June 2023

1. Governing Texts

The main legislation related to data protection in Colombia is Law 1581 of 2012 (October 17) Which Issues General Provisions for the Protection of Personal Data (only available in Spanish here) ('the Personal Data Protection Law'). The Personal Data Protection Law was enacted to guarantee the constitutional right of individuals to know, update, and rectify the information that has been collected about them in databases, and to ensure that their personal data is processed in accordance with their privacy rights.

The Personal Data Protection Law applies to every public or private individual and/or corporation who carries out any type of activity that involves the processing of personal data, whether the data is collected in Colombia or abroad. Failure to comply with the Personal Data Protection Law can result in fines, penalties, and other sanctions. It is important for organizations that process personal data in Colombia to ensure that they are in compliance with the law and have appropriate measures in place to protect personal data.

1.1. Key acts, regulations, directives, bills

The fundamental right to privacy and intimacy is protected in the first chapter of the Colombian Political Constitution (only available in Spanish here) ('the Constitution')  in Article 15, which states that all individuals have the right to personal and family intimacy, the protection of their good name, as well as to know, update and rectify information that has been recollected in public and private databases. Under this definition, protection is associated with the notion of individual freedom, good name, honor, and inviolability of correspondence.

The Colombian legal system recognizes the right to intimacy as a fundamental human right, which is protected under the International Covenant on Civil and Political Rights and the American Convention on Human Rights 1969, both of which Colombia is a party. This right includes the right to control access to one's personal space and information, the right to engage in consensual sexual activity without interference, and the right to form intimate relationships with others without fear of discrimination or persecution. However, it is important to note that the exercise of this right must also be balanced with the public interest and the protection of other fundamental rights, such as the right to life, health, and public safety.

Statutory Law 1266 of 2008 (December 31) Establishes General Provisions of Habeas Data and Regulates the Management of Information Contained in Personal Databases, specifically Financial, Credit, Commercial, and Services and Derived from Third Countries and Other Provisions (only available to download in Spanish here) ('Law No. 1266 of 2008') established for the first time in Colombia the right to habeas data. Accordingly, it protects the constitutional right that every Colombian citizen has to know, update, and rectify the information that was recollected in databases, in addition to the freedom and constitutional warranties related to the recollection, treatment, and circulation of personal data.

In 2012, the Congress of the Republic of Colombia enacted the main data protection regulation by passing the Personal Data Protection Law. The Personal Data Protection Law has a comprehensive guideline of data protection and privacy law, defining the collection, use, storage, and protection of personal data in Colombia, both in the public and private sectors, the territorial application, guiding principles, types of personal data, rights of the owners of the data, procedures, among other relevant topics. The Personal Data Protection Law had automatic control by the Colombian Constitutional Court ('Constitutional Court') and was declared constitutional in the Sentence C-748 of 2011 (only available in Spanish here).

The Data Protection Law has also been further developed in the following regulations:

• Decree 1377 of 2013 (June 27) (only available in Spanish here) which Partially Regulates the Personal Data Protection Act ('Decree 1377');
• Decree 1081 of 2015 (only available in Spanish here), which regulates the Presidency of Colombia and includes data protection law dispositions; and
• Decree 255 of 2022 (only available in Spanish here), which regulates corporate binding laws in order to certify good practices in data protection law and its transfer to third countries.

It's also worth mentioning that there are other laws and regulations that apply to specific industries or types of data, such as the Health Information Protection Law (only available in Spanish here) ('Law 1438 of 2011'), and the Financial Information Protection Law (only available in Spanish here) ('Decree 2555 of 2010').

1.2. Guidelines

The main authority of data protection in Colombia, the Superintendence of Industry and Commerce ('SIC'), has produced an exhaustive list of guidelines in order to provide clarity to organizations in the implementation of the Data Protection Law. Accordingly, the following are the main guidelines in Colombia:

• The Guide for the Implementation of the Demonstrated Responsibility Principle (Accountability) (only available in Spanish here) establishes that the comprehensive personal data management program must include a risk management component that allows data controllers to identify their vulnerabilities in time and focus their resources on the adoption of risk mitigation measures, both for themselves and for data processors. Thus, having a response protocol will make it easier for organizations to act quickly and in an effective manner when any incident that affects the confidentiality, availability, and integrity of personal data arises.
• The guide named risks related to data protection treatment of kids, infants, and adolescents (only available in Spanish here) approaches the rights of kids, infants, and adolescents and what must be granted by organizations that collect their data, especially social media platforms and gaming platforms, in order to protect their rights. Other guidelines related to children's rights include a Guide to personal data treatment by private and public education entities (only available in Spanish here) and the Development of online content for adolescents (only available in Spanish here).
• The Guide for security incidents management in personal data treatment (only available in Spanish here) looks after the implementation of the security principle in order to prepare organizations for data security breaches.
• The Model for international data transfer between data controllers (only available in Spanish here) establishes model contractual clauses for the organizations to comply with the Colombian data protection law during the implementation of international data transfers.

1.3. Case law

Constitutional Court - Sentence T-260-2012 (only available in Spanish here)

The case was filed by the mother of a four-year-old, for whom the father created a profile on the social network Facebook for the minor. In the mother's opinion, the father failed to comply with the conditions indicated in the social network, especially those that prescribe that false personal information cannot be provided, creating accounts for other people without authorization, and, not using the network if they are under 13 years of age. Likewise, the mother asserted that the plaintiff not only supplants the identity of their daughter but also uses their daughter's page to discredit her as a person and hinder family peace.

The Constitutional Court ordered the defendant to cancel the aforementioned account and warned the defendant to not create a new one on any digital social network analogous to Facebook, with the personal and sensitive data of their youngest daughter. Thus, the fundamental rights of the represented minor are protected, in the context of the creation of an account in a social network of which she is unaware and which has been used to publicize a family dispute.

Constitutional Court - Sentence T-020-2014 (only available in Spanish here)

In this case, the Supreme Court of Justice maintained information on its website about a criminal sentence imposed against the plaintiff. The plaintiff argued that the post had led to acts of discrimination since they have seen several job and business opportunities frustrated as a result of those records.

The Constitutional Court specified that judicial rulings are a public document, but when they incorporate data that must be protected, as is the case with sensitive information or semi-private data, a restricted circulation rule must apply in order not to generate a disproportionate burden on the data subject. Therefore, the defendant was ordered to replace the sentence so that the name of the plaintiff cannot be identified.

Constitutional Tribunal of Colombia - Sentence T-277-2015 (only available in Spanish here)

This decision is related to the data subject’s right to erasure. In this case, there was a publication of a journalistic note in the Colombian newspaper El Tiempo which reported the capture and connection of the plaintiff to a criminal organization responsible for human trafficking, although they were never found guilty. Furthermore, the article could be found on the search engine Google.com. Therefore, the plaintiff alleged a violation of their fundamental rights to a good name, privacy, due process, and work.

The Court granted the claim and ordered the Newspaper El Tiempo to update the information published on its website, deleting any information that relates the plaintiff to human trafficking. Moreover, El Tiempo was also ordered to neutralize on the Internet search engines the possibility of access to news related to the plaintiff's name.

2. Scope of Application

2.1. Personal scope

Article 2 of the Personal Data Protection Law establishes the scope of application by stating that the principles and provisions contained in the law will be applicable to personal data registered in any database that makes them susceptible to treatment by entities of a public or private nature. Therefore, any personal data that is transferred and registered in a database will be subject to the Personal Data Protection Law. Thus, it applies to all individuals and entities that collect, process, store, or transfer personal data in the country, regardless of their nationality or legal status. The law covers both public and private sectors and applies to all types of personal data, including sensitive data related to an individual's race, ethnicity, political views, religious beliefs, sexual orientation, health status, and criminal record, among others.

2.2. Territorial scope

Article 2 of Personal Data Protection Law affirms it will apply to:

• the personal data processed in Colombian territory; or
• when the data controller or data processor is not established in Colombian territory but its law is applicable due to international standards and treaties.

2.3. Material scope

The material scope of application of the Personal Data Protection Law includes:

• the collection and processing of personal data: The Personal Data Protection Law regulates the collection and processing of personal data by any means, including electronic and physical records. It requires the consent of the data subject, establishes obligations for data controllers, and requires transparency and accountability in the processing of personal data.

In addition, Article 2 of the Data Protection Law provides that the personal data protection regime established in the same shall not apply:

• to databases or archives maintained exclusively for personal or domestic purposes. However, when these databases or files are to be supplied to third parties, the data subject must be informed beforehand and their authorization must be obtained. In this case, the controllers and processors of the databases and files shall be subject to the provisions contained in the Personal Data Protection Law;
• databases and archives for the purpose of national security and defense, as well as the prevention, detection, monitoring, and control of money laundering and the financing of terrorism; 
• databases for the purpose of containing intelligence and counterintelligence information; 
• databases and archives of journalistic information and other editorial content; 
• databases and archives regulated by Law No. 1266 of 2008; and 
• to the databases and archives regulated by Law 79 of 1993 (only available in Spanish here).

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

Article 19 of the Personal Data Protection Law establishes the SIC, specifically its Delegation of Personal Data Protection (DPDP), as the authority responsible for enforcing data protection laws in Colombia. The DPDP oversees compliance with Colombia's data protection laws, including the Personal Data Protection Law and its related regulations. It has the power to investigate and sanction individuals and organizations that violate data protection laws and impose fines and other penalties that will be reviewed in the section on penalties below.

The DPDP also provides guidance and support to individuals and organizations on how to comply with data protection laws, and it is responsible for maintaining the National Register of Databases ('RNBD'), which is a list of all databases that contain personal data in Colombia.

3.2. Main powers, duties and responsibilities

Article 21 of the Personal Data Protection Law established the functions of the SIC as follows:

• ensure compliance with the personal data protection law;
• advance investigations, ex officio or at the request of a party and, as a result of them, order the necessary measures to make the right of habeas data effective;
• dispose for the temporary blocking of data when there is an assured risk of violation of fundamental rights, based on the request and the evidence the data subject provides, and the blocking is necessary to protect them while a final decision is made;
• implementation of educational campaigns to train and inform citizens about the exercise and guarantee of the fundamental right to data protection in order to promote and publicize the rights of individuals in relation to personal data treatment;
• give instructions to the data controllers and data processors on the measures and procedures necessary to adapt their operations to the provisions set forth in the data protection law;
• request from data controllers and data processors the necessary information for the effective exercise of their functions;
• issue declarations of conformity over international data transfers;
• manage the RNDB and issue the orders and acts necessary for its administration and operation;
• suggest or recommend the necessary adjustments or corrective measures to adapt the data protection regulations to the technological evolution;
• require the collaboration of international or foreign entities when the rights of data subjects are affected outside the Colombian territory on the occasion, among others, of the international collection of personal data; and
• the others that are assigned by law.

4. Key Definitions

Data controller: Article 3(e) of the Personal Data Protection Law defines 'data controller' as any natural or legal person, public or private, that by itself or in association with others, decides on the database and/or the data treatment.

Data processor: Article 3(d) of the Personal Data Protection Law defines 'data processor' as any natural or legal person, public or private, that by itself or in association with others, performs the personal data treatment on behalf of the data controller.

Personal data: In accordance to Article 3(e) of Law No. 1266 of 2008 personal data is defined as any piece of information linked to one or several identified or identifiable persons or that could be associated with an individual or corporation. Personal data can be public, semi-private, or private. Furthermore, Article 3 of the Personal Data Protection Law redefines personal data by assuring that it is any information linked or that can be associated to one or several one or several identified or identifiable persons. As a consequence, it leaves aside corporations as data subjects.

Sensitive data: According to Article 5 of the Personal Data Protection Law sensitive data is the one that affects the intimacy of the data subject or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, membership to unions, social organizations, human rights or that promote interests of any political party or that grant the rights and guarantees of political parties members of the opposition as well as data related to health, sexual life, and biometric data.

Health data: Article 5 of the Personal Data Protection Law affirms that health data in Colombia is considered as sensitive data, therefore it has the same legal treatment.

Biometric data: Article 5 of the Personal Data Protection Law affirms that biometric data in Colombia is considered as sensitive data, as a consequence it has the same legal treatment.

Pseudonymization: The Ministry of Technology and Information in Resolution 000924 of 2020 (only available in Spanish here) affirms that 'anonymous data' is not personal data because it does not reasonably establish which natural person it refers to, links or associates. However, if personal data is presented with a pseudonym due to encryption processes or that by any means, technology or process is separated or disassociated from a natural person, but that can be used to re-identify that person, continue to be personal data.

Data subject: Article 3(f) of the Personal Data Protection Law defines 'data subject' as any natural person whose personal data is subject of treatment.

5. Legal Bases

5.1. Consent

Article 5 of the Personal Data Protection Law establishes the scope of consent in Colombian data protection law. Accordingly, it affirms that the data controller must adopt procedures to request, at the latest, at the time of data collection, the authorization of the data subject for the data processing and inform them of the personal data that will be collected as well as all the specific purposes for which consent is obtained.

In case there are substantial changes in the content of the data processing policies regarding the identity of the data controller and the purpose of treatment which may affect the authorization, the data controller must communicate these changes to the data subject at the latest when implementing the new policies and must obtain a new authorization from the data subject.

5.2. Contract with the data subject

Article 25 of Decree 1377 regulates the contract with the data subject. Overall, it affirms that the contract signed between the data controller and the data subject for the processing of personal data will indicate the scope of the processing, the activities that the processor will carry out on behalf of the controller, and the obligations of the processor with regard to the controller and the data subject.

5.3. Legal obligations

According to Article 10 of the Personal Data Protection Law consent of the data subject is not necessary where the information is required by a public or administrative entity in the exercise of its legal functions or by court order.

5.4. Interests of the data subject

According to Article 10 of the Personal Data Protection Law consent of the data subject is not necessary In cases of medical or health urgency.

5.5. Public interest

According to Article 10 of the Personal Data Protection Law consent of the data subject is not necessary In cases of medical or health urgency.

5.6. Legitimate interests of the data controller

Data treatment requires the prior and informed authorization of the data subject, which must be obtained by any means that can be subject to subsequent consultation. However, if there is an express exception to this general principle, the data treatment by the data controller and/or the data processor will be authorized.

5.7. Legal bases in other instances

According to Article 10 of the Personal Data Protection Law consent of the data subject is not necessary in the following instances:

• data of public nature;
• processing of information authorized by law for historical, statistical, or scientific purposes; and
• data related to the Civil Registry.

6. Principles

Article 4 of the Personal Data Protection Law outlines the following principles of the data protection law:

• Legality in terms of data processing: Data treatment is a regulated activity that is subject to what is established in the Personal Data Protection Law;
• Lawful processing: Personal data must be collected and processed with the consent of the data subject and for a specific and legitimate purpose;
• Purpose: Data treatment must have a legitimate purpose in accordance with the Constitution and the Personal Data Protection Act, which must be informed to the data subject;
• Freedom: Data treatment can only be exercised with the previous, expressed, and informed consent of the data holder. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent;
• Veracity or quality: The information subject to treatment must be truthful, complete, exact, updated, verifiable, and understandable. The processing of partial, incomplete, fragmented, or misleading data is prohibited;
• Transparency: The right of the data holder to obtain from the data controller or the data processor, at any time and without restrictions, information about the existence of data that concerns them;
• Restricted access and circulation: Data treatment is limited to the nature of the data. Thus, the processing can only be done by persons authorized by the data holder. Personal data, except for public information, may not be available on the Internet or other means of dissemination or communication unless access is technically controllable to provide restricted knowledge to data holders or authorized third parties;
• Security: The information subject to processing by the data controller or the data processor must be handled with technical, human, and administrative standards necessary to grant security to the records, avoiding their tampering, loss, unauthorized, or fraudulent consultation, use, or access;
• Confidentiality: All persons involved in the processing of personal data that are not public in nature are obliged to guarantee the confidentiality of the information, even after the end of their treatment; and 
• Access and rectification: Data subjects have the right to access their personal data, and to request its rectification, updating, or deletion.

Accountability

Article 26 of Decree 1377 imposes the principle of accountability for data controllers and data processors. Decree 1377 states that they must be able to demonstrate, at the request of SIC, that they have implemented appropriate and effective measures to comply with the obligations established in Colombian data privacy law, in relation to:

• the legal nature of the data controller and, when applicable, its business size, taking into account whether it is a micro, small, medium, or large company;
• the nature of the personal data subject to processing;
• the type of treatment; and
• the potential risks that the treatment could cause to the rights of the data subjects.

The data controller must provide in response to a SIC request a description of the procedures used to collect personal data, as well as a description of the purposes for which this information is collected and an explanation of the relevance of personal data in each case.

Moreover, a response to a SIC requirement must provide evidence of the effective implementation of the appropriate security measures, such as the design, implementation, and verification of effective internal policies. These policies must guarantee:

• the existence of an administrative structure proportional to the structure and business size of the data controller;
• the adoption of mechanisms to make effective internal policies such as implementation tools, training, and education programs; and
• the adoption of procedures for the attention and response to queries, requests, and complaints by data subjects.

An incentive is provided by the data protection law for the implementation of the accountability principle in case the data controller has appropriate security measures for the handling of personal data. Thus, SIC will take this circumstance into account when evaluating the imposition of sanctions for violation of duties and obligations.

7. Controller and Processor Obligations

7.1. Data processing notification

There is no obligation to notify data processing activities.

7.2. Data transfers

The international transfer of personal data is forbidden to countries that cannot provide adequate levels of data protection. However, the international transfer of personal data is permitted solely in the following cases (Article 26 of the Personal Data Protection Law):

• information where the data subject has granted their express and unequivocal authorization for the transfer;
• exchange of medical data for reasons of health or public hygiene when required by the processing of the data subject;
• bank or stock transfers, in accordance with the legislation that is applicable to them;
• transfers agreed within the framework of international treaties to which the Republic of Colombia is a party, based on the principle of reciprocity;
• transfers necessary for the execution of a contract between the data subject and the controller, or for the execution of pre-contractual measures as long as the data subject's authorization is obtained; or
• transfers legally required to safeguard the public interest or for the recognition, exercise, or defense of a right in a judicial process.

In addition, the Guide for the Implementation of the Responsibility Principle in the International Transfers of Personal Data (only available in Spanish here) ('the Responsibility Guidelines') recommends organizations perform a Privacy Impact Assessment ('PIA') before the international transfer of data which is likely to involve a high risk of adversely affecting the rights of the data subject (Page 11, Recommendation I of the Responsibility Guidelines). The Responsibility Guidelines state that a PIA should include, at the minimum, the following (Page 11, Recommendation I of the Responsibility Guidelines):

• a detailed description of the operations of processing personal data that involves the international transfer of such data;
• an assessment of the specific risks to the rights and freedoms of the data subjects; and
• the identification and classification of risks as well as the measures necessary to mitigate them.

7.3. Data processing records

Administered by the SIC, the RNBD is the public directory of databases subject to processing that operate in Colombia. Article 25 of the Personal Data Protection Law, further developed by regulations such as Decree 866 of 2014 and Decree 1074 of 2015 Chapter 26 (only available in Spanish here), regulates the minimum information that the RNBD must contain and the terms and conditions under which databases subject to the application of the Personal Data Protection Law must comply.

Through Decree 090 of January 18, 2018 (only available in Spanish here), the National Government of Colombia modified the scope of application of the RNBD and created new deadlines for the subjects that are obligated to register their databases. The controllers and processors that continue with the duty to register their databases are non-profit companies and entities that have total assets greater than 100,000 Tax Value Units (UVT) and public entities.

7.4. Data protection impact assessment

Not applicable.

However, the Ibero-American Data Protection Network's ('RIPD') Standards for Personal Data Protection for Ibero-American States ('the Standards for Personal Data Protection') recommends a PIA be undertaken (Page 30, Paragraph 41 of the Standards for Personal Data Protection). Furthermore, the  Standards for Personal Data Protection recommends the conducting of a PIA in the following circumstances (Page 30, Paragraph 41 of the Standards for Personal Data Protection):

• when the person responsible intends to perform any type of processing of personal data that due to its nature, context, or purposes probably entails a high risk of affecting the rights of the data subject, it shall perform, prior to the processing, a PIA; and
• national legislation of the Ibero-American States that is applicable to the matter shall, among other things, state that such processing requires a PIA on the protection of personal data; the contents thereof, the assumptions under which the result must be submitted to the supervisory authority, as well as the requirements of said submission.

7.5. Data protection officer appointment

Article 23 of Decree 1377 mandates data controllers and data processors to appoint a data protection officer (DPO) or create an area that assumes the function of personal data protection.

7.6. Data breach notification

Article 17 of the Personal Data Protection Law regulates the duties of data controllers, ordering them to 'inform SIC when there are violations of the security codes and there are risks in the administration of the data subject's information […].' In the same sense, Article 18 of the Personal Data Protection Law imposes a similar duty to data processors ordering them to inform SIC when there are violations of the security codes and there are risks in the administration of the data subject's information.

Moreover, Chapter II, Title V of the Personal Data Protection Law provided by SIC establishes that organizations that are obliged to register their databases in the RNDB must report the security incident within 15 business days after they are noticed and are brought to the attention of the DPO or the area in charge of attending them. Furthermore, data controllers who are not obliged to register their databases in the RNBD must comply with the exact same procedure mentioned above.

Article 15 of the Personal Data Protection Law regulates claims by the data subjects whenever there is a data privacy breach. Accordingly, it establishes that the data subject or their heirs may file a claim with the data controllers or the data processors whenever they consider that the information contained in a database must be corrected, updated, or deleted, or when they notice a breach of any of the duties contained in the Personal Data Protection Act. The following rules will apply to the claim:

• The claim will be a request addressed to the data controllers or the data processors, including the identification of the data subject, the description of the facts that give rise to the claim, the address, and the documents that support the claim. If the claim is incomplete, the interested party will be required within five days following receipt of the claim to amend it. If the data subject does not submit the amendment information after two months from the date of submission, it will be understood that he has withdrawn the claim. In the event that the person who receives the claim is not competent to resolve it, she will notify the competent person within a maximum term of two business days and will inform the data subject of the situation.
• Once the complete claim is received, within a term of no more than two business days, the database where the information is held must include a legend that states "claim in process" and the reason for it until it is decided.
• The maximum term to address the claim will be 15 business days counting from the day following the date of receipt. When it is not possible to address the claim within said term, the data subject will be informed of the reasons for the delay and the date on which their claim will be addressed, which in no case may exceed eight business days following the expiration of the first term.

Internal record keeping of data controllers and data processors

A key element in any risk management system associated with personal data processing is the documentation of every single aspect related to security incidents in the internal records of the organizations. These records will not only allow demonstrating compliance with the Personal Data Protection Law in case of an investigation but will be useful to prevent such incidents from happening again in an organization

Therefore, in accordance with the SIC’s Accountability Report, a data controller and a data processor must have:

• a general description of the circumstances around the security incident (including the RNDB and the type of data - sensitive, private, etc. - compromised);
• the type of data subjects affected;
• the date and time of the security incident and its discovery;
• preliminary inquiries and investigations conducted by the organization during the incident;
• corrective measures;
• the data controller and/or data processor responsible agents for managing the data breach;
• evidence of the report presented to SIC, as well as the communication given to the data subject, if necessary;
• the evaluation of the level of risk derived from the security incident; and
• the inclusion of personal details, when necessary.

Data controllers and data processors should be aware that the information stored in records must:

• contain enough details for the data protection authority to assess whether the security incident management was diligent; and
• be protected from any threat with the necessary security and confidentiality measures.

7.7. Data retention

Article 11 of Decree 1377 provides that controllers and Processors of personal data may only collect, store, use, or disclose personal data for a reasonable and necessary period, in accordance with the purposes that justified the Processing, taking into account the applicable provisions in the relevant field and the administrative, accounting, fiscal, legal, and historical aspects of the information. Once the purpose(s) of the processing has been fulfilled, and without prejudice to any legal provisions to the contrary, the controller and the processor must proceed with the deletion of the personal data in their possession. However, personal data must be retained when required to fulfill a legal or contractual obligation.

In addition, Article 11 of Decree 1377 highlights that controllers and processors of personal data must document the procedures for the processing, retention, and deletion of personal data in accordance with the applicable provisions in the relevant field, as well as any instructions issued by the SIC regarding these matters.

7.8. Children's data

Article 7 of the Personal Data Protection Law regulates the rights of children and adolescents, affirming that respect for the prevailing rights of children and adolescents must be ensured in their data treatment. Therefore, it prohibits the processing of personal data of children and adolescents, except for data that is of public nature.

Both the state and educational entities must provide information and train legal representatives and guardians on the risks that children and adolescents could face regarding the improper management of their personal data, and provide knowledge about the responsible and safe use of personal data by children and adolescents, their right to privacy and protection of their personal information.

7.9. Special categories of personal data

According to Article 3 of Law No. 1266 of 2008, the following are the main categories of personal data:

• Public data: It is the data classified as such according to the law or the Constitution and all those that are not semi-private or private. The data contained in public documents, duly executed judicial rulings that are not subject to confidentiality and those related to the civil status of people are public, among others. When it comes to criminal conviction data, it will be public data when there is a duly executed ruling, however, when the data is used as evidence by the prosecutor during the investigation, it will be protected and confidential.
• Semi-private data: Semi-private data is data that is not of an intimate, reserved, or public nature and whose knowledge or disclosure may be of interest not only to the data subject but also to a certain sector or group of people or to society in general, such as financial and credit data.
• Private data: It is the data that due to its intimate or reserved nature is only relevant to the data subject.
• Sensitive data: It is the data that affects the privacy of the owner or whose improper use can generate discrimination.

7.10. Controller and processor contracts

The contract between the controller and processor must include the obligation of the processor to comply with the data policies established by the controller and to carry out the data treatment in accordance with the purpose that the holders have authorized and with the applicable laws. In addition, the following obligations must be included by the processor:

• processing data on behalf of the controller in accordance with the principles established in the law;
• safeguard the security of the databases containing personal data; and
• maintaining confidentiality regarding the processing of personal data.

8. Data Subject Rights

Article 4 of the Personal Data Protection Law establishes the different principles that apply to data protection treatment in Colombia.

8.1. Right to be informed

Article 12 of the Personal Data Protection Law provides for the right to be informed. In addition, Articles 13 to 17 of Decree 1377 address the information to be provided in a controller's data processing policies and privacy notices.

The controller must clearly and expressly inform the data subject of the following when requesting consent for the processing (Article 12 of the Personal Data Protection Law):

• the processing for which the personal data will be used and the purpose thereof;
• the optional nature of the answer to the questions that are asked, when these relate to sensitive data or the data of children;
• the rights of the data subject; and
• the identification, physical or electronic address, and telephone number of the controller.

Data processing policies must include at least the following information (Article 13 of Decree 1377):

• name or company name, address, email, and telephone number of the controller;
• the processing to which the data will be subject and its purpose;
• the rights of the data subject;
• the person or department responsible for receiving the requests, inquiries, and claims of a data subject who wants to exercise their rights to know, update, rectify, and delete their data, or to withdraw their consent;
• the procedure for the data subjects to exercise their rights; and
• the date of entry into force of the information processing policy and the period of validity of a database.

Similarly, the procedures for accessing, updating, deleting, and rectifying personal data and for revocation of consent must be made known or easily accessible to the data subjects and included in the data processing policy (Article 18 of Decree 1377).

Privacy notices must contain at least the following (Article 15 of Decree 1377):

• the name or company name and contact details of the controller;
• the purpose of the processing;
• the rights of the data subject; and
• the mechanisms provided by the controller so that the data subject is aware of the data processing policy and the substantial changes that occur in it or in the corresponding privacy notice. In all cases, the data subject must be informed on how to access or consult the data processing policy.

When sensitive personal data is collected, the privacy notice must expressly indicate the optional nature of the answer to the questions regarding this type of data (Article 15 of Decree 1377).

8.2. Right to access

Articles 8 and 14 of the Personal Data Protection Law provide for the right of access or the right to 'consult.' Procedures for the right are set out in Article 11 of the Personal Data Protection Law and Articles 20, 21, and 23 of Decree 1377.

Data subjects have the right to know what personal data has been collected by a controller or processor, the right to request proof of the consent granted, the right to be informed by the controller or processor regarding the use of their personal data, and the right of access to their personal data (Article 8 of the Personal Data Protection Law).

More specifically, data subjects or their successors in title may consult their personal data that resides in any database, whether in the private or public sector. In turn, the controller or processor must provide them with all the information contained in the individual record or that is linked to the identification of the data subject (Article 14 of the Personal Data Protection Law).

8.3. Right to rectification

Articles 8(a) and 15 of the Personal Data Protection Law provide for the right to rectification. Procedures for the right are set out in Articles 18, 20, 22, and 23 of Decree 1377. This right may be exercised against partial, inaccurate, incomplete, fractioned, or misleading data, or in relation to information whose treatment is expressly prohibited or has not been authorized.

8.4. Right to erasure

Data subjects have the right to revoke their consent and/or request the deletion of data when the treatment does not respect the constitutional and legal principles, rights, and guarantees (Article 8(e) and 15 of the Personal Data Protection Law and Article 9 of Decree 1377). The revocation and/or deletion will proceed when the SIC determines the data controller and/or data processor have not complied with data treatment under the Personal Data Protection Law and the Constitution. Procedures for the right are set out in Articles 18, 20, 22, and 23 of Decree 1377.

8.5. Right to object/opt-out

Data subjects have the right to object to the processing of their personal data if it is being used for direct marketing or if the processing is based on legitimate interests.

8.6. Right to data portability

Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format.

8.7. Right not to be subject to automated decision-making

The SIC has adopted guidelines produced by the 'Iberic-American Network of Data Protection' (only available in Spanish here), specifically the one related to the processing of personal data in artificial intelligence. In the aforementioned document, they make the following recommendations to organizations who intend to implement artificial intelligence ('AI') in their data protection treatment:

• comply with the local regulation on the treatment of personal data;
• conduct a privacy impact assessment;
• embed privacy, ethic, and security by design and by default;
• materializing the principle of accountability;
• design appropriate governance structures in organizations developing AI products;
• adopt measures to guarantee the observance of data protection principles;
• respect the holder’s rights and implement effective mechanisms for the exercise of said rights;
• ensure data quality;
• use anonymization tools; and
• increase holders’ trust and transparency.

Clearly, due to the recent developments in AI such as ChatGPT, these recommendations must be updated and shall provide guidance to legislators in order to regulate the industry and guarantee data subjects’ rights when using AI tools.

8.8. Other rights

Right to complaint

Data subjects have the right to file complaints to the SIC for non-compliance with data protection law by data controllers and/or data processors.

9. Penalties

In accordance with Article 22 of the Personal Data Protection Lawthe procedure for data protection sanctions will be held by SIC, who will adopt measures or impose sanctions when non-compliance with the provisions of the Personal Data Protection Act is established. Article 23 of the Personal Data Protection Act imposes sanctions that can be enforced by the SIC on data controllers and data processors, as follows:

• fines of a personal and institutional nature of up to 2,000 legal monthly minimum wages at the time the sanction is imposed (approx. $440,000). The fines may be successive while the non-compliance subsists;
• suspension of activities related to data treatment for up to a term of six months. In the act of suspension, the corrective measures that must be adopted will be indicated;
• temporary closure of operations related to data treatment once the term of suspension has passed without the adoption of the corrective measures ordered by the SIC. These measures can include the implementation of new policies, procedures, or controls, the publication of rectifications or apologies, the notification of the data breach to the affected individuals; and
• immediate and definitive closure of the processing of sensitive data operation.

Accordingly, the Personal Data Protection Law provides a paragraph regarding the sanctions provided above, establishing that they only apply to persons of a private nature. In the event the SIC notices an alleged non-compliance by a public authority, it will refer the investigation to the Office of the Attorney General so that the respective procedure can be carried out.

Moreover, the Personal Data Protection Lawin its Article 24 establishes the criteria to graduate sanctions as follows:

• the dimension of the damage or danger to the legal interests protected by the data protection law;
• the economic benefit obtained by the offender or third parties;
• recidivism in the commission of the offense;
• the resistance, refusal, or obstruction to the investigation or surveillance action by the SIC;
• the reluctance or contempt to comply with the orders issued by the SIC; and
• the express acknowledgment or acceptance made by the data controller and/or data processor under investigation before the imposition of the sanction that may apply.

It's important to note that in Colombia, data protection is considered a fundamental right, and the SIC takes it very seriously. Thus, cooperation with the data protection authority during the investigation will guarantee benefits to the offenders. Therefore, it's essential for companies and organizations that process personal data to comply with the data protection regulations to avoid significant penalties and damage to their reputation.

9.1 Enforcement decisions

SIC Resolution 53593 of 2020 (only available in Spanish here)

The SIC opened an investigation against Google LLC with the purpose to establish whether it complies with Colombian regulations regarding the collection and processing of personal data of children and adolescents.

Firstly, there was a jurisdiction issue because Google argued that they do not operate through the LLC in Colombia, and the data treatment occurs outside of Colombian territory. The data treatment must occur in Colombia or occur outside of Colombian territory but Colombian law is applicable due to international treaties and Colombian law (Corte Constitucional, Sentence C-478 of 2011). According to the SIC, the Personal Data Protection Act is applicable to Google because they recollect personal data in Colombian territory through cookies that are installed on the devices of people that reside in Colombia. Secondly, the SIC affirms that Google must comply with Colombian law and with any requirements that the SIC requests. Thirdly, the SIC affirms that the information that a data controller (such as Google) provides to the child and/or adolescent to obtain their consent must be presented in a language that is clear and simple for minors so that they are aware of the risks, consequences, guarantees, and rights concerning the processing of their personal data. Moreover, Google sustains that:

"The procedure for collecting personal data by YouTube responds to high industry standards, as well as the principles set by modern legislation applicable to the case. Express, prior, and informed consent for the relevant processing of personal data is obtained prior to the processing of personal data during the process of creating a Google Account."

In response, the SIC affirmed that Google was liable because: "[…] GOOGLE LLC -NOT children and adolescents-must obtain the authorization of the legal representative of those under 18 years of age. For this purpose, it is not enough for the minor to affirm that she has the permission of her parents. This is insufficient since GOOGLE LLC must demonstrate that it has the authorization of the legal representatives of the children or adolescents. The lack of diligence on the part of GOOGLE LLC is causing the legal representatives to lose control over the Treatment that this group of companies performs against the Personal Data of children and/or adolescents located in the Republic of Colombia, as well as the lack the necessary information about the risks, consequences, guarantees, and rights concerning the Processing of Personal Data of minors under eighteen (18) years of age, particularly when the services offered by GOOGLE imply large-scale management of categories of Personal information."

Furthermore, the SIC affirms that the accountability principle is crosscutting across all the data recollection made by data controllers and/or data processors and that they must comply with it by implementing different measures that grant the data subject a positive manifestation of their consent. In these terms, the SIC sustained that: "[…] an organization that collects Data from children and/or adolescents must implement effective procedures to determine that the legal representative expressly authorizes the Treatment, as well as ensure that that person is effectively the legal representative of the minor. In addition, in the event of substantial changes in the Data Treatment policies, such as, for example, the identification of the Responsible and the purpose of the Treatment, the Data Controller must communicate these changes to the legal representative of the minor. However, regarding the procedure to be implemented to comply with this legal requirement, the regulation is neutral because it does not require a specific mechanism, process, or technology to obtain the Authorization. Anyhow, regardless of the alternative used by the Data Controller, he must be able to demonstrate that he obtained a prior, express, and informed Authorization."

SIC Resolution 62132 of 2020 (only available in Spanish here)

TikTok (ByteDance Ltd, TikTok, Inc, and TikTok Pte. Ltd.) must comply with the rules for the collection and use of data from children and adolescents. Colombian Law does not distinguish whether the treatment must be done in a certain way or excludes any form, tool, technology, or process to collect or process data. There is a general principle of legal interpretation that states that: "where the law does not distinguish, it is not given to the interpreter to do so"; the principle, in this case, is fully applicable because Tiktok performs data processing in Colombian territory through the use of cookies. Therefore, the Personal Data Protection Act is applicable to TikTok because it collects personal data in the territory of Colombia through cookies installed on the equipment including, cell phones, tablets, computers, or any other devices that store information, of people residing or domiciled in Colombia.

SIC Resolution 83874 of 2021 (only available in Spanish here)

The company Stark Gym S.A.S must document and implement a procedure to collect the authorization of the data subjects and inform them of the purpose or purposes of the treatment. Furthermore, they must document and implement an information security policy that includes the implementation of technical, administrative, and human measures to ensure the confidentiality, integrity, and availability of personal information.

SIC Resolution 88180 of 2022 (only available in Spanish here)

It was found proven that RAPPI S.A.S. did not respond in a timely and diligent manner to the data subject's request to delete their personal data, within the term established in the Law, in order to not receive messages of a commercial nature.

SIC Resolution 20531 of 2023 (only available in Spanish here)

The Company, Distribuciones Tole S.A.S., has the duty to comply with the instructions and requirements made by the Superintendence of Industry and Commerce, related to the registration of their databases and the processing of personal data in the RNDB.