
With globalization and new forms of commerce, data protection has become an issue for most lawmakers and a matter of interest for companies. Personal data is now taken into account by companies, and even by states, when making decisions. Personal data and information have even been described as "the new petroleum of the Internet and the new currency of the digital world".1 The European Union developed data protection regulation long ago; Spain, for example, has a strong data protection system.

Latin American countries have started to pay attention to data protection, because of the importance of protecting the rights of data subjects. Companies also see an interesting market to be developed in data storage, but for a country to be a suitable location for that business it needs strong data protection regulation. This Quick Counsel comments on the new data protection regulation in Colombia and its implications for companies that handle data. It is worth noting that almost all companies and public offices manage data and therefore keep databases, which makes them subject to the regulation. Colombian regulation is strict: it requires that companies and the public sector comply with it and adapt their internal procedures to the new rules. This has meant a change in corporate culture and in the behavior of employees and of everyone involved in data handling.


The habeas data right in Colombia was recognized as a fundamental right by article 15 of the Colombian Constitution, and its protection has been guaranteed by judgments of the Constitutional Court, since there was no other binding regulation protecting it. The habeas data right includes the right of individuals to know, rectify and update their personal information.

In 2008 the National Government considered it necessary to issue a law protecting the rights related to the use of personal data in financial services; this was materialized in Law 1266 of 2008. Law 1266 included general habeas data provisions, but focused on financial and credit services. It did not apply to data handled in order to offer services, personal data used in commercial relations, personal data handled by the public sector, and so on.

Relevant Aspects Of Law 1581 Of 2012

On October 18, 2012 the Government issued Law 1581 of 2012 (hereinafter the "Data Protection Regulation"), which established the general provisions for personal data protection, with the principal aim of protecting the data subject and guaranteeing his or her rights. It is worth mentioning that the issuance of the law was preceded by a judgment of the Constitutional Court on its constitutionality, and many of the matters it regulates were interpreted by the constitutional judges (Judgment C-748 of 2011). Among those matters are the handling of children's data and the applicability of the law to legal persons. The Constitutional Court established that the personal data of children and adolescents may be processed by data controllers or processors, as long as doing so does not jeopardize the prevalence of their rights and unequivocally pursues a superior interest.

The Data Protection Regulation establishes that its provisions do not apply to personal data contained in the following databases: (i) personal or domestic; (ii) security and national defense, and the prevention, detection, monitoring and control of money laundering and terrorism financing; (iii) intelligence and counter-intelligence; (iv) journalistic information; (v) financial and credit information (Law 1266 of 2008); and (vi) population censuses (Law 79 of 1993).

As mentioned before, there is also a specific regulation on data protection for the financial sector (Law 1266 of 2008). The Data Protection Regulation, being the general provision on data protection, establishes that its general principles apply in any case to financial and credit information databases.

Law 1581 sets out the rights of data subjects and the duties of data controllers and data processors. Data subjects may exercise their rights at any time, including the right to require their removal from a database, regardless of the authorization they gave for handling their personal data. Regarding sensitive data (such as data related to gender, sexual orientation, political and religious views and clinical history, among others), sensitive data may be handled only in the cases contemplated by the law, which include, among others, the data subject's authorization of its use. The authorization given for this purpose must be express and prior, and it is important that it identifies the data to which it applies. A great variety of data protection matters were left to be regulated by specific rules, which we comment on below.

Specific Regulation Of Law 1581 Of 2012

As pointed out, the Data Protection Regulation is a general instrument that established the basis for protecting personal data, and some matters, such as international data transfers, consent of the data subject, the privacy policy and privacy notice, data subjects' rights, accountability, children's data, Binding Corporate Rules and the National Registry of Databases, were left to be regulated. On June 27, 2013 the National Government issued Decree 1377 of 2013 (hereinafter the "Regulatory Decree"), which addressed some of the matters mentioned above.

One of the matters regulated by the Regulatory Decree is how to obtain consent from the data subject. Data collection is limited to the information that is necessary and adequate to accomplish the purpose of the database, and that purpose must be stated either in the privacy notice or in the privacy policy; the authorization given by the data subject must therefore state that his or her data may be handled to accomplish that purpose. Data cannot be used for purposes not expressly authorized by the data subject.

Consequently, if any substantial change in the purpose occurs, the data subject must be informed in order to obtain a new authorization covering the new purpose. When dealing with sensitive data, as mentioned before, the authorization must also identify the sensitive data that the subject is authorizing to be handled, and the purpose must be express.

The Regulatory Decree also addressed databases that were already in operation before June 27, 2013, and the way data controllers should obtain authorization for the use of such data. According to the Regulatory Decree, database controllers could choose either of the following options to obtain authorization from the data subjects included in those databases:

(i) Request an individual authorization from each data subject, using the mechanisms normally used in that type of relationship (e.g. emails); or

(ii) Where the previous option implied high costs, or it was impossible to contact the data subject, use alternative communication mechanisms (such as newspapers, the company's web page and magazines). This option could be used only until July 27, 2013.

Once the Regulatory Decree was issued, many companies decided to publish a communication through the alternative mechanisms in order to continue handling the data of subjects whose data had been collected before June 27, 2013. People also saw their inboxes flooded with communications from many companies informing them of the existence of the company's privacy policy, letting them know that their data was being handled in accordance with it, and that if they wished to be excluded from the database they could request this from the company by sending a communication. This led some sectors to argue that the new Data Protection Regulation was not being respected and that data privacy and the habeas data right were being violated. Nonetheless, the Regulatory Decree remains applicable, and the Superintendence of Industry and Trade (SIC), the authority in charge of applying the Habeas Data Regulation, is enforcing the law.

The basic content required of a privacy policy document was also established by the Regulatory Decree. According to it, the privacy policy must be kept in electronic or written form and must contain at least the following elements: i) identification of the controller; ii) description of the purpose and the manner of processing the data; iii) the rights of the data subject; iv) identification of the person or area responsible for processing the data; v) the procedure for exercising the data subject's rights; and vi) the term of applicability. Companies may also have a privacy notice, a shorter document in which the company informs about the existence of the privacy policy, the rights of the data subject and the procedure for exercising them.

One of the most important matters regulated by the decree is the international transfer and transmission of data, since most companies have their head office or subsidiaries outside Colombia, or have hired data processors outside the country because the technical capacity is not fully available locally. The Regulatory Decree therefore requires that, in order to transfer or internationally transmit personal data, the data controller hold an express authorization from the data subject. As an alternative that does not require the subject's authorization, the decree allows the data controller and the processor to sign a data transmission agreement in which the purposes of the processing are clearly established.

A data transfer takes place when data is sent from a controller or a processor to another controller outside the country, for example when a subsidiary sends personal data to its parent company abroad. A data transmission takes place when a processor uses or receives data in order to process it; in this case the data is not sent to a controller, and the processor performs activities related to processing the data. The data transmission agreement allows companies belonging to a corporate group to carry out data transfers without a specific authorization from the data subject, provided the companies of the group sign the agreement, and until the regulation on Binding Corporate Rules is issued.

The Regulatory Decree also dealt with accountability and established obligations for controllers aimed at guaranteeing compliance with the Habeas Data Regulation. Controllers must therefore be able to provide the SIC with information about their data collection procedures, a description of the purpose, and an explanation of the relevance of the data collected.

Data Protection Authority

According to Law 1581 of 2012, the SIC is the authority in charge of enforcing the Habeas Data Regulation. These functions are carried out specifically by the Delegate for Data Protection. Law 1581 of 2012 also establishes that the SIC will be in charge of the National Registry of Databases once the registry is created. A draft regulatory decree on the creation of the National Registry of Databases is currently under study.

Since the SIC is the authority that enforces the Habeas Data Regulation, it is responsible for ensuring compliance with the regulation and may impose sanctions in case of breach. The applicable sanctions are the following:

* Personal and institutional fines of up to 2,000 monthly legal minimum Colombian wages at the time of the sanction (for 2013, COP$ -, approximately US$594,000).

* Suspension of activities related to the processing of data for up to six (6) months.

* Temporary closure of the operations related to data processing, once the term of suspension has elapsed and no corrective measures have been taken.

* Immediate and definitive closing of the operation involving sensitive data.

What Is Missing?

As mentioned before, the implementation of the National Registry of Databases has not yet been regulated, and the authority is still developing the regulation on Binding Corporate Rules. The latter is an important development, both to certify Colombia as a country with an adequate level of protection and to allow corporate groups to carry out international data transfers within the group to other countries where group companies are located, even if those countries do not meet adequate levels of protection. Implementing the Data Protection Regulation also requires a considerable effort from companies. Because the Data Protection Regulation is very strict, companies are starting to implement measures in order to avoid sanctions.


The Data Protection Regulation implies major changes within companies, starting with their internal policies and the behavior of their employees when dealing with personal data. The biggest challenge for companies will therefore be to train their employees in complying with all of the company's data protection duties, especially those related to the security and confidentiality of data, since breaches of those duties are the ones most likely to expose the company to risk. The new regulation also means that data subjects are more aware of their rights: they will require more protection from data controllers and processors, demand more privacy, and need more knowledge of their own data and of how it has been given away. Since Colombia has not had a data protection culture, and one must now be created, this will be a major obstacle, as the understanding of the regulation and its application will differ among companies, employees, authorities and data subjects.

Additional Resources

1 Meglena Kuneva, European Consumer Commissioner. Roundtable: Keynote Speech. Brussels, March 31, 2009. Cited in Nelson Remolina-Angarita, "¿Tiene Colombia un nivel adecuado de protección de datos personales a la luz del estándar europeo?", 16 International Law, Revista Colombiana de Derecho Internacional, 489-524 (2010).
