
Colombia - Data Protection Overview

December 2021

1. Governing Texts

The protection of personal data is a constitutional and fundamental right in Colombia.

Article 15 of the Colombian Political Constitution (only available in Spanish here) ('the Constitution') demands that liberty and the other guarantees provided in the Constitution be respected when personal data is collected, processed, and transmitted.

Before 2008, the scope of the habeas data right was developed mostly by constitutional case law, but there were no specific laws regarding the matter. In 2008, the Congress of the Republic of Colombia ('the Congress') enacted Statutory Law 1266 of 2008 (December 31) which Establishes General Provisions of Habeas Data and Regulates the Management of Information Contained in Personal Databases, specifically Financial, Credit, Commercial, and of Services and Derived from Third Countries and Other Provisions (only available to download in Spanish here) ('Law No. 1266 of 2008').

In 2012, Congress enacted Statutory Law 1581 of 2012 (October 17) Which Issues General Provisions for the Protection of Personal Data (only available in Spanish here) ('the Data Protection Law'), which has a broader scope and seeks to 'develop the constitutional right of all persons to know, update, and rectify information that has been collected on them in databases or files, and other rights, liberties, and constitutional rights referred to in Article 15 of the Political Constitution.'

The Data Protection Regulations are applicable to individuals, private and public companies, and governmental entities that carry out the processing of personal data of individuals (regardless of their nationality) who are domiciled in the territory of Colombia, and to companies that process the personal data of people in Colombia, whether or not they are located/incorporated in Colombian territory.

1.1. Key acts, regulations, directives, bills

  • the Data Protection Law
  • Decree 1377 of 2013 (June 27) Which Partially Regulates Law 1581 of 2012 (only available in Spanish here) ('Decree 1377')
  • External Circular No. 002 of 2015 (only available in Spanish here) ('Circular 002')
  • Decree No. 886 of 2014 (only available in Spanish here) ('Decree 886')
  • External Circular No. 007 of 2018 (only available in Spanish here) ('Circular 007')
  • Articles 15 and 20 of the Constitution, which establish the rights to privacy and data rectification

1.2. Guidelines

The Colombian Data Protection Authority, the Superintendence of Industry and Commerce ('SIC'), has issued guidelines regarding:

  • the processing of personal data in CCTV (only available in Spanish here);
  • the request for a conformity statement from the SIC regarding international transfers of personal data (only available in Spanish here);
  • the observation of obligations imposed by the Data Protection Law and its regulatory decrees (only available in Spanish here);
  • diagnostic questionnaire for the enforcement of the Data Protection Law for small and medium-sized enterprises (only available in Spanish here);
  • the processing of personal data for marketing purposes (only available in Spanish here);
  • general recommendations for the processing of personal data in artificial intelligence;
  • the implementation of accountability within the data protection regime (only available in Spanish here) ('the Accountability Guidelines');
  • the processing of personal data for purposes of electronic commerce (only available in Spanish here);
  • the processing of personal data in the horizontal property regime (only available in Spanish here);
  • personal information contained in pictures (only available in Spanish here); and
  • security incident management (only available in Spanish here) ('the Incident Management Guidelines').

It should be noted that these guidelines are educational rather than mandatory in nature and do not affect the meaning of the law.

1.3. Case law

In Colombia, the legal system is based on civil law. Although the main sources of law are the laws and acts issued by the Congress, the judiciary has significant power within the legal system. Any judge may seek to distinguish their present case from that of a binding precedent in order to reach a different conclusion, but they should do so only with special justification. By contrast, legal systems based on case law have their primary source of law in court rulings.

The Congress issued the Data Protection Law, but since it regulates fundamental rights, the Colombian Constitutional Court ('Constitutional Court') must carry out an automatic constitutional control of such law, in order for it to comply with the provisions of the Constitution. Such control was exercised in Sentence C-748 of 2011 (only available in Spanish here). In addition, companies must comply with resolutions issued by the SIC and may be subject to sanctions in the event of non-compliance. Therefore, companies should treat these resolutions as providing interpretation criteria for compliance with Colombian data protection regulations.

2. Scope of Application

2.1. Personal scope

The Data Protection Law is applicable to individuals, private and public companies, and governmental entities that:

  • carry out the processing (e.g., collection, analysis, use, or storage) of personal data of data subjects domiciled in Colombia (regardless of their nationality); and/or
  • process personal data within the Colombian territory.

The SIC has considered that the use of cookies amounts to processing data in Colombia (as cookies collect information in the computers or devices of data subjects who are domiciled in the country).

At its core, Colombian data protection legislation provides that the collection, analysis, use, storage, and any other processing of the personal data of individuals residing in Colombian territory requires prior, express, and informed consent ('qualified consent') from data subjects.

Decree 1377 provides an alternative to express consent in cases where the data subject has acted in an unequivocal way that leads to the reasonable conclusion that authorisation has been granted. This alternative was introduced for cases in which privacy notices are properly displayed and in which, due to the circumstances in which personal data is collected, it is not practical to approach each individual to seek consent (e.g., security cameras on buildings). The silence of the data subject cannot be deemed unequivocal behaviour.

2.2. Territorial scope

The position of the Courts and the SIC is that the processing of data of data subjects domiciled in Colombia, even if it is done from abroad, is subject to local data protection laws. Therefore, the application of the law extends to companies that are not located/incorporated in the Colombian territory. Whilst the enforceability of the law against these companies is debatable, the SIC has nonetheless, within the last year, imposed sanctions on companies with no local presence for violating the data protection regime.

2.3. Material scope

Colombian legislation applies to all types of processing of personal data that take place in Colombia, or are carried out outside Colombia by legal entities located outside of Colombia that must comply with Colombian data protection legislation (i.e., companies which process personal data of data subjects domiciled in Colombia).

However, the Data Protection Law excludes from its application:

  • databases or records that are exclusively for personal and domestic purposes;
  • databases processed for the purpose of national security and defence, as well as for the prevention, detection, monitoring, and control of money laundering and financing of terrorism;
  • databases containing information about intelligence and counterintelligence;
  • databases and files containing journalistic and editorial information;
  • databases and files regulated by Law 1266 of 2008; and
  • databases and files regulated by Law No. 79 of 1993 on Demographic Census (only available in Spanish here).

Notwithstanding the above, the Constitutional Court confirmed that the processing of personal data contained in such databases must follow the principles contained in the Data Protection Law, including purpose limitation, data quality and proportionality, transparency, and security.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The SIC is the Colombian data protection authority, a governmental entity with many other functions, including those of consumer protection, anti-trust, and industrial property. While the Superintendence of Finance (the governmental entity in charge of the regulation of financial entities) has some specific powers regarding data protection in relation to the entities it regulates, it is the SIC that is considered the general data protection authority in Colombia.

Whilst the financial activities of financial entities are generally supervised by the Superintendence of Finance, these entities are subject to the supervision of the SIC when processing personal data. Indeed, the SIC has imposed several sanctions against banks for the violation of the data protection regime over the past years.

3.2. Main powers, duties and responsibilities

The SIC has the following functions and duties:

  • to ensure compliance with personal data protection legislation;
  • to carry out investigations, either ex officio or upon request of a party and, as a result, order the measures that must be taken to enforce the habeas data right, including ordering that the data subject's rights to access, correct, update, or delete their information be respected;
  • to order the temporary blocking of data when, based on the evidence provided by the data subject, an actual risk of violation of their fundamental rights is identified, and this blockage is necessary to protect the data while a final decision is adopted;
  • to promote and disseminate the rights of individuals related to the processing of personal data and implement educational campaigns to train and inform citizens on how to exercise their rights and about the guarantees of the fundamental right to data protection;
  • to provide instructions on the measures and procedures necessary to adapt the operations of data controllers and data processors to the provisions contained herein;
  • to request the necessary information from data controllers and data processors for the effective exercise of its duties;
  • to provide statements about international data transfers, control the National Database Registry, and issue the necessary orders and acts for its operation and administration;
  • to suggest or recommend adjustments, corrections, or amendments to regulation related to the evolution of technology, information, or communication;
  • to request the cooperation of international or foreign entities when the rights of data subjects outside Colombian territory are affected, due to international collection of personal data, among others; and
  • any other duties assigned by the law.

4. Key Definitions

Data controller: Individual or legal entity, public or private, that either alone or in association with others controls the database and/or the processing of the data (Article 3 of the Data Protection Law).

Data processor: Individual or legal entity, public or private, that either alone or in association with others processes personal data on behalf of the data controller (Article 3 of the Data Protection Law).

Personal data: Any information linked to or associated with one or more identifiable individuals who are determined or determinable by the data (Article 3 of the Data Protection Law).

Sensitive data: Data that affects data subjects' private life or which could be used to discriminate against them. This includes data relating to health and sexual life, biometric data and data revealing racial or ethnic origin, political orientation, religious, or philosophical beliefs, and membership of trade unions or social, human rights organisations, or organisations that promote the interests of a political party or seek to ensure the rights and guarantees of opposition parties (Article 5 of the Data Protection Law).

Health data: The law does not contain a definition for health data. However, pursuant to Article 5 of the Data Protection Law, health data should be considered as a category of sensitive personal data.

Biometric data: The law does not contain a definition for biometric data. However, pursuant to Article 5 of the Data Protection Law, biometric data should be considered as a category of sensitive personal data. The SIC in Colombia has stated that the collection of data on physical (face, fingerprint, palm of the hand, retina, DNA) or behavioural human characteristics (way of signing, voice tone) (i.e., biometric data), whether it is for identification purposes or not, satisfies the definition of processing personal data provided by law.

Pseudonymisation: The law does not contain a definition for pseudonymisation. However, the SIC has recognised that pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific person without the use of additional information.

Data subject: Individual whose personal data is processed (Article 3 of the Data Protection Law).

Authorisation: The prior express and informed consent of the data subject to the processing of their personal data (Article 3 of the Data Protection Law).

Database: Organised set of personal data that is subject to data processing (Article 3 of the Data Protection Law).

Data transfer: A transfer of data occurs when the data controller and/or the data processor, located in Colombia, sends personal data to a recipient that is also a data controller and is located inside or outside the country (Article 3 of the Data Protection Law).

Data transmission: Processing of personal data which implies its communication, inside or outside the territory of Colombia, when it has the purpose of data processing by a data processor on behalf of a data controller (Article 3 of the Data Protection Law).

Processing: Any operation or set of operations on personal data, such as collection, storage, use, communication, or deletion (Article 3 of the Data Protection Law).

5. Legal Bases

5.1. Consent

The data protection regime in Colombia is almost entirely consent-based, and processing can occur without consent only by way of limited exceptions. Therefore, as a general rule, data controllers and data processors must obtain prior, informed, and express consent from the data subject in order to process personal data.

This consent requires the data subject to be informed about the purpose of the processing of the personal data, as well as being provided with a link, location, or attachment that allows them to review the privacy policy of the data controller.

Data controllers must establish mechanisms to obtain the data subjects' consent and inform data subjects of the necessary information required by law to fulfil the consent requirement, namely:

  • information on how data will be processed;
  • the purposes for which the collected data will be processed;
  • data subject rights and how to exercise them;
  • contact information of the data controller; and
  • the link of the privacy policy or the email address where the data subject can request the privacy policy.

Blanket consents or opt-out mechanisms are not considered valid since they do not reflect an express decision that can evidence the data subject's intention and choice.

5.2. Contract with the data subject

Contractual necessity is not included as a legal basis for processing personal data. Please note that the exception to the general prohibition on international data transfers for contractual necessity applies as long as the data subject has granted their consent to process personal data.

Please see the section on data transfers below for further information.

5.3. Legal obligations

According to the Data Protection Law, consent is not required when Colombian judicial or administrative authorities request personal information for purposes under their competence.

5.4. Interests of the data subject

The interests of the data subject are not included as a legal basis for the processing of personal data, except in limited circumstances (i.e., when the health or life of the data subject is at risk and processing is required to mitigate it).

5.5. Public interest

According to the Data Protection Law, personal data can be collected without consent for historical, statistical, or scientific purposes or for medical or sanitary emergencies (e.g., COVID-19 related).

5.6. Legitimate interests of the data controller

Colombian laws do not provide a legitimate interests exception to the requirement for consent, nor do they define the concept. The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') approach to legitimate interest as a legal basis for processing does not apply in Colombia.

5.7. Legal bases in other instances

Not applicable.

6. Principles

The Colombian data protection authority will apply and interpret data protection laws in accordance with the following principles:

  • legality;
  • purpose limitation;
  • liberty;
  • quality;
  • transparency;
  • restricted access and circulation;
  • security;
  • confidentiality; and
  • accountability.

7. Controller and Processor Obligations

Article 17 of the Data Protection Law lists an extensive catalogue of obligations for data controllers. Some of the main obligations include:

  • guaranteeing the exercise of a data subject's habeas data right;
  • obtaining and keeping records of the consent granted by data subjects;
  • informing data subjects of the purpose of the processing of their data;
  • applying security measures to personal data;
  • providing accurate and complete information to processors;
  • keeping processors informed of any updates to the data;
  • rectifying incomplete information and providing updates to processors;
  • requesting processors to apply security measures to the data;
  • responding to consultations and complaints from data subjects in a timely manner;
  • adopting an internal data processing manual;
  • reporting to processors when data is under discussion by the data subject;
  • reporting data breaches to the SIC; and
  • complying with any orders, requirements, and instructions made by the SIC.

In addition to the obligations contained in the Data Protection Law, there are additional obligations in Decree 1377 and Decree 886 of 2014 (only available in Spanish here), which include:

  • adopting a privacy policy;
  • using privacy notices in cases where the privacy policy cannot be fully displayed following the content requirements of Article 15 of Decree 1377;
  • delegating a division or person within the organisation (data protection officer) to attend to consultations and complaints submitted by data subjects; and
  • recording each database containing personal data with the National Database Registry.

In addition, Article 18 of the Data Protection Law lists an extensive catalogue of obligations for data processors, similar to those imposed on data controllers. Some of the main obligations include:

  • guarantee to the data subject, at all times, the full and effective exercise of the right of habeas data;
  • keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use, or unauthorised or fraudulent access;
  • update, rectify, or delete the data;
  • update the information reported by the data protection officer within five business days from their receipt;
  • process consultations and claims made by the data subjects;
  • adopt an internal manual of policies and procedures to ensure adequate compliance with this law and, in particular, for the attention of inquiries and complaints by the data subject;
  • register in the database record 'claims in process' whenever there is a claim in process according to the law;
  • insert in the database record 'information in judicial discussion' once notified by the competent authority about judicial processes related to the personal data;
  • refrain from circulating information that is being disputed by the data subject and whose blocking has been ordered by the SIC;
  • only allow authorised people to access information;
  • inform the SIC when there are violations of security codes and there are risks in the administration of the information of a data subject; and
  • comply with the instructions and requirements issued by the SIC.

7.1. Data processing notification

The Data Protection Law has created the National Database Registry, which is a public list of databases operating in Colombia. According to the Data Protection Law, the registration of databases is administered by the SIC. All companies whose assets in the Colombian territory exceed 100,000 Tax Value Units (i.e., COP 3.6 billion (approx. €795,000)) must register their databases in the National Database Registry. Registration can be done online (only available in Spanish here).

On 13 May 2014, the Colombian Government issued Decree 886. The obligations under Decree 886 became effective in November 2015 through Circular 002.

Decree 886 extensively regulates the obligation that data controllers have under Article 25 of the Data Protection Law to register, within two months of creation, in the National Database Registry information on certain characteristics of their databases containing personal data and whose processing is subject to Colombian legislation.

Circular 002 provides that as of 9 November 2015, all entities which are incorporated in Colombia and registered with the local Chambers of Commerce acting as data controllers must record certain aspects of how they process personal data in each of the databases they control in the National Database Registry managed by SIC.

The main highlights of Decree 886 include the following:

  • No registry of the database itself: Decree 886 does not require the registration of the database itself. The purpose of the National Database Registry is more focused on informing data subjects and the SIC about the databases that data controllers have and the conditions under which data controllers process personal data.
  • Separate filings must be made per database: Data controllers must make separate filings in the National Database Registry for each database in which they hold personal data that they collect and process.
  • Database information that must be recorded with the National Database Registry: For each database that is recorded with the National Database Registry, Decree 886 requires specific information and documentation to be detailed and uploaded.

In accordance with Decree 886, the following information must be submitted when recording each database in the National Database Registry:

  • identification information, location, and contact information of the database's controller;
  • identification information, location, and contact information of the database's processor or processors;
  • channels through which data subjects may exercise their rights;
  • name and purpose of the database; and
  • the way in which the database is processed (manual and/or automated) and policy for the processing of personal data.

Additionally, under Circular 002, entities that act as data controllers must record the following information in the National Database Registry:

  • information stored in the databases;
  • responses, whether affirmative or negative, as to whether certain security measures for protecting the information have been implemented;
  • the origin of the personal data;
  • information related to the international transfer of personal data;
  • information related to the international transmission of personal data; and
  • information related to the assignment of databases.

The above means that it is highly advisable for companies to conduct an internal assessment of their level of compliance with Colombian data protection laws before registering databases in the National Database Registry.

Likewise, Circular 002 establishes the permanent obligation of maintaining the National Database Registry updated with any modifications to the information. The National Database Registry's platform was also launched in order to allow for the recording of complaints submitted by data subjects and for the fulfilment of the obligation of reporting data breaches regarding databases in which personal data is stored. As of 9 November 2015, access to the National Database Registry was made publicly available for data subjects to consult the registrations made by data controllers.

Failure to comply with the obligation of recording databases with the National Database Registry may trigger the same sanctions as those that result from a breach of other obligations under the Data Protection Law.

In regard to updating the register, information contained in the register must be updated within the first ten days of each month, from the time the database was registered, if any substantial changes to the registered information occur (Section 2.3 of Circular 2/2015). Updates to the register can be made annually between 2 January and 31 March (Section 2.3 of Circular 2/2015). Moreover, data controllers are required to update information concerning data subjects' requests that they have received and that they have provided information on as part of their reports, within the first 15 working days of February and August of each year (Section 2.3 of Circular 2/2015).

7.2. Data transfers

Article 26 of the Data Protection Law prohibits the transfer of personal data to countries that do not provide adequate levels of protection.

Circular 002 listed all the countries that according to the SIC meet the standards that guarantee an adequate level of protection of personal data. An adequate level of protection is deemed to be provided if the regulations of said country meet the standards set by the SIC, which in no case can be lower than the standards established in the Data Protection Law. In accordance with Article 26 of the Data Protection Law, the Circular establishes three situations in which the transfer of personal data may occur:

  • the recipient country is able to guarantee the protection standards for personal data set forth by the SIC;
  • the SIC issues a conformity statement that permits the transfer operation; or
  • the transfer operation is permitted based on one of the following exceptions:
    • the data subject provides prior, informed, and express consent to the transfer;
    • exchange of medical information for reasons of health and public hygiene;
    • exchange of financial information in connection with transfers or banking operations in accordance with the applicable legislation;
    • transfer of data in compliance with an international treaty to which Colombia is a party;
    • transfer of personal data necessary for the execution of a contract between the data subject and the data controller; or
    • transfers of data legally required to protect the public interest.

With respect to the consent exception, if the data will be transferred to another country and/or company, it is important to note that, if the company will apply the same data privacy policy (or data notice), the initial consent over that policy and the express consent to transferring data to other parties is sufficient (legally known as 'transmission'). However, if the company will apply a different data privacy policy, or will use the data for different purposes, this new data privacy policy must be disclosed to the data subject and a new declaration of express and informed consent must be provided. In Colombia, this is legally known as a 'transfer'.

Among the exceptions established above, it is worth emphasising that the consent of the data subject authorising the transfer of their personal data allows companies to transfer such information to third countries that may not provide the security standards required by the SIC.

7.3. Data processing records

The Data Protection Law does not contain an express obligation to create and maintain a record of processing activities.

7.4. Data protection impact assessment

The Data Protection Law contains no express requirements to conduct a Data Protection Impact Assessment ('DPIA'). However, the SIC's Accountability Guidelines establish that DPIAs must be conducted when there is a 'substantial risk of affecting the right to the protection of personal data of data subjects'. Although they are not considered mandatory, the SIC usually evaluates compliance with its guides when investigating possible violations of Colombian data protection legislation.

In addition, the Guide on the Treatment of Personal Information for Marketing and Advertising Purposes (only available in Spanish here) ('the Marketing and Advertising Guidelines') recommends that organisations that process personal data for marketing and advertising purposes should perform a PIA in respect of such data where it is likely that the processing would entail a high risk of adversely affecting the rights of the data subjects (Page 11, recommendation III of the Marketing and Advertising Guidelines).

Furthermore, under the Ibero-American Data Protection Network's ('RIPD') Standards for Personal Data Protection for Ibero-American States ('the Standards for Personal Data Protection'), it is recommended to conduct a PIA on the protection of personal data in the following circumstances (Page 30, Paragraph 41 of the Standards for Personal Data Protection):

  • when the person responsible intends to perform any type of processing of personal data that due to its nature, context, or purposes probably entails a high risk of affecting the rights of the data subject, it shall perform, prior to the processing, a PIA; and
  • national legislation of the Ibero-American States that is applicable to the matter shall, among other things, state which processing requires a PIA on the protection of personal data; moreover, the national legislation shall also regulate the contents of the PIA, the assumptions under which the result must be submitted to the supervisory authority, as well as the requirements of said submission.

On the specific content of the PIA, the Marketing and Advertising Guidelines state that a PIA should include, at a minimum, the following:

  • a detailed description of the personal data processing operations involved in the marketing and publicity project; and
  • an assessment of the specific risks to the rights and freedoms of the data subjects, including the identification and classification of risks, as well as the adoption of measures to mitigate such risks.

Specific to data transfers, the Guide for the Implementation of the Responsibility Principle in the International Transfers of Personal Data (only available in Spanish here) ('the Responsibility Guidelines') provides that prior to the export of data, and to the extent that it entails a high risk of affecting data subjects' right to the protection of their personal data, a PIA should be conducted and should include at a minimum the following (Page 11, Recommendation I of the Responsibility Guidelines):

  • a detailed description of the operations of processing of personal data that involves the international transfer of such data;
  • an assessment of the specific risks to the rights and freedoms of the data subjects; and
  • the identification and classification of risks as well as the measures necessary to mitigate them.

7.5. Data protection officer appointment

According to Decree 1377, controllers and processors should appoint a person or function within the company that assumes responsibility for the protection of personal data and is tasked with handling and resolving claims made by data subjects. According to the Accountability Guidelines, the data protection officer ('DPO') may be located abroad as long as they ensure compliance with Colombian law, including answering data subjects' claims in Spanish and in a timely manner.

The Accountability Guidelines provide further, non-binding detail on the functions of a DPO. Specifically, the DPO's role should be to ensure the effective implementation of the policies and procedures adopted by the organisation to comply with data protection norms, and to implement good data protection management practices within the company (Section 1.2 of the Accountability Guidelines). In addition, the DPO should structure, design, and manage a compliance programme, establish controls for that programme, and provide for their evaluation and ongoing review (Section 1.2 of the Accountability Guidelines).

The following activities, among others, should fall within the DPO's competence (Section 1.2 of the Accountability Guidelines):

  • promoting the development and implementation of a system that allows for risk management of personal data processing;
  • coordinating the delineation and implementation of the controls for the integral personal data management programme;
  • acting as a link and coordinator for other areas of the company in order to ensure a companywide implementation of the integral personal data management programme;
  • promoting a data protection culture within the organisation;
  • keeping an inventory of the personal data databases held by the organisation and classifying them according to their type;
  • registering the organisation's databases in the National Register of Databases ('RNBD') and updating them as required;
  • obtaining adequacy decisions from SIC when required; and
  • reviewing the contents of international data transfer contracts signed with data processors that are not resident in Colombia.

7.6. Data breach notification

Pursuant to the Data Protection Law, both data controllers and data processors have a duty to notify the SIC of any breach of security codes and of any risks in the management of data subjects' personal data, regardless of the nature and scope of the breach. Notification to the SIC must be made within 15 business days from the time the harm was detected.

There is no obligation under the Data Protection Law to report the security breach to the data subject. However, according to the Incident Management Guidelines, data controllers should:

  • inform data subjects about the security incident and its possible consequences;
  • provide tools for data subjects to mitigate potential or caused damage (e.g., to change username and password, to monitor the billing statement, etc.); and
  • adopt a general framework with roles, responsibilities and procedures to handle security incidents.

Notification to the data subject is deemed by the SIC as an advisable practice that will be seen in a favourable light in the event that any investigations are initiated pursuant to a data breach report.

The data protection regime does not contain a harm threshold above which notification is required. Therefore, any security incident that compromises personal data should, ideally, be notified to the SIC. The notification must include the type of incident, the date of the incident, the date on which the incident was discovered, its cause, the type of data compromised, and the number of data subjects affected.

An organisation involved in a data breach may be subject to the suspension of its business operations or the closure or cancellation of the file, register, or database concerned, as well as to an administrative fine, penalty, or sanction. It may also face civil actions and class actions, or criminal prosecution.

7.7. Data retention

Personal data can only be retained for as long as the purpose for which it was collected subsists, or until a data subject revokes their consent to process their personal data and/or requests the deletion of their personal data.

7.8. Children's data

From a data privacy perspective, children and teenagers (individuals under 18 years old) are subject to special constitutional protection, and therefore the processing of their personal data must always respect their prevailing rights. Article 7 of the Data Protection Law prohibits the processing of personal data of children and teenagers unless it is 'public nature' data. However, this does not amount to an absolute ban on processing minors' data. Decree 1377 provides for the following specific requirements for the processing of personal data of children and teenagers:

  • that it responds to and respects the higher interest of boys, girls and adolescents; and
  • that the respect of their fundamental rights is guaranteed.

In addition, processing minors' personal information requires parental/guardian consent. This consent must be prior, express, and informed.

7.9. Special categories of personal data

The Data Protection Law includes two special categories of personal data: sensitive personal data and data collected from minors (individuals under 18 years old).

Sensitive personal data is defined as data that affects data subjects' private life or which could be used to discriminate against them. This includes by way of example, data relating to health and sexual life, biometric data and data revealing racial or ethnic origin, political orientation, religious, or philosophical beliefs, and membership of trade unions or social, human rights organisations, or organisations that promote the interests of a political party or seek to ensure the rights and guarantees of opposition parties.

Minors' personal data is information related, or that can be related, to an identified or identifiable individual younger than 18 years old.

7.10. Controller and processor contracts

For a data controller to transmit personal data to a processor, the data subject must previously have given the controller express and informed consent to transmit their personal data to a processor. Additionally, the data controller and the processor must sign a data protection agreement, or a data protection clause, in which the data processor agrees to process the personal data under the rules set forth in the controller's privacy policy.

In addition to the obligations imposed by the applicable rules, such agreement must include the following data processor obligations:

  • process the personal data, on behalf of the data controller, in accordance with data protection and security principles;
  • safeguard the security of databases wherein personal data are contained; and
  • maintain confidentiality regarding the processing of personal data.

8. Data Subject Rights

The legislation provides for the following data subject rights:

  • to access, update, and amend their personal data held by the data controller or data processor. The situations where this right may be exercised include when there is partial, inaccurate, incomplete, or misleading data, or data whose processing is expressly prohibited or has not been authorised;
  • to request evidence of the consent granted to the data controller, except when consent is not required for the processing;
  • to be informed by data controllers or data processors about the use made of their personal data;
  • to submit to the SIC claims for violations of the provisions contained in the Data Protection Law and other rules that modify, amend, or complement it;
  • to revoke authorisation and/or request the deletion of data when processing is not compliant with principles, rights, and constitutional guarantees. The revocation and/or deletion must proceed when the SIC determines that the processing by the data controller or data processor was contrary to the law and the Constitution; and
  • to have free access to their personal data that has been processed. For queries made more frequently than once per calendar month, the data controller may charge only the costs of shipping, reproduction and, where applicable, certification of documents. Reproduction costs may not be higher than the costs of recovery.

8.1. Right to be informed

Article 8 of the Data Protection Law provides for the data subject's right to be informed by data controllers or data processors about the use of their personal data.

8.2. Right to access

Article 8 of the Data Protection Law provides the data subject with the right to freely access their personal data that has been processed. For queries made more frequently than once per calendar month, the data controller may charge only the costs of shipping, reproduction and, where applicable, certification of documents. Reproduction costs may not be higher than the costs of recovery.

8.3. Right to rectification

Article 8 of the Data Protection Law provides the data subject with the right to know, update, and amend their personal data held by the data controller or data processor. The situations in which this right may be exercised include where data is partial, inaccurate, incomplete, or misleading, or where its processing is expressly prohibited or has not been authorised.

8.4. Right to erasure

Article 8 of the Data Protection Law provides the data subject with the right to revoke authorisation and/or request the deletion of data when the processing does not comply with constitutional principles, rights, and guarantees. Revocation and/or deletion must proceed when the SIC determines that the processing by the data controller or data processor was contrary to the law and the Constitution.

8.5. Right to object/opt-out

The data protection and privacy laws in Colombia provide data subjects with the right to object to the processing of their personal data. However, a right to opt out does not apply, since blanket consents and opt-out mechanisms are not considered valid: the Courts have held that these methods do not reflect an express decision that evidences the data subject's intention and choice. Strictly speaking, data subjects have no right to opt out because opt-out consent mechanisms should not be used in the first place.

8.6. Right to data portability

The legal rights of a data subject do not impose on the data controller (or its processors) an express obligation to provide the data in a specific format, although the data must be easily accessible and comprehensible to the user. Data portability in Colombia is therefore understood as an aspect of the right of access.

8.7. Right not to be subject to automated decision-making

Not applicable.

8.8. Other rights

Article 8 of the Data Protection Law provides for the data subject's right to:

  • request evidence of the consent granted to the data controller, except when consent is not required for the processing; and
  • submit to the SIC claims for violations of the provisions contained in the Data Protection Law and other rules that modify, amend, or complement it.

9. Penalties

Failure to comply with the data protection legislation may cause data subjects to file complaints before the SIC and/or for the SIC to open investigations against a company.

Penalties may include the following:

  • fines of up to 2,000 minimum statutory monthly wages (i.e., COP 1.8 billion (approx. €398,000));
  • for material breaches of the Data Protection Law, more stringent decisions such as the order to temporarily close the data controller's establishment (for up to six months), or to permanently close the establishment; or
  • suspension of activities related to the processing of personal data for up to six months in the event of material breaches of data controller obligations, or an order to definitively cease or decommission the activities related to the processing.

Title VII Bis of the Colombian Criminal Code (only available in Spanish here) specifically provides for penalties for crimes regarding the protection and confidentiality of information and data. Conduct covered by this legal provision includes:

  • unauthorised access to computer data and networks;
  • denial-of-service attacks;
  • interception of computer data;
  • unlawful damage of computer data;
  • the use of malicious code;
  • personal data breach;
  • phishing; and
  • financial theft.

Such crimes may be punished with imprisonment of four to ten years, and fines ranging from COP 90.8 million to 908 million (approx. €20,000 to €200,000).

9.1. Enforcement decisions

No further information.