On October 17, 2012, Colombia enacted a new Data Protection Law which will regulate data collection and processing of personal data both within the Colombian territory and extraterritorially.

The law generally follows the EU approach including, amongst other provisions, cross-border data transfer restrictions where the destination country’s data protection is not deemed “adequate”, as well as the requirement for express and informed consent prior to processing of personal data.

The new law also prohibits processing special categories of data, including sensitive personal data, which has the same definition as within the EU, but adds a new category of ‘Minors and Teenage’ data, unless that data is deemed to be in the public domain.

Organisations have a period of six months from the date of enactment before they must be compliant with Colombia’s new data protection law.