Financial Crime World

Data Protection Laws and Regulations in Colombia

Colombia has implemented various laws and regulations to protect personal data, specifically through the Personal Data Protection Law (Ley 1581 de 2012) and Decree 1377 of 2013. This article provides an overview of the key points in these regulations.

General Principles

The Colombian data protection law is based on several general principles:

  • Processing: The collection, storage, and processing of personal data must be done with a legitimate purpose.
  • Security: Data controllers must implement measures to protect personal data from unauthorized access or misuse.
  • Confidentiality: Personal data must be kept confidential and not disclosed without the consent of the data subject.
  • Accountability: Data controllers are responsible for ensuring compliance with these principles and regulations.

Accountability Principle

The Accountability Principle is established in Article 26 of Decree 1377, which requires data controllers to implement measures to ensure compliance with Colombian data protection law. This includes:

  • Implementing policies and procedures for the collection, storage, and processing of personal data.
  • Training personnel on data protection principles and procedures.
  • Establishing mechanisms for responding to queries, requests, and complaints from data subjects.

Controller and Processor Obligations

Notification

Data controllers are not required to notify the authorities about their data processing activities.

Data Transfers

International transfer of personal data is restricted unless:

  • The data subject has given express and unequivocal authorization.
  • The transfer is for medical purposes or public hygiene.
  • The transfer is related to bank or stock transactions.
  • The transfer is in accordance with international treaties.
  • The transfer is necessary for contract execution or pre-contractual measures, with the data subject’s authorization.
  • The transfer is required to safeguard the public interest, or for the recognition, exercise, or defense of a right in a judicial process.

Data Processing Records

Data controllers must maintain records of their data processing activities and submit them to the Superintendencia de Industria y Comercio (SIC) through the Registro Nacional de Bases de Datos (RNBD).

Security Measures

Data controllers must implement effective security measures, including:

  • Designing and implementing internal policies.
  • Establishing an administrative structure proportional to their size and business.
  • Adopting mechanisms to put these policies into practice, including implementation tools, training, and education programs.
  • Implementing procedures for attending and responding to queries, requests, and complaints.

International Transfers

For high-risk international data transfers, data controllers should perform a Privacy Impact Assessment (PIA). The PIA should include:

  • A detailed description of the processing operations involving the personal data to be transferred internationally.
  • An assessment of specific risks to the rights and freedoms of data subjects.
  • Identification and classification of risks, as well as measures necessary to mitigate them.

Conclusion

The Colombian data protection law emphasizes accountability, security, and confidentiality in handling personal data. Data controllers must demonstrate compliance with these principles and regulations to avoid potential sanctions for non-compliance.