Colombia: Privacy and Data Protection-related Laws

Laws Related to Data Protection and Privacy

Article 15 of the Colombian Constitution sets forth fundamental rights to intimacy, good name or reputation and data protection

Law “1266” reviewed by the Colombian Constitutional Court regulates the collection, use and transfer of personal information regarding monetary obligations related to credit, financial and banking services

  • This law designates two different authorities as data protection authorities: The Superintendency of Industry and Commerce (‘SIC’) and the Superintendency of Finance (‘SFC’)
  • This law defines ‘personal data’ as any information related to one or several identified or identifiable persons or which can be associated with an individual or a legal entity and private data as data that due to its sensitive or confidential nature is only relevant to the owner

Law “1581” reviewed by the Colombian Constitutional Court contains comprehensive personal data protection regulations

  • Under this law, the definition of ‘personal data’ specifically includes information related to or that may be related to one or several identified or identifiable natural or legal persons and ‘sensitive data’ as “data that relates to the intimacy of the data owner, or that, if disclosed without consent, could lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, trade-union membership, social organizations, human rights organizations, or those organizations that promote the interests of any political party or that ensure the rights and guarantees of opposition political parties, as well as data relating to health, sexual life and biometrics”
  • This law implements the constitutional right to know, update and rectify information gathered about them in databases or files, enshrined in Article 20 of the Constitution, as well as other rights, liberties and constitutional guarantees referred to in Article 15 of the Constitution
  • This law applies to:
    • Personal data stored in public or private database or files
    • any processing treatment of personal data in Colombia
    • operations performed by individuals who are not located in Colombia but are subject to the jurisdiction of Colombian Law under international standards and treaties
    • Under this law, the data owner must give informed consent for all activities pertaining the collection, use and transfer of personal data, except those that are specifically exempted from all or part of the Law

Decree 1377 of 2013 constitutes secondary regulation on data protection matters and regulates the following:

  • authorization given by data owners for personal data treatment
  • including processing treatment of sensitive data
  • measures to be implemented regarding data collected before the publication of the Decree
  • policies on processing treatment of personal data
  • the exercise of data owner’s rights
  • cross border transfer and transmission of personal data, and
  • liability regarding the processing of personal data through the organisational implementation of the accountability principle. More information here and here

Privacy and Protection Laws Applicability to Public Blockchains As the Colombian government is currently discussing the future implementation and regulation of blockchain and cryptocurrencies in the country, it is still unknown how the the laws above will apply to public blockchains.

This article provides an update on the Colombian government’s progress on investigating blockchain As a start the The Third Committee of the Colombian Senate convened on June 6 to discuss the future implementation and regulation of cryptocurrencies and blockchain in the country

Laws Related to Data Protection and Privacy

  • Article 15 of the Colombian Constitution sets forth fundamental rights to intimacy, good name or reputation and data protection
  • Law “1266” reviewed by the Colombian Constitutional Court regulates the collection, use and transfer of personal information regarding monetary obligations related to credit, financial and banking services
    • This law designates two different authorities as data protection authorities: The Superintendency of Industry and Commerce (‘SIC’) and the Superintendency of Finance (‘SFC’)
    • This law defines ‘personal data’ as any information related to one or several identified or identifiable persons or which can be associated with an individual or a legal entity and private data as data that due to its sensitive or confidential nature is only relevant to the owner
  • Law “1581” reviewed by the Colombian Constitutional Court contains comprehensive personal data protection regulations
    • Under this law, the definition of ‘personal data’ specifically includes information related to or that may be related to one or several identified or identifiable natural or legal persons and ‘sensitive data’ as “data that relates to the intimacy of the data owner, or that, if disclosed without consent, could lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, trade-union membership, social organizations, human rights organizations, or those organizations that promote the interests of any political party or that ensure the rights and guarantees of opposition political parties, as well as data relating to health, sexual life and biometrics”
    • This law implements the constitutional right to know, update and rectify information gathered about them in databases or files, enshrined in Article 20 of the Constitution, as well as other rights, liberties and constitutional guarantees referred to in Article 15 of the Constitution
    • This law applies to:
      • Personal data stored in public or private database or files any processing treatment of personal data in Colombia
      • Operations performed by individuals who are not located in Colombia but are subject to the jurisdiction of Colombian Law under international standards and treaties
    • Under this law, the data owner must give informed consent for all activities pertaining the collection, use and transfer of personal data, except those that are specifically exempted from all or part of the Law
  • Decree 1377 of 2013 constitutes secondary regulation on data protection matters and regulates the following:
    • Authorization given by data owners for personal data treatment
    • Including processing treatment of sensitive data
    • Measures to be implemented regarding data collected before the publication of the Decree
    • Policies on processing treatment of personal data
    • The exercise of data owner’s rights
    • Cross border transfer and transmission of personal data, and
    • Liability regarding the processing of personal data through the organisational implementation of the accountability principle.
    • More information here and here

Privacy and Protection Laws Applicability to Public Blockchains

  • As the Colombian government is currently discussing the future implementation and regulation of blockchain and cryptocurrencies in the country, it is still unknown how the the laws above will apply to public blockchains
  • This article provides an update on the Colombian government’s progress on investigating blockchain
    • As a start the The Third Committee of the Colombian Senate convened on June 6 to discuss the future implementation and regulation of cryptocurrencies and blockchain in the country

Sources

Previous Section Next Section

Have a comment, edit, or item to add? Share your thoughts by commenting below!

comments powered by Disqus

NEO