Parra Rodríguez Abogados
What law(s) specifically govern personal data / information?
The national data protection act is Law 1581 of 2012, regulated by Decree 1074 of 2015.
Finance sector: Law 1266 of 2008.
Health sector: Resolution 1995 of 1999; Law 1751 of 2015; and Law 23 of 1981.
Information and Communication Technologies sector: Law 1341 of 2009; and Law 1978 of 2019.
Security and justice sector: Law 906 of 2004; and Law 1621 of 2013.
Children and minors sector: Law 1098 of 2006.
Consumer sector: Law 1480 of 2011; and Decree 587 of 2016.
What are the key data protection principles in this jurisdiction?
Legality
Purpose
Freedom (requires prior, express, and informed consent)
Truthfulness or Quality
Transparency
Restricted Access and Circulation
Security
Confidentiality
What is the supervisory authority / regulator in charge of data protection?
The competent authority in matters of data protection is the Superintendency of Industry and Commerce (SIC), through its Delegation for the Protection of Personal Data.
The regulator of data protection is the Congress of Colombia. The Congress is the main entity entitled to issue laws.
Is there a requirement to register with a supervisory authority / regulator?
No.
In any case, if “controllers” exceed a certain assets threshold, they must register their databases in the National Public Registry of Databases (RNBD) administered by the Superintendency of Industry and Commerce (SIC).
Is there a requirement to notify the supervisory authority / regulator?
Yes. Besides the National Public Registry of Databases, security breaches must be reported to the Superintendency of Industry and Commerce (SIC).
Is it possible to register with / notify the supervisory authority / regulator online?
Yes. Both security breach reports and registration in the National Public Registry of Databases can be done online on the platform provided by the Superintendency of Industry and Commerce (SIC).
What are the key data subject rights under the data protection laws of this jurisdiction?
Right to know, update, and rectify data
Right of access to proof of authorisation
Right to be informed about the use given to their data
Right to file complaints before the SIC (Superintendency of Industry and Commerce)
Right to revoke authorisation and request the deletion of data
Right to access their data freely
Is there a requirement to appoint a data protection officer (or equivalent)?
Colombian regulations do not establish a general obligation to designate a DPO.
However, the privacy policy must identify an area or person in charge of handling claims and requests.
Do data protection / privacy impact assessments need to be carried out in certain circumstances?
There is no explicit requirement to conduct an impact assessment in the general regulations.
However, it is good practice to align with international standards when the process involves advanced technologies, such as AI.
Does this jurisdiction have any specific data breach notification requirements?
Yes. Security breaches must be reported to the Superintendency of Industry and Commerce (SIC).
What restrictions apply to the international transfer of personal data / information?
Data transfers to countries without an adequate level of protection are prohibited. There are some exceptions, such as:
- With the data subject's authorisation.
- For health reasons.
- Performance of contracts.
- Bank and stock market transfers in accordance with the applicable law.
- International treaties.
- Public interest.
- Judicial requirements.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
Yes. The law applies both to processing carried out in Colombia and to processing carried out outside the country, provided that the data controller or processor is subject to Colombian law under international standards or treaties.
What rules specifically deal with marketing?
Although Law 1581 does not specifically regulate marketing, its principles (consent, purpose, etc.) will apply to any type of commercial communication. There is no separate regulation for B2B vs. B2C marketing.
There are no specific regulations on e-marketing or cookies in the general law; the general rules apply.
Do different rules apply to business-to-business and business-to-consumer marketing?
There is no separate regulation for B2B vs. B2C marketing.
What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?
There are no specific regulations on e-marketing in the general law; the general rules apply.
What rules specifically deal with cookies?
There are no specific regulations on cookies in the general law; the general rules apply.
What are the consequences of non-compliance with data protection laws (including marketing laws)?
The SIC may impose sanctions for non-compliance, require corrective measures, and conduct administrative proceedings in accordance with the Administrative Contentious Code.
In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction without being located there?
Yes. If the company's activity involves the processing of personal data in Colombia, it must comply with Colombian data protection rules.
What upcoming data protection developments should multinational organisations be aware of?
External Circular No. 2 of 2024 issued by the SIC, addressing the processing of personal data in artificial intelligence systems.
At the opening of the 12th International Congress on Personal Data Protection, the Superintendent of Industry and Commerce, Cielo Rusinque, accompanied by the Minister of Science, Technology and Innovation, Yesenia Olaya, announced the national government’s initiative to reform Law 1581 of 2012.