Jurisdiction snapshot

Trends and climate

Would you consider your national data protection laws to be ahead of or behind the international curve?

While Colombia’s existing data protection legislation is among the most developed in Latin America, it was drafted by taking elements from the EU Data Protection Directive (95/46/EC) – which has since been replaced by the EU General Data Protection Regulation (2016/679) – and to that extent does not consider existing trends, such as legitimate interest and other alternatives to consent for the lawful processing of personal data.

Are any changes to existing data protection legislation proposed or expected in the near future?

At present, Congress is discussing a draft bill, which introduces novel concepts such as privacy by design and further obligations concerning privacy officers. However, given the upcoming congressional and presidential elections in the first half of 2018, it is unclear whether this draft will succeed in passing into statutory law.

From a regulatory perspective, the Colombian government has yet to regulate the conditions under which binding corporate rules are implemented.

Legal framework

Legislation

What legislation governs the collection, storage and use of personal data?

The following legislation governs the collection, storage and use of personal data:

  • Article 15 of the Constitution, which establishes the fundamental right to habeas data or data privacy;
  • Law 1266/2008, which is the statutory law that regulates Article 15 of the Constitution with regard to the data privacy rights of individuals and legal entities exclusively as they pertain to credit history reporting and consultation with credit bureaus;
  • Law 1273/2009, which added the crime of unlawful and unauthorised personal data processing to the Criminal Code;
  • Law 1581/2012, which is the most comprehensive statutory general data protection law in Colombia and governs all personal data processing;
  • Decree 1377/2013, which is Law 1581/2012’s most extensive and comprehensive secondary regulation;
  • Decree 886/2014, which regulates the National Database Registry administered by the Data Protection Authority;
  • Decree 1759/2016, which extended the deadline for Colombian data controllers that are legal entities to register with the National Database Registry to June 30 2017;
  • Decree 1115/2017, which extended the deadline for Colombian data controllers that are legal entities to register with the National Database Registry to January 31 2018; and
  • Various Superintendence of Industry and Commerce circulars and guidelines concerning:
    • the implementation of the accountability principle;
    • conformity declarations for cross-border transfers of personal data;
    • adequacy standards for cross-border transfers of personal data;
    • notification systems for CCTV; and
    • the contracting of cloud services.

Scope and jurisdiction

Who falls within the scope of the legislation?

Individuals and legal entities fall within the scope of Law 1266/2008, while individuals who reside in Colombia, or whose personal data is stored or processed in Colombia, fall within the scope of Law 1581/2012.

What kind of data falls within the scope of the legislation?

Data concerning an individual’s credit history falls within the scope of Law 1266/2008, while all personal data which identifies or can be used to identify an individual falls within the scope of Law 1581/2012.

Are data owners required to register with the relevant authority before processing data?

No. However, data controllers must record with the National Database Registry information regarding how they process the personal data of individuals in each database in which such data is stored.

The deadline for data controllers which are entities incorporated in Colombia (or mixed economy entities) to register existing databases is January 31 2018. The registration deadline for data controllers who are individuals is January 31 2019. For databases created after these deadlines, there is a two-month registration deadline from the date on which the database is established.

Data controllers incorporated and located outside Colombia must also comply with this obligation. However, the Superintendence of Industry and Commerce has not made the registry platform accessible for this type of data controller.

Is information regarding registered data owners publicly available?

Under Law 1581/2012, ‘data subjects’ are defined as the owners of personal data. If ‘data owners’ is used to mean data controllers (which are the custodians, but never the owners, of personal data), such information is publicly available in the National Database Registry. The only information included in the registry which is not publicly available concerns:

  • security measures;
  • complaints submitted by data subjects; and
  • details of security incidents (ie, data breaches).

Is there a requirement to appoint a data protection officer?

Yes.

Enforcement

Which body is responsible for enforcing data protection legislation and what are its powers?

The Superintendence of Industry and Commerce is the most important data protection authority for the enforcement of:

  • Law 1266/2008 (a statutory law that regulates Article 15 of the Constitution with regard to the data privacy rights of individuals and legal entities exclusively as they pertain to credit history reporting and consultation with credit bureaus); and
  • Law 1581/2012 (Colombia’s most comprehensive statutory general data protection law, which governs all processing of personal data of individuals).

Under Article 17 of Law 1266/2008, the Superintendence of Industry and Commerce must:

  • issue instructions and orders under the law concerning the administration of financial, credit and commercial services (including those originating in third countries) and establish the criteria that enables compliance therewith and the procedures for their application;
  • ensure that Law 1266/2008 is upheld;
  • ensure that data processing operators and sources have a security system and any other technical capabilities needed to protect and update records and avoid their adulteration, loss, consultation or unauthorised use;
  • order data processing operators, sources or users to undertake external audits of systems to verify their compliance with Law 1266/2008;
  • order ex officio, or by petition of a party, the correction, update or removal of personal data when appropriate, in accordance with Law 1266/2008. When requested by a party, it must be certified before the superintendence that a claim process has been completed using the same facts and that this process was not tampered with unfavourably; and
  • initiate ex officio or by petition of a party an administrative investigation against data processing operators, sources or users of financial, credit or commercial services (including those originating in third countries) in order to establish whether administrative liability arises from non-compliance with Law 1266/2008 or the orders and instructions issued by the surveillance agency and impose penalties or order pertinent measures if applicable.

Under Article 21 of Law 1581/2012, the Superintendence of Industry and Commerce must:

  • ensure compliance with personal data protection legislation;
  • carry out investigations ex officio or on request of a party and, as a result, order relevant measures to enforce the habeas data right. If this right has been breached, the superintendence may order the correction, update or deletion of the data subject’s data;
  • order the temporary blocking of data when, through evidence provided by the data subject, an actual risk of violation of his or her fundamental rights is identified and the data block is required to protect such data until a final decision has been made;
  • promote and disseminate details of the rights of individuals concerning the processing of personal data and implement educational campaigns to train and inform citizens on how to exercise their rights and guarantee their right to data protection;
  • provide instructions concerning the measures and procedures required to adapt the operations of data controllers and processors to comply with the law;
  • request that data controllers and processors provide the required information for the effective exercise of their duties;
  • provide statements about international data transfers;
  • monitor the National Database Registry and issue the required orders and acts to enable its operation and administration;
  • suggest or recommend adjustments, corrections or amendments to regulations concerning technological, information or communication developments;
  • request the cooperation of international or foreign entities when the rights of data subjects outside Colombia are affected due to the international collection of personal data; and
  • carry out any other duties assigned by law.

The Superintendence of Finance enforces Law 1266/2008 as regards data protection for financial institutions. For all other entities, the Superintendence of Industry and Commerce enforces data protection under Law 1266/2008.

Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

Personal data can be processed once data subjects have granted their prior, express and informed consent under the general principle contained in:

  • Law 1266/2008 (the statutory law that regulates Article 15 of the Constitution concerning the data privacy rights of individuals and legal entities exclusively as they pertain to credit history reporting and consultation with credit bureaus); and
  • Law 1581/2012 (Colombia’s most comprehensive statutory general data protection law, which governs all processing of personal data of private individuals).

Law 1581/2012 provides that consent is not required for:

  • information needed by a public or administrative entity or judicial order;
  • public data;
  • medical or health emergencies;
  • data processing authorised by law for historical, statistical or scientific purposes; or
  • data relating to an individual’s civil status.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

The general principle contained in Law 1581/2012 is that personal data can be stored for as long as the reason for which it was collected remains relevant.

Special laws establish document retention periods, which can affect the general principle regarding:

  • medical records;
  • documents pertaining to retirement payments made by employers to the general social security system for the benefit of their employees; and
  • trade or commercial documents.

Do individuals have a right to access personal information about them that is held by an organisation?

Yes. This right is expressly provided for by Article 15 of the Constitution and Article 8(a) of Law 1581/2012.

Do individuals have a right to request deletion of their data?

Yes. This right is expressly provided for by Article 15 of the Constitution and Article 8(e) of Law 1581/2012.

Consent obligations

Is consent required before processing personal data?

Yes. Prior, informed and express consent is required for the lawful processing of personal data.

If consent is not provided, are there other circumstances in which data processing is permitted?

Law 1581/2012 provides that consent is not required for:

  • information required by a public or administrative entity or judicial order;
  • public data;
  • information required in medical or health emergencies;
  • data processing authorised by law for historical, statistical or scientific purposes; or
  • data relating to an individual’s civil status.

What information must be provided to individuals when personal data is collected?

The following information must be provided to individuals when their personal data is collected:

  • the data controller’s name or business name and contact details;
  • the reasons for which the data will be processed;
  • details of the rights to which the data subject is entitled;
  • details of the data controller’s mechanisms to inform the data subject about its privacy policies and any substantial changes that occur thereto. In all cases, the data controller must inform the data subject how he or she can access or consult its privacy policies; and 
  • in the case of sensitive personal data, a data controller’s privacy notice must provide details of the optional nature of answering questions relating to this type of data.

Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

Yes. Articles 17(d) and 18(b) of Law 1581/2012 provide that data controllers and processors must maintain personal data under the required conditions to prevent its use, adulteration, loss or unauthorised or fraudulent consultation.

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

No. However, the Data Protection Authority’s accountability guidelines regarding the processing of personal data state that data controllers and processors must establish a management system for any potential security incidents involving personal data stored in their databases. This system should require that any such breach (and details of any measures taken to minimise its impact) be reported to the Superintendence of Industry and Commerce and the data subjects in question.  

While notifying data subjects is not mandatory, it is suggested best practice under the accountability guidelines. There are no penalties for non-compliance with the accountability guidelines. However, if the Superintendence of Industry and Commerce finds during an investigation that the data controller or processor under review has followed the accountability guidelines, more lenient penalties must be applied.

Are data owners/processors required to notify the regulator in the event of a breach?

Yes. Articles 17(n) and 18(k) of Law 1581/2012 provide that any security breach and risk to the management of data must be reported to the Data Protection Authority.

Electronic marketing and internet use

Electronic marketing

Are there rules specifically governing unsolicited electronic marketing (spam)?

No. General data protection laws apply (ie, Law 1581/2012 and Decree 1377/2013) and the delivery of unsolicited electronic marketing therefore breaches such laws.

Cookies

Are there rules governing the use of cookies?

No. General data protection laws apply (ie, Law 1581/2012 and Decree 1377/2013) and the unauthorised use of cookies therefore breaches such laws.

Data transfer and third parties

Cross-border data transfer

What rules govern the transfer of data outside your jurisdiction?

Personal data cannot be transferred to countries which fail to provide adequate levels of protection, unless one of the following exceptions applies:

  • the data subject has expressly and clearly granted consent for the transfer of the data in question;
  • the data transfer of medical information is required for public health reasons;   
  • the data transfer involves the exchange of financial information in connection with transfers or banking operations according to the applicable legislation;
  • the data transfer complies with an international treaty to which Colombia is a party, on the basis of the reciprocity principle;
  • the transfer of personal data is required for the execution of a contract between the data subject and the data controller or for the execution of pre-contractual activities, provided that the data subject has granted consent;
  • the transfer of personal data is required for the execution of a contract between the data subject and the data controller; or
  • the transfer of data is legally required to protect the public interest or for the recognition, exercise or defence of rights in the course of a legal action. 

Are there restrictions on the geographic transfer of data?

Yes. Personal data cannot be transferred to countries which fail to offer adequate levels of protection. Through Circular 5/2017, the Superintendence of Industry and Commerce issued the criteria for a country to be considered to have adequate levels of protection. These include the existence of:

  • laws applicable to the processing of personal data;
  • laws or rules establishing the principles applicable to the processing of personal data;
  • laws or rules regarding the rights of data subjects;
  • laws or rules imposing obligations on data controllers and processors;
  • administrative and judicial mechanisms for data subjects to exercise their rights and for data protection laws to be enforced; and
  • public authorities that effectively supervise compliance with and the enforcement of data protection laws and the rights of data subjects.

Circular 5/2017 includes a preliminary list of countries which have been deemed to meet such criteria:

  • Germany;
  • Austria;
  • Belgium;
  • Bulgaria;
  • Cyprus;
  • Costa Rica;
  • Croatia;
  • Denmark;
  • Slovakia;
  • Slovenia;
  • Estonia;
  • Spain;
  • the United States;
  • Finland;
  • France;
  • Greece;
  • Hungary;
  • Ireland;
  • Iceland;
  • Italy;
  • Latvia;
  • Lithuania;
  • Luxembourg;
  • Malta;
  • Mexico;
  • Norway;
  • the Netherlands;
  • Peru;
  • Poland;
  • Portugal;
  • the United Kingdom;
  • the Czech Republic;
  • South Korea;
  • Romania;
  • Serbia;
  • Sweden; and
  • countries that the European Commission has declared to have an adequate level of protection.

Circular 5/2017 highlights that even if a country is included in the above list, data controllers must be able to show the Superintendence of Industry and Commerce that they have taken effective measures to process personal data:

  • adequately and in an accountable way; and
  • through the application of the accountability principle.

Third parties

Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

Yes. Prior, express and informed consent must be obtained. Alternatively, the data controller can enter a data transmission agreement that meets Decree 1377/2013’s content requirements.

Penalties and compensation

Penalties

What are the potential penalties for non-compliance with data protection provisions?

A breach of Law 1266/2008 may result in the following penalties:

  • Personal and institutional fines may be imposed up to the equivalent of 1,500 times the legal monthly wage at the time that the penalty is imposed for a violation of the law and the non-observance of the corresponding orders and instructions provided by the Superintendence of Industry and Commerce or Finance. These fines may be repeated if the non-compliance persists.
  • The activities of the data controller in question may be suspended for up to six months if information management is carried out in serious violation of the law and the corresponding instructions provided by the Superintendence of Industry and Commerce or the Superintendence of Finance are not observed.
  • Data controllers may have their operations shut down at the end of the suspension period if they have failed to adapt their technical and logistical operations and rules and procedures to meet the law’s requirements, in accordance with the resolution that ordered the suspension. The immediate and definitive shutdown of the operations of data controllers which administer prohibited data may also be ordered.

A breach of Law 1581/2012 can result in the following penalties:

  • Personal and institutional fines as high as 2,000 times the monthly legal minimum may be imposed. Fines can be repeated if the violation is not remedied.
  • Data processing activities may be suspended for six months. In this context, the Data Protection Authority will inform the data controller of the corrective measures that must be taken.
  • Operations concerning data processing may need to be shut down temporarily if, after the suspension term, the data controller has failed to satisfy the corrective measures ordered by the Superintendence of Industry and Commerce.
  • The immediate and definitive shutdown of data processing operations may be ordered where a breach of Law 1581/2012 involves the processing of sensitive data.

Compensation

Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?

A data subject can submit a civil action for damages caused as a consequence of a data controller's breach of data protection laws. However, no compensation can be claimed for administrative investigations conducted by the Data Protection Authority.

Cybersecurity

Cybersecurity legislation, regulation and enforcement

Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?

Yes. The Criminal Code was amended by Law 1273/2009 to include a cybercrime chapter.

What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?

N/A.

Which cyber activities are criminalised in your jurisdiction?

The following cyber activities are criminalised in Colombia.

Abusive access to a computer system

Under Article 269A of the Criminal Code, accessing a computer system, either totally or partially, without authorisation or the required security clearance, or against the will of whoever has the legitimate right to exclude the accessor, is subject to criminal prosecution.

Illegitimate impairment of a computer system or telecommunication network

Under Article 269B of the Criminal Code, preventing or impairing the function of or normal access to a computer system, the data contained therein or a telecoms network without authorisation to do so is subject to criminal prosecution.

Computer damage

Under Article 269D of the Criminal Code, destroying, damaging, deleting, weakening, altering or suppressing computer data or a data processing system (or its parts or logical components) without authorisation to do so is subject to criminal prosecution.

Malware use

Under Article 269E of the Criminal Code, producing, trafficking, purchasing, distributing, selling, delivering, introducing or extracting malware is subject to criminal prosecution.

Personal data violation

Under Article 269F of the Criminal Code, obtaining, compiling, subtracting, offering, intercepting, disclosing, modifying or using personal codes or personal data contained in indexes, files, databases or similar media without authorisation to do so, and for personal benefit or the benefit of a third party, is subject to criminal prosecution.

Website impersonation to capture personal data

Under Article 269G of the Criminal Code, designing, developing, trafficking, selling, executing, programming or delivering electronic pages, links or pop-up windows with illicit purposes and without the authorisation to do so – as well as modifying the domain name resolution system so that the user believes he or she is entering his or her bank or another personal or trusted site – is subject to criminal prosecution.

Theft through computer mechanisms or similar

Under Article 269I of the Criminal Code, theft by breaching computer security measures, manipulating a computer system or an electronic, telematic or similar system or network, or impersonating a user without authorisation to do so is subject to criminal prosecution.

Unauthorised transfer of assets

Under Article 269J of the Criminal Code, transferring data in an unauthorised manner that damages a third party through computer manipulation or a similar mechanism for profit – as well as the manufacture, introduction, holding or facilitation of computer software to commit an unauthorised transfer of assets or fraud – is subject to criminal prosecution.

Which authorities are responsible for enforcing cybersecurity rules?

The general prosecutor's office and the criminal courts are responsible for enforcing cybersecurity rules.

Cybersecurity best practice and reporting

Can companies obtain insurance for cybersecurity breaches and is it common to do so?

Yes, but this is uncommon.

Are companies required to keep records of cybercrime threats, attacks and breaches?

No.

Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?

Yes. Where a cybersecurity event involves personal data, it will be considered to be a data breach under Law 1581/2012 and will therefore need to be reported to the Superintendence of Industry and Commerce.

Are companies required to report cybercrime threats, attacks and breaches publicly?

No.

Criminal sanctions and penalties

What are the potential criminal sanctions for cybercrime?

Abusive access to a computer system

Under Article 269A of the Criminal Code, the penalty for the unlawful access to a computer system is 48 to 96 months in prison and a fine ranging from 100 to 1,000 minimum legal monthly salaries (the minimum monthly salary is indexed annually). The minimum salary for 2017 is Ps737,717 (approximately $246).

Illegitimate impairment of a computer system or telecommunication network

Under Article 269B of the Criminal Code, the penalty for unauthorised impairment of a computer system or telecoms network is 48 to 96 months in prison and a fine ranging from 100 to 1,000 minimum legal monthly salaries if the behaviour does not constitute a felony that requires a higher penalty.

Computer damage

Under Article 269D of the Criminal Code, the penalty for computer damage is 48 to 96 months in prison and a fine ranging from 100 to 1,000 minimum legal monthly salaries.

Malware use

Under Article 269E of the Criminal Code, the penalty for malware use is 48 to 96 months in prison and a fine ranging from 100 to 1,000 minimum legal monthly salaries.

Personal data violation

Under Article 269F of the Criminal Code, the penalty for personal data violation is 48 to 96 months in prison and a fine ranging from 100 to 1,000 minimum legal monthly salaries.

Website impersonation to capture personal data

Under Article 269G of the Criminal Code, the penalty for website impersonation in order to capture personal data is 48 to 96 months in prison and a fine ranging from 100 to 1,000 minimum legal monthly salaries if the behaviour does not constitute a felony that carries a higher penalty. The described penalty will be increased by one-third to one-half if the perpetrator has recruited victims to commit the felony in question.

The criminal penalties under Articles 269A to 269G of the Criminal Code will be increased by three-quarters if the criminal conduct is carried out:

  • by a domestic or foreign state official or with regard to a financial system computer or communications network or system;
  • by a public officer in the exercise of his or her duties;
  • to take advantage of the holder’s trust or that of someone who has a contractual relationship with the latter;
  • to reveal or disclose the content of the information in order to damage a third party;
  • to obtain a personal benefit or a benefit for a third party;
  • for terrorist purposes or to cause risk to national security or defence; and
  • to use a bona fide third party as a tool.

If the party involved in the behaviour is responsible for the administration, management or control of said information, it will also be barred from practising any profession relating to data processing for up to three years.

Theft through computer mechanisms or similar

Under Article 269I of the Criminal Code, the penalty for theft through computer mechanisms is six to 14 years in prison.

Unauthorised transfer of assets

Under Article 269J of the Criminal Code, the penalty for the unauthorised transfer of assets is 48 to 120 months in prison and a fine of 200 to 1,500 monthly legal minimum salaries if the behaviour does not carry a higher penalty.

The penalty for the felonies described in Articles 269I and 269J will be increased by 50% if the amount in question is more than 200 minimum legal monthly salaries.

What penalties may be imposed for failure to comply with cybersecurity regulations?

N/A.