New regulation in Colombia

Prof. Nelson Remolina's data protection blog informed us that the Presidency of Colombia has enacted the Regulation of the Data Protection Act (see Decree 1377 of 2013). The Regulation supplements the Colombian Data Protection Act, which was enacted in 2012 (Law n. 1581 of 2012). The Law closely followed the European regulatory model on data protection matters. With this Regulation, Colombia is ready to apply its data protection law. The main characteristics of this new Regulation are:

–       Databases only for internal or domestic use are exempted from the Data Protection Act when they are created by natural persons (thus, this exception does not apply to corporations).

–       Privacy notice is defined. This is important because it is the document that informs the data subject of his/her rights and that companies use to demonstrate compliance with the data protection law.

–       Public data is defined as data that is not sensitive, nor private, nor semiprivate. This may include data obtained from public registries, official bulletins or judicial decisions. The definition is important because the Authorization (consent) from the data subject is not required for public data under the Data Protection Act.

–       A new definition of sensitive data, which includes biometric data.

–       Companies must preserve the evidence to prove that they have obtained Authorization from the data subject.

–       Data should be preserved according to the purpose of the collection and later erased unless there is a legal or contractual duty to preserve it.

–       A special provision when data of children is collected provides that the superior interest of the child should be taken into account. Under the Data Protection Act, personal data from children is considered together with sensitive data as a special kind of personal data.

–       The Regulation requires a Privacy Policy to be in place and made available to individuals. The document should contain the purpose of the collection, the name and other information of the data controller, and the rights of the data subject, and should explain how to request access and correction.

–       The Regulation clearly provides that no consent is necessary from the data subject if there is an international transfer agreement. The registration of international transfer agreements is not regulated yet, although they are a requirement to transfer personal data.

–       The Regulation clearly establishes that companies must be able to show the DPA that all requirements of the Data Protection Act are in place.

In sum, one more country in Latin America completes its regulation on data protection issues and is ready to be part of the data protection club. With this regulation, Colombia is on board with Argentina, Mexico, Uruguay, Peru, Costa Rica and Nicaragua as countries that have been following closely the EU model.