Law and the regulatory authority

Legislative framework

Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments on privacy or data protection?

The legislative framework for the protection of personally identifiable information in Colombia can be summarised as follows:

  • Article 15 of the Constitution, which establishes the fundamental right to data privacy;
  • Law 1266/2008, which is the statutory law that regulates Article 15 of the Constitution with regard to the data privacy rights of individuals and legal entities exclusively as they pertain to credit history reporting and consultation with credit bureaus;
  • Law 1273/2009, which added the crime of unlawful and unauthorised personal data processing to the Criminal Code;
  • Law 1581/2012 (the Data Protection Law), which is the most comprehensive statutory general data protection law in Colombia and governs all personal data processing;
  • Decree 1377/2013, which is the Data Protection Law's most extensive and comprehensive secondary regulation;
  • Decree 886/2014, which regulates the National Database Registry administered by the data protection authority;
  • Decree 1759/2016, which extended the deadline for Colombian data controllers that are legal entities to register with the National Database Registry to 30 June 2017; and
  • Decree 1115/2017, which extended the deadline for Colombian data controllers that are legal entities to register with the National Database Registry to 31 January 2018.

Data protection authority

Which authority is responsible for overseeing the data protection law? Describe the investigative powers of the authority.

The Superintendence of Industry and Commerce (SIC) is Colombia’s data protection authority. The SIC has powers of surveillance over companies that process personal data to ensure compliance with the Data Protection Law and Law 1266/2008 concerning data on credit history reporting and consultation.

The SIC has powers of surveillance over data processors, users and information sources regulated by the Financial Superintendence Law.

According to the Data Protection Law, the SIC must:

  • ensure compliance with the Data Protection Law;
  • carry out investigations and order the measures necessary to protect habeas data rights. If a habeas data right is at risk, the SIC may order the temporary blocking of data where necessary to protect fundamental rights;
  • promote the protection of personal data by developing educational campaigns for data subjects to understand their rights;
  • order data processors to adopt security measures to ensure the protection of personal data;
  • issue information requests to data processors when needed; and
  • manage the National Public Registry of Databases.

Legal obligations of data protection authority

Are there legal obligations on the data protection authority to cooperate with other data protection authorities, or is there a mechanism to resolve different approaches?

While there are no legal obligations in this regard, the SIC is not restricted from doing so.

Breaches of data protection

Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?

The SIC can start administrative investigations ex officio or following a request from a data subject. Collecting and processing personal data without complying with the Data Protection Law can result in the following penalties:

  • fines of up to approximately $523,080;
  • suspension of activities relating to the processing of personal data for up to six months; and
  • the immediate and definitive closure of operations that involve the processing of personal data.

In addition, Title VIIbis of the Criminal Code specifically addresses the protection of information and data. According to Articles 269A to 269J, cybercrimes can be punished with imprisonment of between four and 10 years and fines of between $27,000 and $270,000. Potentially infringing actions include:

  • the unauthorised access of computer data and networks;
  • denial-of-service attacks;
  • the interception of computer data;
  • the unlawful damage of computer data;
  • the use of malicious code;
  • personal data breaches; and
  • phishing and financial theft.

Scope

Exempt sectors and institutions

Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?

In general, all public and private entities that process personal data must comply with Law 1581/2012 (the Data Protection Law). However, the following are exempt from its application:

  • databases or information in a personal or domestic context with personal or domestic aims;
  • databases or archives with national defence and security functions (eg, the prevention, monitoring and inspection of money laundering and terrorist financing);
  • databases that have intelligence or counterintelligence functions or that contain information in that regard; and
  • information or databases containing press information and editorial content.

Communications, marketing and surveillance laws

Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.

Data protection laws apply to any activity that involves personal data. However, these activities have the following specific regimes:

  • the surveillance of individuals – Decree-Law 356/1994;
  • electronic marketing – Law 1480/2011; and
  • the interception of communications – Decree-Law 1704/2012 and Law 599/2000 (the Criminal Code).

Other laws

Identify any further laws or regulations that provide specific data protection rules for related areas.

Laws or regulations that provide specific data protection rules for related areas include:

  • Article 15 of the Constitution, which establishes the fundamental right to data privacy;
  • Law 1266/2008, which is the statutory law that regulates Article 15 of the Constitution with regard to the data privacy rights of individuals and legal entities exclusively as they pertain to credit history reporting and consultation with credit bureaus;
  • the Criminal Code; and
  • Resolution 2881, which establishes transparency rules for reporting data on payments and transfers of value.

PII formats

What forms of PII are covered by the law?

The data protection law covers all types of personal data, meaning any information that can relate to or identify a specific person.

Extraterritoriality

Is the reach of the law limited to PII owners and processors of PII established or operating in the jurisdiction?

No. The data protection law applies to any private or public entity that processes data of Colombian residents, irrespective of whether the entity is located in Colombia.

Covered uses of PII

Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide PII processing services to owners? Do owners’, controllers’ and processors’ duties differ?

The owners of personal data, regardless of whether it will be shared or transferred, are always the persons to whom such data relates and who can be identified by it.

Other parties may have control over and process such data; however, they will never be classified as the owners of such data. The obligations on data controllers and processors may differ slightly, but the main requirements are the same. For example, data processors must ensure that information is up to date following a notification from data controllers of any changes in that regard. Similarly, data controllers must notify data processors of any changes to the information being processed. In addition, data processors must guarantee data controllers that they will apply all necessary security measures to ensure that data is protected.

The main obligations for data processors and controllers are:

  • guaranteeing that data subjects can effectively exercise their rights over personal data;
  • adopting an internal manual on data privacy policies and procedures to protect such data;
  • guaranteeing that information will be used only following authorisation by data subjects;
  • guaranteeing the security of data and protecting it from unauthorised access, use or modification and from the loss of information and deletion; and
  • informing the Superintendence of Industry and Commerce of any data breaches or incidents that could pose a risk to personal data.

In addition, data controllers must inform data subjects regarding what information will be collected, the purposes for the collection of that information and the way it will be processed. Data controllers must keep copies of authorisation from data subjects.

Legitimate processing of PII

Legitimate processing – grounds

Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?

Article 9 of Law 1581/2012 (the Data Protection Law) determines that data subjects must provide prior and express consent for the collection and processing of their personal data. Article 12 of the law states that in order to provide consent, data subjects must be informed of:

  • the purposes for which their personal data will be used;
  • how their data will be processed; and
  • the data controller’s contact details.

Since this information must be present in privacy policies, data subjects must have access to it before providing consent.

Legitimate processing – types of PII

Does the law impose more stringent rules for specific types of PII?

Yes. Article 5 of the Data Protection Law defines ‘sensitive data’ as data whose use may result in discrimination (eg, data revealing ethnic or racial origin, philosophical, political or religious convictions, or data relating to an individual’s sexual orientation or health). The processing of this data is prohibited, unless data subjects have expressly accepted the processing of this specific information.

Data handling responsibilities of owners of PII

Notification

Does the law require owners of PII to notify individuals whose PII they hold? What must the notice contain and when must it be provided?

Data subjects must always provide prior, informed and express consent for anyone to process their information. Therefore, notifications do not apply under Colombian law, except to inform data subjects of a change in a data privacy policy for which they would need to provide updated consent.

Exemption from notification

When is notice not required?

N/A.

Control of use

Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?

Article 9 of Law 1581/2012 (the Data Protection Law) determines that data subjects must provide prior and express consent for the collection and processing of their personal data. Article 12 of the law states that in order to provide consent, data subjects must be informed of:

  • what their personal data will be used for;
  • how their data will be processed; and
  • the data controller’s contact information.

This information must be present in privacy policies and data subjects must have access to it before providing consent.

In this sense, data subjects must always be in control of how their information is used and it must never be used for purposes different than those that they have authorised.

In addition, data subjects can always request the deletion of their personal data and revoke consent for its processing.

Data accuracy

Does the law impose standards in relation to the quality, currency and accuracy of PII?

Personal information must always be accurate. Data subjects can request to update, modify or delete their information when needed. Hence, data processors and controllers must update their databases when changes to personal data occur.

Amount and duration of data holding

Does the law restrict the amount of PII that may be held or the length of time it may be held?

There is no specific time limit for holding personal information. However, it can be stored only for the duration of the purpose for which it was processed. Data subjects can request the deletion of their data before this time.

Finality principle

Are the purposes for which PII can be used by owners restricted? Has the ‘finality principle’ been adopted?

Personal data can be used only for the purposes authorised by data subjects.

Use for new purposes

If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?

If new purposes arise after data subjects have provided consent for the use of their personal data, data processors must request a new authorisation for the new specific purposes. If data subjects do not provide consent, processors will be unable to use it for the new purposes.

Security

Security obligations

What security obligations are imposed on PII owners and service providers that process PII on their behalf?

Data processors must guarantee that all of the reasonable measures needed to protect personal information from being modified, lost, accessed or used without authorisation have been established. They must also issue a procedural plan or manual on how to act or manage situations in which information may be at risk.

Notification of data breach

Does the law include (general or sector-specific) obligations to notify the supervisory authority or individuals of data breaches? If breach notification is not required by law, is it recommended by the supervisory authority?

According to Articles 17 and 18 of Law 1581/2012 (the Data Protection Law), data processors and controllers must inform the Superintendence of Industry and Commerce of any data breaches or incidents that may put personal information at risk, regardless of whether the data subjects have been affected.

Internal controls

Data protection officer

Is the appointment of a data protection officer mandatory? What are the data protection officer’s legal responsibilities?

Yes. According to Article 32 of Decree 1377/2013, a data officer or party that acts as a data officer must be appointed in order to process any requests for information, deletion or modification from data subjects and guarantee the rights of data subjects over their personal information.

Record keeping

Are owners or processors of PII required to maintain any internal records or establish internal processes or documentation?

Data processors and controllers must have a privacy policy and security manual to ensure compliance with Law 1581/2012 (the Data Protection Law), including the procedures for requests from data subjects.

In addition, data controllers must always keep a copy of the authorisation provided by data subjects.

New processing regulations

Are there any obligations in relation to new processing operations?

Yes. All obligations previously explained apply to the processing of personal data.

Registration and notification

Registration

Are PII owners or processors of PII required to register with the supervisory authority? Are there any exemptions?

Yes. Under Decree 90/2018, companies with a total income of 100,000 tax value units (approximately $1,014,225) must register their databases in the National Registry of Databases.

Formalities

What are the formalities for registration?

Registration is done on the Superintendence of Industry and Commerce’s (SIC’s) website. In order to register, data controllers must provide details of their internal policies for the treatment and processing of personal data. According to Chapter 26 of Decree 1074/2015, registration applications must include the following information:

  • personal and contact information of the person responsible for processing data and the person in charge of the database;
  • the contact points for data subjects to exercise their rights over their personal data;
  • the name and purpose of the database;
  • details of how data will be processed; and
  • details of the policy for the treatment of personal information.

Information on the SIC’s registry must always be up to date and data processors must update any relevant information when changes occur in that regard.

Penalties

What are the penalties for a PII owner or processor of PII for failure to make or maintain an entry on the register?

Failure to comply with the obligation to register or update a database can lead to the following penalties:

  • fines of up to approximately $523,080;
  • a suspension of activities relating to the processing of personal data for up to six months; and
  • the immediate and definitive closure of operations involving the processing of personal data.

Refusal of registration

On what grounds may the supervisory authority refuse to allow an entry on the register?

The SIC cannot block changes to the registry, as it is obliged to keep it up to date.

Public access

Is the register publicly available? How can it be accessed?

Yes. According to Article 25 of Law 1581/2012 (the Data Protection Law), the registry is public and can be accessed by anyone via the SIC’s website. However, the registry contains only information about the registered databases, not their contents.

Effect of registration

Does an entry on the register have any specific legal effect?

The aim of the registry is for the SIC to control and monitor the processing of personal data. In order to use the registry, data controllers and processors must provide their internal data processing policies, with which they must comply.

Other transparency duties

Are there any other public transparency duties?

There are no additional transparency rules other than those already outlined.

Transfer and disclosure of PII

Transfer of PII

How does the law regulate the transfer of PII to entities that provide outsourced processing services?

In order to transfer personal data, data subjects must have provided previous, express and informed consent to do so.

If a company to which data is being transferred applies the same data privacy policy, the initial and express consent provided by data subjects to transfer data to other parties is sufficient (this is legally known as ‘transmission’). However, if a company to which data is being transferred applies a different data privacy policy or uses data for different purposes, the new data privacy policy must be disclosed to data subjects and new prior, express and informed consent must be provided (this is legally known as ‘transfer’).

Restrictions on disclosure

Describe any specific restrictions on the disclosure of PII to other recipients.

Personal data can be disclosed only if the data subject has provided prior, informed and express consent to do so.

Cross-border transfer

Is the transfer of PII outside the jurisdiction restricted?

Personal data can be transferred to jurisdictions that have appropriate levels of privacy protection according to the Superintendence of Industry and Commerce (SIC). However, if data subjects have provided prior, express and informed consent to transfer their data to jurisdictions that apply different data privacy policies, it can still be transferred.

Further, if a company to which data is being transferred applies the same data privacy policy as the company to which initial and express consent was provided, that consent is sufficient for the transfer of data to other parties. However, if a company to which data is being transferred applies a different data privacy policy or uses the data for different purposes than those agreed to by data subjects, the new data privacy policy must be disclosed and new prior, express and informed consent must be provided.

Notification of cross-border transfer

Does cross-border transfer of PII require notification to or authorisation from a supervisory authority?

No.

Further transfer

If transfers outside the jurisdiction are subject to restriction or authorisation, do these apply equally to transfers to service providers and onwards transfers?

The data protection authority does not need to be informed of or authorise such data transfers.

Rights of individuals

Access

Do individuals have the right to access their personal information held by PII owners? Describe how this right can be exercised as well as any limitations to this right.

Yes. Data subjects can always request access to their personal data. Such requests are processed by data protection officers or company departments.

Other rights

Do individuals have other substantive rights?

Yes. Data subjects have the right to correct, modify and know what information is being processed and to request its deletion and revoke the authorisation to process said data.

Compensation

Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury to feelings sufficient?

If data subjects can demonstrate damages that resulted from the misuse of their data, they may claim compensation.

Enforcement

Are these rights exercisable through the judicial system or enforced by the supervisory authority or both?

These rights are enforced by the Superintendence of Industry and Commerce, which is the main data protection authority.

Exemptions, derogations and restrictions

Further exemptions and restrictions

Does the law include any derogations, exclusions or limitations other than those already described? Describe the relevant provisions.

N/A.

Supervision

Judicial review

Can PII owners appeal against orders of the supervisory authority to the courts?

Data processors and controllers can appeal Superintendence of Industry and Commerce (SIC) orders. The appeal will be reviewed by the head of the SIC delegation that issued the original order.

Specific data processing

Internet use

Describe any rules on the use of ‘cookies’ or equivalent technology.

All users and consumers must be informed when accessing a website or platform that uses cookies.

Electronic communications marketing

Describe any rules on marketing by email, fax or telephone.

In order to contact a consumer for marketing purposes by email, fax or phone, the consumer must have provided prior, informed and express consent for the company to use their data for marketing purposes.

Cloud services

Describe any rules or regulator guidance on the use of cloud computing services.

Regardless of the platform on which data is stored, data processors or controllers must guarantee that personal information is protected from unlawful or unauthorised access, use, manipulation or loss. In this sense, Law 1581/2012 also applies to data stored in the cloud.

Update and trends

Key developments of the past year

Are there any emerging trends or hot topics in international data protection in your jurisdiction?

N/A.

Law stated date

Correct on

Give the date on which the information above is accurate.

21 June 2019.