Colombia's data protection law of 2012 recently went into full effect, following a six-month phase-in period. The law covers consumer databases used for marketing or telemarketing purposes, those containing medical records, and those that contain information about minors. Among the law's requirements – which closely mirror those found in European countries – companies will typically need to obtain consent from consumers to use their information, and must register databases containing personal information with Colombia's Data Protection Authority. Companies are also required to give consumers the right to access update their personal information, and to have it removed from the company's databases. The law provides for fines for violations. Similar to the EU's data protection laws, companies may only transfer personal information overseas to countries deemed to have data protection frameworks at least as stringent as those that exist in Colombia, except in certain limited situations. The law is enforced by the country's Data Protection Authority within the Superintendency of Industry and Commerce, who will implement regulations under the law in the coming months.
TIP: We will continue to monitor this new law, including the upcoming regulations, to see what impact it will have on non-Colombian companies. Of particular interest will be the consumer notice provisions, the requirement to register as a data collector with Colombian authorities, and the restrictions on transfers to entities outside of Columbia.