On January 19, 2018, the Colombian government issued Decree 90 of 2018, which extended the deadline for registration of databases in the National Database Registry (hereinafter "RNBD"). In addition to this, the regulation excluded certain parties from the obligation to register. The regulation continues to impose the registration obligation on data controllers only. Hence, processors are not compelled to register.
Who is obligated to register?
Entities which must comply with the obligation to register their databases in the RNBD are i) companies and non-for profit organizations which total assets exceed certain thresholds (as explained below) and ii) all public entities.
Deadlines to register databases Who is obligated? Threshold
Parties who have been excluded from the obligation to register databases
Individuals and companies which assets value does not meet the thresholds established in the regulation, are exempted from complying with the obligation to register databases in the RNBD.
What do obligated parties need to do?
Data Controllers, responsible for the processing of personal data, which meet the financial thresholds established in the regulation, must make an inventory of all automated and physical databases containing personal data of individuals.
The databases themselves are not to be uploaded to the website for the registration in the RNBD since the platform is designed to inform the SIC how data contained in them is processed.
Depending on the volume and number of databases, an adequate assessment may take between one and two months to complete.
Sanctions for failure to register
Failure to comply with the obligation to register databases with the RNBD, empowers the SIC to apply the same sanctions for non-compliance of the Colombian Data Protection Regime. Such sanctions may include:
- Fines up to 2,000 minimum statutory monthly wages, $1.562.484.000 Colombian Pesos (approximately USD $ 550.000, at current exchange rates).
- If the SIC considers that a party has materially breached Data Protection Laws, it may adopt more stringent measures, such as ordering the foreclosure (up to 6 months) of the activities related to the processing of personal data or the permanent foreclosure of such activities if the breach involves the processing of sensitive personal data. Up to date these sanctions have rarely been imposed and the delay in registering databases would probably not trigger these type of consequences.