Ana María Calero Pinero, an associate with Brigard & Urrutia, a Colombian law firm, contributed to this article.
The Colombian Data Protection Authority (the Superintendence of Industry and Commerce, or SIC) has issued regulations requiring all data controllers that are (i) private legal entities registered in Chambers of Commerce in Colombia (i.e., incorporated in Colombia) or (ii) partially government owned corporations (“sociedades de economía mixta”) to register their databases by November 8th, 2016. The regulations were issued on November 3, 2015, and the National Database Registry (the “Registry”) required by Colombian data protection laws was enabled on November 9, 2015. In this post, we describe the registration requirements and potential penalties for noncompliance.
The SIC issued suggested time periods for data controllers incorporated in Colombia to register. The time periods are based on the last two digits of data controllers’ Tax Identification Numbers (“TINs”) without the confirmation numbers:
00-24: November 9, 2015 – February 8, 2016 25-49: February 9, 2016 – May 10, 2016 50-74: May 6, 2016 – August 8, 2016 75-99: August 9, 2016 – November 8, 2016
Databases created after November 8, 2016, must be registered within two (2) months of the date of creation.
Registration involves reporting the following:
- Name and purpose of the database.
- Identification, location, and contact information of the data controller.
- Identification, location, and contact information of any Data Processors involved in processing the database.
- The channels through which data subjects may exercise their rights.
- Form of processing of the database (manual and/or automatized).
- The types of information stored in the database, classified into the categories and subcategories defined in the Registry.
- Information security measures.
- Source of the personal data. Data controllers must report if the personal data contained in databases was obtained directly from data subjects or obtained from third parties. And data controllers must report that they have obtained the prior, express and informed consent from data subjects or are processing personal data pursuant to an exception under Law 1581 of 2012.
- International transfers of personal data processed in the database (from either a data controller or a data processor to a data controller).
- International transmissions of personal data performed (from a data controller to a data processor).
- Information about assignments or domestic transfers of personal data.
Registration must be performed online via the following link: http://rnbd.sic.gov.co/sisi/login. The “Registry User Manual” provides additional information about how to register and the information that data controllers must provide.
After registration, data controllers are required to update information submitted to the Registry:
- if there is a substantial modification of the information submitted (within the first 10-business days of each month);
- if there is a modification of the information provided (annually between January 2 and March 31);
- if there are any claims filed by data subjects (biannually within the first 15-business days of February and August). The first report should be made in February 2017; and
- if there is a breach of security or a compromise of information contained in the database (within 15-business days).
The failure to register or update registration information would constitute a violation of Colombia’s Data Protection Laws. Such a violation could result in administrative sanctions, including (i) fines of up to COP$1,288,000,000 (approx. US$ 450,000) (for 2015), (ii) suspension of the activities related to processing of personal data for up to six (6) months in order to implement corrective measures, (iii) temporary closing of operations or activities related to processing of personal data if corrective measures are not implemented, or (iv) definitive closing and/or termination of operations or activities related to processing of personal data. We anticipate that the SIC will use the Registry as a benchmark for investigating and issuing sanctions related to breaches of the Data Protection Laws.