Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

Personal data can be processed once data subjects have granted their prior, express and informed consent under the general principle contained in:

  • the statutory law that regulates Article 15 of the Constitution (concerning the data privacy rights of individuals and legal entities exclusively as they pertain to credit history reporting and consultation with credit bureaus); and
  • Law 1581/2012 (Colombia’s most comprehensive statutory general data protection law, which governs all processing of personal data of private individuals).

Law 1581/2012 provides that consent is not required for:

  • information needed by a public or administrative entity or judicial order;
  • public data;
  • medical or health emergencies;
  • data processing authorised by law for historical, statistical or scientific purposes; or
  • data relating to an individual’s civil status.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

The general principle contained in Law 1581/2012 is that personal data can be stored for as long as the reason for which it was collected remains relevant.

Special laws establish document retention periods, which can affect the general principle regarding:

  • medical records;
  • documents pertaining to retirement payments made by employers to the general social security system for the benefit of their employees; and
  • trade or commercial documents.

Do individuals have a right to access personal information about them that is held by an organisation?

Yes. This right is expressly provided for by Article 15 of the Constitution and Article 8(a) of Law 1581/2012.

Do individuals have a right to request deletion of their data?

Yes. This right is expressly provided for by Article 15 of the Constitution and Article 8(e) of Law 1581/2012.

Consent obligations

Is consent required before processing personal data?

Yes. Prior, informed and express consent is required for the lawful processing of personal data.

If consent is not provided, are there other circumstances in which data processing is permitted?

Law 1581/2012 provides that consent is not required for:

  • information required by a public or administrative entity or judicial order;
  • public data;
  • information required in medical or health emergencies;
  • data processing authorised by law for historical, statistical or scientific purposes; or
  • data relating to an individual’s civil status.

What information must be provided to individuals when personal data is collected?

The following information must be provided to individuals when their personal data is collected:

  • the data controller’s name or business name and contact details;
  • the reasons for which the data will be processed;
  • details of the rights to which the data subject is entitled;
  • details of the data controller’s mechanisms to inform the data subject about its privacy policies and any substantial changes that occur thereto. In all cases, the data controller must inform the data subject how he or she can access or consult its privacy policies; and 
  • in the case of sensitive personal data, a data controller’s privacy notice must provide details of the optional nature of answering questions relating to this type of data.
