After its first data protection law came into force in April this year, Colombia has now introduced implementing regulations (Decree No. 1377). The legislation, which was released in late June, provides greater clarity on a number of areas contained in the data protection law (Statute Law No. 1581). The regulation sets out the information that must be given to data subjects, consent requirements and when cross-border transfers are allowed, which Colombia’s data protection authority José Alejandro Bermúdez Durana, has characterised as being “elastic and business-friendly”.
The regulation also requires organisations acting as a data controller to provide individual’s access to their data by providing a description of the way data is collected, stored and processed as well as the reasons for collecting the data. All privacy policies are to be written using plain language with information about how individuals can exercise their rights and setting out the purpose for which data is collected and length of time data will be kept.
The legislation clarifies the methods that can be used to obtain consent, which cover automatic means and consent obtained through unequivocal conduct. Consent may not be implied from silence nor from past conduct, so controllers must obtain consent to continue using existing data. Organisations should, however, take some solace from the regulations permitting the use of alternative methods where seeking consent would be unrealistic.
Controllers were only given 30 days to institute consent mechanisms, after which they were required to give individuals 30 days to request that their data no longer be processed. Only if controllers do not hear from individuals after the 30-day period may they continue to use the data.
Consent must also be obtained for new processing, and, of course, individuals may revoke their consent at any time, and controllers must then remove the data, unless it is required to be retained under legal or contractual obligations.
The regulation also requires that data may only be kept for as long as is “reasonable and necessary”. International transfers of data are only allowed where there is ‘adequate protection’, much like in the EU, or where the Colombia authority provides that a country’s laws provide such protection. Something unusual in the regulations, however, is that collection of data relating to minors (those under the age of 18) is banned unless the data is of a “public nature”. Non-compliance could result in a maximum fine of approximately $612,000.