verified on Tuesday 22nd January 2019

    • Colombia

      According to the Colombian Ministry of Finance and Colombia Fintech (the Colombian fintech association), Colombia ranks third in Latin America in number of fintech companies, after Mexico and Brazil. However, there is currently no specific regulation or guidance in force regarding fintech and data protection or cybersecurity.

      As announced in last year’s entry, the draft decree published by the Superintendency of Finance and the Ministry of Finance to regulate crowdfunding activities through digital platforms (fintech companies) was approved last July as Decree 1357 of 2018. Article 2.41.2.1.8 of this statute refers to the Habeas Data Regulation (contained in Law 1266 of 2008): crowdfunding companies must report to financial information operators the information covered by that regulation, and must send users’ financial data to the operators within a maximum of three days from the moment they receive or become aware of the information in question.

      In 2017, the Superintendency of Finance created a fintech department, a specialist unit that seeks to promote the creation and development of applications supporting regulatory compliance in the financial sector. Notwithstanding the above, neither the Superintendency of Finance nor the SIC has announced new data protection regulation other than Decree 1357 of 2018.

      Last verified on Tuesday 22nd January 2019

    • Colombia

      Currently, there is no specific regulation in Colombia that imposes requirements for “privacy by design”, “privacy by default” and “privacy impact assessment”.

      However, through its Accountability Principle Guide, the SIC has issued guidelines with general recommendations and instructions for data controllers and data processors to:

      • ensure an adequate level of security in personal data processing; and
      • implement procedures within their organisations that identify and mitigate the risks of personal data processing throughout the data’s life cycle.

      In addition, the SIC, as a member of the Ibero-American Data Protection Network, collaborated in drafting the general guidelines called “Data Protection Standards of the Ibero-American States”. Among other things, this document sets out recommendations for creating a homogeneous public policy on data protection in the region.

      Regarding “privacy by design” and “privacy by default”, these standards establish that data controllers must apply preventive procedures that ensure compliance with local data protection laws and keep personal data processing to a minimum.

      Last verified on Tuesday 22nd January 2019

    • Colombia

      In Colombia, sending unsolicited commercial communications (spam) requires the express authorisation of the data subject. Furthermore, in the telecommunications industry, Resolution 3066 of 2011 of Colombia’s Communications Regulation Commission establishes that all communications service providers must respond to users’ requests to restrict or stop the sending of spam.

      Last verified on Tuesday 22nd January 2019

    • Colombia

      No. However, the SIC has issued several guidelines alerting users to how cloud computing services can process and use their personal data, and stressing that entering into an agreement with a cloud computing provider should be an informed decision that takes into consideration factors such as: (i) the parties involved in the service (the client, as data controller; the provider, as data processor on behalf of the controller; and the user, as data subject); (ii) the type of data that will be provided for the service (public, private, semi-private, sensitive, etc); and (iii) the law applicable to the agreement.

      Last verified on Tuesday 22nd January 2019

    • Colombia

      Yes. Law 1581 of 2012 applies in its entirety to personal data under the control of all types of government agencies. However, as noted regarding the sanctioning powers of the SIC as data protection authority, in the case of infringements of Law 1581 by public entities and/or authorities, investigation and sanction proceedings must be carried out by the Office of the Inspector General of Colombia in accordance with Law 734 of 2002 and its regulations and amendments.

      Last verified on Tuesday 22nd January 2019

    • Colombia

      Colombia’s legal framework for personal data protection is based on the prior authorisation (consent) of data subjects. Accordingly, as a rule, the right to access data is limited by prior consent. However, the cases in which data can be accessed and processed without prior authorisation are established in article 10 of Law 1581, as follows:

      • when personal data is required by a public entity in the exercise of its legal functions or by court order;
      • when the data being accessed is of a public nature;
      • in the event of a medical or health emergency; and
      • when personal data processing has specific historical, statistical or scientific purposes.

      Hence, Colombian regulation allows access to data under the control of government agencies when the personal data is required by a public entity in the exercise of its legal functions (in which case its activity is overseen by the Office of the Inspector General of Colombia in accordance with Law 734 of 2002), or by other controllers in the aforementioned circumstances (in which case their activity is overseen by the SIC), in all cases in accordance with Law 1581 of 2012.

      Last verified on Tuesday 22nd January 2019

    • Colombia

      Yes. In accordance with article 17 of Law 1581 of 2012, data controllers are obliged to adopt an internal policy and procedures manual to ensure proper compliance with Law 1581 of 2012, with particular emphasis on the processes for handling consultations and complaints. This provision allows for self-regulation, as data controllers can adopt their own procedures in accordance with the nature of their organisation and how they process personal data.

      Although internal guidelines must align with Law 1581 of 2012, the internal policy and procedures manual allows each organisation to tailor: (i) how consultations and complaints are processed within the organisation, with various degrees of control; (ii) how personal data is collected, classified and processed; (iii) how personal data circulates within the organisation and among its related parties; (iv) how security measures are applied to the personal data being processed; and (v) how the different roles within the organisation affect the processing of personal data and to what degree each post must comply with the personal data policies.

      Last verified on Tuesday 22nd January 2019
