Colombia introduces new model contractual clauses

On 19 Dec. 2025, Colombia's Superintendence of Industry and Commerce added a new piece to this framework by issuing Circular Externa No. 003 of 2025. The circular introduces model contractual clauses for international transfers and transmissions of personal data and sets out detailed instructions for their use.

At first glance, this development may sound familiar to anyone accustomed to the European Union's standard contractual clauses. However, Colombia's approach has its own regulatory logic, legal effects and limitations — and those differences matter.

A voluntary instrument with binding consequences

One of the most significant aspects of Circular Externa No. 003 of 2025 is the legal nature of the model contractual clauses. The SIC is explicit that their use is facultative. Controllers and processors are not legally required to adopt them in order to carry out international transfers or transmissions of personal data.

That voluntariness, however, should not be confused with regulatory irrelevance. Once a controller or processor chooses to adopt the model contractual clauses, the obligations contained in them — and the instructions governing their implementation — become binding. The circular expressly states that failure to comply with the clauses may be assessed by the SIC as a breach of its instructions under Law 1581, with potential administrative consequences.

In practice, this creates a voluntary entry, mandatory compliance mechanism. Adoption is optional, but once the clauses are incorporated into a contractual arrangement, compliance is no longer discretionary.

From a practical standpoint, this means organizations must think carefully before incorporating the SIC's clauses into their contracts. Their adoption is not a box-ticking exercise. It establishes enforceable obligations toward data subjects, counterparties and the data protection authority itself.

Transfers, transmissions and contractual discipline

Data protection law in Colombia draws a clear distinction between international "transfers" and "transmissions" of personal data. Transfers occur when personal data is sent from a controller in Colombia to another controller located abroad. Transmissions, by contrast, involve the disclosure of personal data from a controller in Colombia to a processor located outside the country.

The circular addresses both scenarios and includes two distinct sets of model agreements: one for controller-to-controller transfers and another for controller-to-processor transmissions. It also clarifies that the use of these clauses does not alter the legal classification of the operation or the statutory obligations applicable to controllers and processors under Colombia's law.

Substantively, the clauses reflect familiar data protection principles, including purpose limitation, accountability, transparency, data security, confidentiality and breach notification. They also grant data subjects enforceable rights as third-party beneficiaries, a feature that underscores their binding character.

At the same time, the circular imposes clear limits on contractual flexibility. While organizations may supplement the clauses with additional safeguards, they may not modify them in a way that reduces or weakens the level of protection afforded to data subjects. In the event of any inconsistency, data protection law and SIC instructions prevail.

Safeguards, not shortcuts

A critical clarification in the circular is that the model contractual clauses do not replace the requirements set out in Article 26 of Law 1581. Their adoption does not, by itself, lift the general prohibition on transfers to countries that do not provide an adequate level of data protection.

Instead, the clauses operate as complementary safeguards. They may be used where a transfer falls within one of the statutory exceptions provided by law or where the controller has otherwise verified compliance with Colombia's requirements. The circular is explicit that adopting the clauses does not exempt organizations from conducting this prior legal assessment.

This point is particularly important for multinational organizations accustomed to jurisdictions where standard contractual clauses function as a standalone legal basis for international transfers.

Regulatory signaling and risk management

Although voluntary, the model contractual clauses serve a clear signaling function. By endorsing a standardized contractual framework — developed by the Ibero-American Data Protection Network and adopted by several countries in the region — the SIC is articulating its expectations regarding appropriate safeguards for cross-border data flows.

For organizations subject to SIC oversight, this matters. In the context of an investigation, the use of the model clauses may be viewed as evidence of diligence and good-faith compliance efforts. Conversely, relying on bespoke contractual mechanisms that diverge materially from the SIC's model may invite closer scrutiny, even if such mechanisms are not prohibited.

In this sense, Circular Externa No. 003 of 2025 functions as a soft-law instrument with tangible effects on compliance strategies, contractual practices and risk management decisions.

A brief comparison with the European framework

It is difficult to discuss model contractual clauses without referencing the EU. Under the EU General Data Protection Regulation, standard contractual clauses adopted by the European Commission are a central mechanism for legitimizing transfers of personal data to third countries without adequacy decisions.

There are clear similarities between the approaches in Europe and Colombia. Both rely on standardized contractual commitments, emphasize accountability and recognize data subjects as third-party beneficiaries. Both seek to extend data protection safeguards beyond national borders through private law instruments.

There are also important differences. In the EU, standard contractual clauses are formally recognized transfer mechanisms capable of establishing a lawful basis for international transfers. In Colombia, by contrast, the model clauses are expressly framed as complementary safeguards and do not constitute an independent legal authorization. Moreover, while EU practice increasingly focuses on transfer impact assessments and foreign surveillance risks, Colombia's circular remains primarily focused on contractual alignment and administrative instructions.

That said, the broader direction is similar. Colombia is gradually aligning its approach to international data transfers with global and regional standards, while preserving its existing statutory architecture.

Practical takeaways

For privacy professionals and in-house counsel, the message is straightforward: Circular Externa No. 003 of 2025 should not be ignored simply because the clauses it introduces are voluntary.

Organizations should begin by mapping their international data flows and identifying the legal bases currently relied upon for transfers and transmissions. From there, they can assess whether adopting the model contractual clauses would strengthen their compliance posture or provide additional regulatory certainty.

Where the decision is made to adopt the clauses, implementation should be deliberate and consistent, ensuring alignment with internal policies, vendor management processes and incident response procedures.

Ultimately, the circular represents a step — not a destination — in Colombia's evolving approach to cross-border data protection. For organizations operating across jurisdictions, understanding how these requirements interact with other regimes, including the GDPR, will remain essential to managing compliance in an increasingly interconnected regulatory landscape.

Margarita Fandiño, CIPP/E, is compliance officer and data protection lead at Publicis Groupe Colombia.

This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.

Submit for CPEs

Interested in writing for us? Visit our Contributor Guidelines Page