The Presidency of Colombia has enacted the Regulation of the Data Protection Act—Decree 1377 of June 27, 2013. The regulation supplements the Data Protection Act that was enacted in the year 2012, Law n. 1581 of 2012.

The law followed closely the European regulatory model on data protection matters. With this regulation, Colombia is ready to apply its data protection law.

The main characteristics of this new regulation are as follows:

ADVERTISEMENT

Cassie IAPP Leaderboard - AI Checklist-041024-WP
  • Databases only for internal or domestic use are exempted from the data protection act when they are created by natural persons; thus, this exception does not apply to corporations.
  • Privacy notice is defined. This is important because this is the document to inform the data subject of his/her rights and for companies to demonstrate compliance with the data protection law.
  • Public data is defined as data that is not data that is not sensitive, nor private, nor semiprivate. This may include data obtained from public registries, official bulletins or judicial decisions. The definition is important because the authorization (consent) from the data subject is not required for public data under the Data Protection Law.
  • A new definition of sensitive data that includes biometric data.
  • Companies must preserve the evidence to prove that they have obtained authorization from the data subject.
  • Data should be preserved according to the purpose of the collection and later erased unless there is a legal or contractual duty to preserve it.
  • A special provision when data of children is collected provides that the superior interest of the child should be taken into account. Under the Data Protection Act, personal data from children is considered together with sensitive data as a special kind of personal data.
  • Companies must have a privacy policy and to make it available to individuals. The document should contain the purpose of the collection, name and other information of the data controller, rights of the data subject and explain how to request access and correction.
  • No consent is necessary from the data subject if there is an international transfer agreement. The registration of international transfer agreements is not regulated yet, although they are a requirement to transfer personal data.
  • Companies must be able to show the DPA that all requirements of the Data protection Act are in place.

In sum, one more country in Latin America completes its regulation on data protection issues and is ready to be part of the data protection club. With this regulation, Colombia is on board with Argentina, Mexico, Uruguay, Peru, Costa Rica and Nicaragua as countries that have been following closely the EU model.

Pablo A. Palazzi is a partner at Allende & Brea in Buenos Aires, Argentina, specializing in IT & IP Law. He frequently provides advice on data protection in Latin America, having worked on several regional data protection projects. He can be reached at pap@allendebrea.com.ar.