Colombia introduces new model contractual clauses

Those working with international data flows in Latin America have likely had Colombia on their radar for some time.

The country's data protection regime — anchored in Law 1581 of 2012 and its regulatory decrees — has long imposed restrictions on international transfers of personal data, particularly when data is sent to jurisdictions that do not provide "adequate" levels of protection.

On 19 Dec. 2025, Colombia's Superintendence of Industry and Commerce added a new piece to this framework by issuing Circular Externa No. 003 of 2025. The circular introduces model contractual clauses for international transfers and transmissions of personal data and sets out detailed instructions for their use. 

At first glance, this development may sound familiar to anyone accustomed to the European Union's standard contractual clauses. However, Colombia's approach has its own regulatory logic, legal effects and limitations — and those differences matter.

A voluntary instrument with binding consequences

One of the most significant aspects of Circular Externa No. 003 of 2025 is the legal nature of the model contractual clauses. The SIC is explicit that their use is facultative. Controllers and processors are not legally required to adopt them in order to carry out international transfers or transmissions of personal data.

That voluntariness, however, should not be confused with regulatory irrelevance. Once a controller or processor chooses to adopt the model contractual clauses, the obligations contained in them — and the instructions governing their implementation — become binding. The circular expressly states that failure to comply with the clauses may be assessed by the SIC as a breach of its instructions under Law 1581, with potential administrative consequences.

In practice, this creates a voluntary entry, mandatory compliance mechanism. Adoption is optional, but once the clauses are incorporated into a contractual arrangement, compliance is no longer discretionary.