This article has been written by Yaiphabi Rajkumari. This article has been edited by Dipshi Swara (Senior Associate, Lawsikho).
Table of Contents
Introduction
Personal data privacy and protection is a constitutional and fundamental right in Colombia. Data Protection Regulations are applicable to all individuals, private and public companies, and government entities regardless of nationality if they carry out the processing of personal data. Two fundamental personal data rights that are recognized by Colombia are Article 15 and 20 of its Constitution. Data Protection Authority, namely the Superintendence of Industry and Commerce (“SIC”) has the power to investigate ex officio and based on complaints, alleged violations of data privacy, and data protection rights of Colombian data subjects and of data subjects domiciled in Colombia. SIC also promotes the rights of individuals related to the processing of personal data and implements educational campaigns for training and informing citizens on how to exercise their rights and their fundamental rights to data protection.
In Colombia, the data protection regime is based on consent, and processing can occur without consent only by way of limited exceptions. So data controllers and data processors must obtain prior, informed, and express consent from the data subject in order to process personal data.
Article 15 and 20
There are two fundamental rights recognized by Colombia in regards to personal data and that is Article 15 and 20 of its Constitution; Article 15 talks about the right to privacy, and Article 20 mentions the right to data rectification. Personal data that is being processed is regulated by two statutory laws and several decrees that set out the data protection obligations. The two statutory laws are as follows:
Law 1266
It regulates the processing of the data, credit records, and commercial information which are collected inside Colombia and also abroad, it also defines the habeas data and establishes the data processing principles, data subject rights, data controllers obligations, and specific rules of financial data. According to this law:
- ‘Data Subject’ is the owner of the information;
- ‘Data Source’ is a person or entity who shares a commercial relationship with the Data Subject. The information is received by the data source by virtue of this relationship, which is thereby shared with the Data Operator;
- ‘User of Data’ is a person or entity who uses the information gathered by the Data Operator and has access to the database;
- ‘Data Operator’ is a person who manages a database. The information in the database is provided by the Data Sources and shared with Users of Data, under the rules provided by Law 1266. For instance, Credit bureaus come under the category of Data Operators.
Regulator of data privacy and protection
The SIC (Superintendence of Industry and Commerce) is considered as the general data protection authority in Colombia. While the Superintendent of Finance has some specific facilities regarding data protection in relation to financial activities and financial entities that they regulate, the SIC has the power of surveillance over companies that process personal data to ensure compliance with the Data Protection Law and Law 1266/2008 concerning data on credit history reporting and consultation. It also surveys data processors, users, and information sources regulated by Financial Superintendence Law.
Functions and duties of the regulator
The functions and duties of SIC are as follows:
- Ensure compliance with personal data protection legislation
- Carry out investigations and orders necessary measures to ensure habeas data rights.
- In case the habeas data is at risk, SIC can order the temporary blocking of data if necessary to protect fundamental rights, this blockage is necessary as it is to protect the data while the final decision is adopted
- Promote the protection of personal data by implementing educational campaigns for data subjects to understand their fundamental rights to data protection
- Issue information request to the data processors and data controllers when needed
- Recommend adjustment or amendments to regulation related to technology, information, or communications
- Request cooperation of foreign countries or entities when the rights of data subjects outside Colombia territory are affected
- Manage the National Public Registry database
Data controllers and processor obligations
Article 17 of the Data Protection Law lists the obligations of the controllers and they are as follows:
- The Law requires them to guarantee the subject’s habeas data rights
- Obtain and keep records with consent that has been granted by the data subject
- To inform the purpose of processing data to the data subjects
- Maintain security measures and confidential standards to personal data
- Will not modify or disclose subjects data without consent
- Will only use the data for the purposes identified in a privacy policy or notice
- Rectify incomplete data and providing updates to the processors
- Report data breaches to SIC
- Comply with orders, requirements, and instructions made by the SIC
Additional obligations under the Decree 1377 of 2013.
- Limitations of data processing
- Cross-border transfer of databases and privacy warnings
- Adoption of the privacy policy and privacy note
- Recording databases containing personal data with the National database Registry
Article 18 of the Data Protection Law list the obligations of data processors and they are as follows:
- Guarantee exercise of the rights of Habeas data to the data subjects.
- Rectify, or delete and update data for the data subjects.
- Keep necessary security conditions to prevent loss, adulteration, consultation, or unauthorized use or fraudulent access.
- Update the databases or information reported by data protection officer within 5 business days from their recipient
- Process the consultations and claim made by the data subjects
- Adoption of internal manual of policies and procedures
- To refrain from the circulation of information that the data subject disputed and whose blocking has been ordered by SIC
- To allow only the authorized people to access information
- Registration of databases as claimed in the process according to law
- To comply with instructions and requirements issued by the SIC
- To inform SIC whenever there is a violation of the security code and there is risks in the administration of the information of the data subject
Data subjects rights
Under Article 8 the rights provided to the data subject are as follows
- To allow access, updates, and amends in their personal data held by either the data controller or the data processor. Situations in which this right may be exercised include when there is partial, inaccurate, incomplete, or misleading data or data whose processing is expressly prohibited or has not been authorized.
- To be able to request for proof or evidence of consent granted for the data to the data controller, except when the data doesn’t require consent for processing
- To be informed by the data controllers and processors on the use made by their personal data.
- To submit to the SIC claims for violations of the provisions that contain the Data Protection Law and other rules that modify, amend, or complement it.
- To revoke or request for deletion of data when processing is not compliant with principles, rights, and constitutional guarantee.
- Right to access their personal data that has been processed For queries whose frequency is greater than one per calendar month, the data controller may charge only the shipping costs, reproduction, and, where applicable, certification of documents. Reproduction costs may not be higher than recovery costs.
- Right to data portability
Law 1581
It regulates all the personal data processing, as well as databases. Law 1581 defines special categories of personal data, including sensitive data and data collected from minors. Under this law, a ‘Data Controller’ is a legal or natural person responsible for data treatment, or processing, and a ‘Data Processor’ is a legal or natural person in charge of personal data processing. This law is applicable to all of the data collected and processed in Colombia, except data regulated under Law 1266 and certain other types of data or regulated industries.
Scope of data protection
All individual, public and private entities, government entities that process personal data must comply with Law 1581/2012 (Data Protection Law). There are some exempted sectors and institutions and they are as follows:
- Information or databases in a personal or domestic context with personal and domestic aims
- Database or information or archives with national defense and security functions such as the prevention, monitoring, and inspection of money laundering and terrorist financing
- Information or databases that includes press information and editorial content
Remedies
- ADMINISTRATIVE REMEDIES
SIC can impose fines after the administrative investigation if the violation is proven
- Data controllers and processors will be subject to fine if any data protection law has been violated, the fine can be as high as 2,000minimum legal monthly salary (i.e. COP 1.8 billion (approx. €420,000))
- Successive fines could be imposed when the violation does not cease upon the order of SIC
- CIVIL REMEDIES
As Data protection is a constitutional right, any individual can come and file a complaint and claim monetary damages for the harm incurred due to the violation of the constitutional rights to privacy and habeas data, and may also demand suspension of the practice that given rise to such violation
- CRIMINAL REMEDIES
Colombian Criminal Code establishes that acts or omissions that violate the personal data protection rights such as unauthorized collection, compilation, subtraction, offer, sale, exchange, interception, disclosure, or modification of personal data, for one’s benefit or of a third party, will be subject to sanctions of imprisonment for a term between 48 to 96 months, and fine up to 1,000 minimum legal monthly salaries (equivalent to COP 644350 million or approximately USD $272914 at current rates; this cap is updated annually).
Conclusion
Data protection and privacy is a constitutional and fundamental right under Article 15 of the Colombian Political Constitution. Colombian Data Protection Authority SIC protects the data of the subject and in case of any violation of data privacy or data protection rights of Colombian data subjects and of data subjects domiciled in Colombia, the SIC takes action and provides remedies to them. The SCI collects data, processes them, then transmits personal data. The guarantee of the protection of the subject’s data is provided in the Constitution.
References
- https://www.dlapiperdataprotection.com/index.html?t=law&c=CO
- https://www.lexology.com/library/detail.aspx?g=966541e8-1c34-48cb-8c61-69610f561e40
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join:https://t.me/joinchat/J_0YrBa4IBSHdpuTfQO_sA
Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.