Data protection in Colombia: overview

A Q&A guide to data protection in Colombia.

This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.

To compare answers across multiple jurisdictions, visit the data protection Country Q&A tool.

This article is part of the global guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-guide.

Luz Helena Adarve, Juanita Acosta and Lina Cala, Dentons Cárdenas & Cárdenas

Regulation

 

Legislation

1. What national laws regulate the collection and use of personal data?

General laws

The collection and use of personal data is mainly regulated by Law 1581 of 2012 and Decree 1377 of 2013. However, Colombia has a wider legal framework, comprising:

  • The Colombian Constitution. This establishes fundamental legally guaranteed rights, including freedom of speech, privacy and habeas data (that is, a remedy that allows any person to request any data held about them on a data register).

  • Law 594 of 2000. This defines the rules and general principles that must be followed by the Colombian State when archiving data.

  • Law 1273 of 2009. This outlines criminal offences and penalties relating to data protection.

  • Decree 886 of 2014. This regulates the National Registry of Databases.

Sectoral laws

The main sectoral laws on data protection are:

  • Law 1266 of 2008. This establishes general rules on habeas data and data management in the financial sector.

  • Decree 1727 of 2009. This defines how the operators of financial, credit, commercial and foreign databases must present the financial, commercial or credit information relating to a natural or legal person that they process.

  • Resolution 3066 of 2011. This provides rules for data protection in the telecommunications sector.

 

Scope of legislation

2. To whom do the laws apply?

Both Law 1581 of 2012 and Decree 1377 of 2013 apply to data processing conducted by public or private entities. Colombian legislation only applies to data processing performed inside Colombia, or outside Colombia if the data controller is subject to Colombian law through international treaties and standards. Under Colombian privacy law, a data controller is any natural or legal person that, by itself or in association with others, decides on the data processing and/or the databases.

Colombian privacy law also applies to data subjects, as it establishes their rights regarding their personal data. Furthermore, Colombian privacy law imposes obligations on third parties that process data, through the transfer and transmission of personal data.

 
3. What data is regulated?

Colombian law regulates personal data. Personal data is any information that relates directly or indirectly to a living individual. Moreover, sensitive data is also recognised and regulated by Colombian legislation. Sensitive data is any information that affects the privacy of a data subject, the misuse of which may lead to discrimination, including:

  • Ethnicity or race.

  • Political views.

  • Religious or philosophical convictions.

  • Union memberships.

  • Memberships to social organisations.

  • Health data.

  • Data related to sexual orientation.

  • Biometric data.

The processing of sensitive data can only be performed under certain exceptions provided by Law 1581 of 2012 and additionally, Decree 1377 of 2013.

 
4. What acts are regulated?

Law 1581 of 2012 and Decree 1377 of 2013 regulate the:

  • Processing of personal data. The processing of personal data is understood as any operation that involves data (for example, its storage, use, circulation or removal).

  • Transmission of personal data. Data transmissions occur when a data controller sends data to a processor.

  • Transfer of personal data. Data transfers occur when a data controller sends data to another controller, whether national or international.

 
5. What is the jurisdictional scope of the rules?

Colombia is not currently subject to any specific international legislation regarding data protection (see Question 2).

 
6. What are the main exemptions (if any)?

Law 1581 of 2012 does not apply to databases that:

  • Are maintained exclusively for personal or household use.

  • Are used for the country's national security and defence, and for the prevention, detection, monitoring and control of money laundering and terrorist financing.

  • Contain information related to intelligence and counter-intelligence.

  • Are related to journalistic information and other editorial contents.

  • Are regulated by:

    • Law 1266 of 2008 (data protection and habeas data in the financial sector); or

    • Law 79 of 1993 (population and housing censuses).

 

Notification

7. Is notification or registration required before processing data?

Data controllers must register their databases in the National Registry of Databases, which is administered by the Superintendence of Industry and Commerce (Superintendencia de Industria y Comercio).

Data controllers can register their databases on the National Registry of Databases online, through a webpage controlled by the Superintendence of Industry and Commerce (from 9 November 2015). The following information must be provided:

  • The number of databases with personal data.

  • The number of data subjects for each database.

  • Detailed information on the mechanisms and procedures designed to address queries and/or claims formulated by data subjects.

  • The types of personal data contained in all databases.

  • The physical location of the databases.

  • Contact details of the data processors, if applicable.

  • The security measures implemented by the data controller to protect all databases.

  • Information about how the data was collected (if directly from the data subject or from third parties).

  • Information about how the data is being processed (if physically or computerised).

  • Information about international data transfers and transmissions.

  • Information about the transferees/importers of data.

  • Information on the authorisations given by the data subjects.

  • The data processing policy of all data controllers and processors.

The registration must be made no later than 9 November 2016.

 

Main data protection rules and principles

Main obligations and processing requirements

8. What are the main obligations imposed on data controllers to ensure data is processed properly?

In Colombia, data controllers must:

  • Guarantee the full and effective exercise of the data subject's right of habeas data.

  • Request and maintain a copy of the authorisation provided by the data subject.

  • Inform the data subject of the purpose of the data collection and his rights.

  • Maintain the information under the necessary security conditions.

  • Guarantee that the information submitted to data processors is truthful, complete, exact and comprehensive.

  • Update the information provided, inform data processors of any developments on the data, and adopt adequate means to ensure that the information provided is kept updated.

  • Correct incorrect information and inform data processors of the correction.

  • Provide data processors with data that has been previously authorised in accordance with Law 1581 of 2012.

  • Demand that data processors respect the security and privacy of the data.

  • Register its databases in the National Registry of Databases (see Question 7).

  • Process any queries and complaints as provided by Law 1581 of 2012.

  • Adopt internal policies and procedures in accordance with Law 1581 of 2012.

  • Inform the national data protection authority of any security violations or data breaches.

  • Comply with instructions and orders given by the Superintendence of Industry and Commerce.

 
9. Is the consent of data subjects required before processing personal data?

The consent of data subjects is required before processing personal data (Article 9, Law 1581 of 2012). Moreover, the authorisation must be obtained in a form that can be consulted later.

According to Decree 1377 of 2013, the authorisation will be adequate if it is either:

  • Put in writing.

  • Given orally.

  • Given through unequivocal conduct that can be reasonably interpreted as giving rise to the subject's consent. Silence cannot be construed as unequivocal conduct.

Colombian law requires parental consent for the processing of personal data of minors under the age of 18. In Colombia, children are subject to special constitutional protection. Children's prevalent rights must always be respected while processing their personal data. All the fundamental rights of a minor are considered prevalent rights in the Colombian legal system (including, the rights to life, to education, to justice and to health, among others).

 
10. If consent is not given, on what other grounds (if any) can processing be justified?

The consent of the data subject is not required when (Article 10, Law 1581 of 2012):

  • The information is required by a public or administrative entity to exercise its legal functions or by a judicial order.

  • The data is publicly available.

  • In a medical or sanitary emergency.

  • The information is authorised for historical, statistical, or scientific purposes.

  • The data is available on the Civil Registry.

 

Special rules

11. Do special rules apply for certain types of personal data, such as sensitive data?

Articles 5, 6, and 7 of Law 1581 of 2012 establish specific conditions for the processing of sensitive data (see Question 2).

The processing of sensitive personal data is in principle prohibited, except under the following circumstances:

  • The data subject has given his consent.

  • If it is necessary to protect the life of a data subject who is physically or legally incapacitated.

  • If the information is provided to non-profit organisations, with a political, philosophical or religious motive, in the course of their legitimate operations. In this case, the data cannot be provided to third parties without the data subject's consent.

  • If the processing has a scientific, statistical or historical purpose. In this case, the data must be anonymous.

  • The data is necessary for the recognition, exercise or defence of a right in a judicial process.

 

Rights of individuals

12. What information should be provided to data subjects at the point of collection of the personal data?

The information that must be provided to data subjects, no later than at the moment of collection of their personal data, includes the:

  • Purpose of the processing.

  • Data processing that will be performed.

  • Data subject's rights.

  • Contact information of the data controller.

  • Optional nature of any questions related to sensitive data or minors' data.

 
13. What other specific rights are granted to data subjects?

Data subjects have the right to (Article 8, Law 1581 of 2012):

  • Update and rectify personal data that is incorrect, incomplete, or expressly prohibited or unauthorised.

  • Request proof of the granted authorisation.

  • Request information about how their data has been used.

  • File complaints before the Superintendence of Industry and Commerce.

  • Revoke their authorisation and/or request the removal of their data from processing.

  • Access the personal data, for free. Importantly, data subjects cannot be required to provide sensitive data (see Question 11).

 
14. Do data subjects have a right to request the deletion of their data?

Data subjects can request the deletion of their data when the processing of the data does not observe the principles, rights and guarantees established by the Constitution and the law. The Superintendence of Industry and Commerce has confirmed this. Additionally, the Colombian Constitutional Court has established that any data subject can request the deletion of their data if there is no contractual duty that requires the processing, storage or use of the data.

 

Security requirements

15. What security requirements are imposed in relation to personal data?

Based on the accountability principle, both data controllers and data processors must implement data collection and management policies that assure the security of the data. Therefore, they must be able to identify, measure, control, monitor, and respond to a security breach.

 
16. Is there a requirement to notify personal data security breaches to data subjects or the national regulator?

Both data controllers and processors must notify the Superintendence of Industry and Commerce of any security breach that can lead to a risk in the management of data.

 

Processing by third parties

17. What additional requirements (if any) apply where a third party processes the data on behalf of the data controller?

The data controller must provide the data subject's authorisation to the data processor and indicate the following:

  • The scope of the data processing.

  • Activities that the processor will complete on behalf of the data controller.

  • Obligations in relation to both the data subject and the data controller.

  • Any internal policies relating to the processing of data.

A contract is required for the international transmission of personal data. The agreement must meet the standards provided in Article 25 of Decree 1377 of 2013. Neither consent nor previous authorisation from the data subject is required when a data transmission agreement exists between the data processor and the data controller.

 

Electronic communications

18. Under what conditions can data controllers store cookies or equivalent devices on the data subject's terminal equipment?

There is no applicable legislation in Colombia regarding storing cookies or equivalent devices on the data subject's terminal equipment.

 
19. What requirements are imposed on the sending of unsolicited electronic commercial communications (spam)?

Sending unsolicited e-mails (spam) requires prior authorisation from the data subject, in the same terms as the processing of personal data (see Question 9).

 

International transfer of data

Transfer of data outside the jurisdiction

20. What rules regulate the transfer of data outside your jurisdiction?

In principle, Colombian law prohibits data transfers to countries that do not offer an adequate level of data protection. The Superintendence of Industry and Commerce requires an adequate level of protection. An "adequate level of protection" refers to the standards given by the Superintendence of Industry and Commerce regarding data protection, which can never be lower than those established by Colombian privacy law.

However, the Superintendence of Industry and Commerce can approve transfers to countries that do not offer an adequate level of data protection. Currently, the Superintendence of Industry and Commerce has not defined a specific process.

This prohibition will not apply:

  • If the data subject gives unequivocal consent for the data transfer.

  • If the exchange of medical data is required for public hygiene or health reasons.

  • In bank or stock transfers, in accordance with the applicable legislation.

  • In transfers agreed in the framework of international treaties in which Colombia is a party.

  • In transfers that are required for the execution of a contract agreed between the data subject and the data controller.

  • In transfers that are legally required for the protection of a public interest, or the recognition, exercise or defence of a right in a judicial process.

 
21. Is there a requirement to store any type of personal data inside the jurisdiction?

There is currently no requirement to store any type of personal data inside Colombia.

 

Data transfer agreements

22. Are data transfer agreements contemplated or in use? Have any standard forms or precedents been approved by national authorities?

There are no standard forms or precedents that have been approved by the national authorities.

 
23. Is a data transfer agreement sufficient to legitimise transfer, or must additional requirements (such as the need to obtain consent) be satisfied?

If the transfer is made to a country with inadequate levels of data protection, the controller must obtain an authorisation from the Superintendence of Industry and Commerce or must be covered by one of the exemptions established in the law (see Question 20).

 
24. Does the relevant national regulator need to approve the data transfer agreement?

The approval of the Superintendence of Industry and Commerce is not required if the data transfer is made to a country with an adequate level of protection or if the transfer is covered by one of the exemptions established in the Law 1581 of 2012 (see Question 20).

 

Enforcement and sanctions

25. What are the enforcement powers of the national regulator?

The Superintendence of Industry and Commerce can:

  • Carry out investigations, ex officio or upon a request and order any necessary measure to protect the right to habeas data.

  • Order temporary blockings of data, if data subjects prove that there is a risk to their fundamental rights.

  • Provide instructions, measures or procedures to data controllers and processors in order to safeguard data protection.

  • Impose sanctions for non-compliance with the data protection legislation.

 
26. What are the sanctions and remedies for non-compliance with data protection laws?

The Superintendence of Industry and Commerce can:

  • Impose monetary sanctions. Fines of up to the equivalent of 2,000 times the statutory monthly minimum wage (about US$450,000) can be imposed. The fine can be applied successively until the breach is remedied. The sanction is calculated taking into account the following criteria:

    • the extent of the damage;

    • the economic benefit obtained by the infringer or other third parties from the commission of the offence;

    • the recidivism in the commission of the offence;

    • the resistance, refusal or obstruction to the investigation and/or monitoring by the Superintendence of Industry and Commerce;

    • the reluctance to comply with orders given by the Superintendence of Industry and Commerce; and

    • the express recognition or acceptance of the commission of the offence, prior to the imposition of the sanction.

  • Order the suspension of the processing activities for up to six months.

  • Order the temporary closure of the processing operations.

  • Order the definitive closure of the processing operations.

 

Regulator details

Superintendence of Industry and Commerce (Superintendencia de Industria y Comercio)

W www.sic.gov.co

Main areas of responsibility. The main areas of responsibility of the Superintendence of Industry and Commerce (Superintendencia de Industria y Comercio) are as follows:

  • Intellectual property.
  • Consumer protection.
  • Control and verification of technical regulations and legal metrology.
  • Anti-trust.
  • Surveillance of the Chambers of Commerce.
  • Habeas data protection.
  • Jurisdictional matters.


Online resources

W www.sic.gov.co

Description. Official up-to-date website of the Superintendence of Industry and Commerce.

W www.sic.gov.co/recursos_user/documentos/normatividad/Leyes/2012/Ley_1581_2012.pdf

Description. Law 1581 of 2012, on the official website of the Superintendence of Industry and Commerce.

W www.sic.gov.co/drupal/sites/default/files/normatividad/DECRETO%2B1377%2BDEL%2B27%2BDE%2BJUNIO%2BDE%2B2013.pdf

Description. Decree 1377 of 2013, on the official website of the Superintendence of Industry and Commerce.



Contributor profiles

Luz Helena Adarve, Partner

Dentons Cardenas & Cardenas

T +57-313-7800
F +57-312-2420
E luz.adarve@dentons.com
W http://dentons.cardenas-cardenas.com/

Professional qualifications. Lawyer, Colombia, 1976

Areas of practice. Consumer protection, intellectual and industrial property, IT and entertainment.

Non-professional qualifications. Italian, History and Literature, Università degli Studi di Firenze, Florence, Italy, 1980; Juris Doctor, Universidad de Los Andes, Bogotá, Colombia, 1976

Languages. Spanish, French, English, Italian

Professional associations/memberships

  • International Trademark Association (INTA).

  • National delegate for the Interamerican Intellectual Property Association (ASIPI).

  • International Association for the Protection of Intellectual Property (Association Internationale pour la Protection de la Propriété Intellectuelle) (AIPPI).

  • Industrial Property Committee of the Chamber of Commerce (ICC).

  • Colombian Copyright Centre (CECOLDA).

Juanita Acosta, Partner

Dentons Cardenas & Cardenas

T +57-313-7800
F +57-312-2420
E juanita.acosta@dentons.com
W http://dentons.cardenas-cardenas.com

Professional qualifications. Lawyer, Colombia, 1994

Areas of practice. Consumer protection, intellectual and industrial property, IT and entertainment.

Non-professional qualifications. Masters in industrial and intellectual property and IT, Universidad de Alicante, Alicante, Spain, 2001; International Contracts Regime Specialist, Universidad de Los Andes, Bogotá, 1988

Languages. Spanish, English

Lina Cala, Associate

Dentons Cardenas & Cardenas

T +57-313-7800
F +57-312-2420
E lina.cala@dentons.com
W http://dentons.cardenas-cardenas.com

Professional qualifications. Lawyer, Colombia, 2016.

Areas of practice. Privacy; IT; intellectual and industrial property.

Languages. Spanish, English
