A New Precedent for Data Protection in Colombia

Statutory Law 1581 of 2012 (October 17) is a data privacy law that was passed in the country of Colombia in 2012. Statutory Law 1581 of 2012 (October 17) was passed for the purposes of developing the “constitutional right that all people have to know, update and rectify the information that has been collected about them in databases or files, and the other rights, freedoms, and constitutional guarantees referred to in the Article 15 of the Political Constitution.”
As such Statutory Law 1581 of 2012 (October 17) establishes the legal basis upon which personal data may be collected and processed within Colombia, as well as the potential punishments that may be imposed as a result of non-compliance with the law.

How are data controllers and processors defined?

Statutory Law 1581 of 2012 (October 17) does not provide a definition for the terms data controller or processor. Alternatively, the law uses the phrase “responsible for the treatment of data” to refer to concepts of data controlling and processing. To this point, the law defines the term treatment as “any operation or set of operations on personal data, such as the collection, storage, use, circulation or deletion.” Moreover, an individual for an organization that is responsible for the treatment of data is defined as “a natural or legal person, public or private, that by itself or in association with others, carries out the Treatment of personal data on behalf of the Person Responsible for the Treatment”, or a “Natural or legal person, public or private, that by itself or in association with others, decides on the database and/or the Treatment of the data.”

What are the requirements of individuals and organizations?

Under Statutory Law 1581 of 2012 (October 17), individuals and organizations who are responsible for the treatment of personal data within Colombia are responsible for adhering to the following data protection principles when collecting or processing personal data:

• Principle of legality regarding data processing- Individuals and organizations are responsible for ensuring that any personal data they process is done so on the basis of legality.
• Principle of purpose- Individuals and organizations are responsible for ensuring that personal data is only collected or processed for legitimate and legal purposes, and said purposes must be in accordance with law and be informed to the applicable holder (data subject).
• Principle of freedom- The treatment of personal data can only be “exercised with the prior, express, and informed consent of the Holder. Personal data may not be obtained or disclosed without prior authorization, or in the absence of a legal or judicial mandate that relieves consent.”
• Principle of truthfulness or quality- All personal data that is subject to treatment must be complete, exact, verifiable, updated, and understandable. The processing of personal data that is partial, fractional, incomplete, or misleading is strictly prohibited.
• Principle of transparency- During the course of the treatment of personal, data holders have the right to request information concerning such processes, at any time and without restrictions/.
• Principle of access and restricted circulation- The treatment of personal data is “subject to the limits that derive from the nature of the personal data, the provisions of this law and the Constitution. In this sense, the Treatment can only be done by persons authorized by the Holder and/or by the persons provided for in this law.”
• Security principle- All personal data that is to undergo treatment must be handled in accordance with appropriate technical, administrative, and human measures for the purposes of protecting said data from alteration, damage, loss, unauthorized access, or misuse.
• Principle of confidentiality- All individuals and organizations who engage in processes relating to the treatment of personal data must do so in accordance with the principle of confidentiality.

What are the rights of Colombian citizens under the Law?

Under Statutory Law 1581 of 2012 (October 17), Colombian citizens have the following rights as it relates to the protection of their personal data:

• The right to access.
• The right to be informed.
• The right to erasure.
• The right to rectification.
• The right to object or opt-out.
• The right to file a complaint.

In terms of the enforcement of the law, the “Superintendency of Industry and Commerce, through a Delegation for the Protection of Personal Data, will exercise vigilance to guarantee that in the Processing of personal data the principles, rights, guarantees, and procedures provided for in this law are respected.” To this end, individuals and organizations within Colombia who violate the provisions of the law are subject to a variety of penalties and punishments, including “fines of a personal and institutional nature up to the equivalent of two thousand (2,000) legal monthly minimum wages”, and the “suspension of the activities related to the Treatment up to a term of six (6) months”, among others.

Through the passing of Statutory Law 1581 of 2012 (October 17), the country of Colombia was able to effectively guarantee the data protection and personal privacy rights of their respective citizens. As such, Colombia has joined the ranks of other nations within South American that have taken to legislative measures to protect the personal data of its citizens, as illustrated by laws such as Brazil’s General Data Protection Law or LGPD and Ecuador’s Personal Data Protection Law. More importantly. However, Colombian citizens can have the peace of mind that their personal data is being protected at all times.