Colombia Law 1581

Who is excluded from Law 1581 compliance? 

There are some exemptions with Law 1581, referring to databases held by sectors or institutions which fall outside its scope, such as: 

• databases maintained for personal or domestic purposes. One important exception is when these databases would be provided to any third party, in which case prior authorization is required.
• databases whose purpose is national security protection;
• databases belonging to intelligence or counterintelligence agencies; 
• databases or archives relating to journalistic information or any other editorial type of content; 
• databases regulated by Law 1266 of 2008, regulating the way data related to financial entities, commercial information, or credit data is to be processed;
• databases regulated by Law 79 of 1993 which regulates population census. 
  
  

How can I keep my organization Law 1581 compliant? 

Law 1581 offers in Article 4 several principles for your organization to take into account when staying compliant, as follows: 

Legality: data processing has to be done within the legal framework established by this law.

Purpose: data processing has to have legitimate purposes, according to both this law and Colombian Constitution, and data subjects have to be informed of said purposes. 

Freedom: data collection and processing has to be done with the consent of the data subject which was obtained prior to the collection/processing.

Accuracy: the data has to be true, complete, accurate, verifiable, understandable, and up to date.

Transparency: data processing has to be done in such a way so as to guarantee the data subjects’ right to obtain at any time and without any restrictions, from either the data controller or the data processor, information concerning the existence of personal data that relates to them. 

Access: access to data, or data processing activities, can only be made available to those authorized by the owner of the data and/or by persons authorized by this law. Also, it is prohibited from making public personal data that is not public information in and of itself, either via the Internet or by other means of mass communication or dissemination, unless access is technically regulated so as to control the level of access to knowledge to only the owner of the data or those third parties that are authorized by this law. 

Security: in the course of data processing you are required to ensure the implementation and use of any necessary measures - technical, administrative, human - that will ensure the security of the data, preventing its corruption, loss, or unauthorized access.

Confidentiality: any person or persons involved in personal data processing are required to observe the principle of confidentiality, even after the cessation of their relationship with the data processing, i.e. even after they are no longer employees of the data processor, being responsible for observing this law and its regulations. 

These are later outlined in Articles 17 and 18 under obligations of the data controllers and data managers (in effect, data processors), where data breach notifications are also regulated, as you are required to “inform the data protection authority when there are violations of security codes and there are risks in the administration of the information of the Holders.”

According to Article 7 of Decree 1377 of 2013 you need to establish mechanisms to obtain consent of data subjects or their legal guardian, as is the case. The mechanisms in question may be what a translated version of the law calls “predetermined through technical means that facilitate the Owner's (data subject’s) automated manifestation” and consent meets this requirement if it is expressed “in writing, orally, or through unequivocal conduct of the owner that allows the conclusion in a reasonable manner that he granted the authorization.” Silence on the part of the data subject will not be considered as unequivocal conduct. 

Articles 13 through 15 of the Decree, regulate Information Processing Policies and Privacy Notices, both of which have to contain a series of details that help data owners be informed of the way their data is collected and processed. While both have to include your company’s details, types and purposes of data processing, or data subject rights, the Information Processing Policy has to inform data subjects of the contact details for the person responsible with handling requests and claims, as well as its effective date and validity period, while the Privacy Notice has to ensure easy access to the Information Processing Policy and if sensitive personal data is being processed, it has to expressly indicate this to data subjects as well as to inform them of the optional nature of questions related to this type of data. 

Although there is no specific mention of a Data Protection Officer (DPO), Article 23 of the Decree states that a responsible party or manager must appoint either a person or a department that will be in charge of personal data protection, whose responsibility it will be to process data subject requests for the rights granted by the Law.

Decree 090 of 2018 regulates, among other aspects, who has to be registered in the National Registry Database (NDR). As such, your business has to register if it meets the following criteria as relates to your automated or manual processing of databases that contain personal data: 

• You are a company or a non-profit entity that has assets greater than 100,000 Units of tax value (UVT). At the current conversion rates, this means that if you have assets greater than $937,000 you must be registered with the NDR.
• You are a legal entity of a public nature. 

The deadline for registration for newly created databases is within 2 months of their creation.

What data access rights does Law 1581 grant? 

Law 1581 grants three data subject rights to individuals: 

• Right to access

• Right to correct inaccurate information

• Right to delete inaccurate information

Additionally, individuals can submit complaints to the regulating authority, revoke consent and have free access to personal data that has been processed. 

How to address data subject access requests under Law 1581?

Law 1581 stipulates in Article 11 that the personal data you provide to a data subject following a request for access can be provided by any means, including electronic ones, but the data has to be easy to read and to access, and it has to correspond to what you hold in your database. 

According to Decree 1377’s Article 20, the exercising of the data subject rights can be done by the data owners themselves, by their successors, by a legal representative or proxy, or by stipulation in favor of or for another data subject, and in the case of children or teenagers, data rights will be exercised by those legally authorized to represent them. 

Article 21 of the Decree stipulates that access to their personal data should be given to data subjects free of charge at least once per month or anytime there are significant changes to your organization’s Information Processing Policy that would require them to consult it. Also, it is your responsibility to “establish simple and agile mechanisms that are permanently available to the Holders so that they can access the personal data that are under their control and exercise their rights over them.”

Enforcement and penalties

The regulating authority is the Superintendence of Industry and Commerce (SIC) who may impose administrative sanctions on data controllers and processors as follows:

• Fines of up to 2,000 legal minimum monthly wages. At the current conversion rate, this means sanctions may go up to $574,000. These fines may be successive for as long as the non-compliance continues to occur. 
• Up to a 6 months suspension of activity of the data controller plus corrective measures to be adopted.
• Temporary closure of operations following suspension if the data controller fails to adopt the corrective measures imposed. 
• Immediate and permanent closure of operations where the violation refers to sensitive personal data. 

In the event that the violation applies to a public authority, the SIC will direct this to the Attorney General’s Office who will proceed with an investigation. 

There are also criminal penalties that apply as data protection is a constitutional right. As such, according to the Colombian Criminal Code, Articles 269A and 269J, a penalty is enforced for unauthorized access to databases, consisting of a prison sentence between 48 and 96 months (4 to 8 years) and a fine equivalent to between 100 and 1,000 legal minimum monthly wages, about $28,700 and $287,000 at the current conversion rate. 

For transfers of personal information without consent, for the purpose of obtaining a profit, the penalty incurred is a prison sentence between 48 and 120 months (4 to 10 years) and a fine equivalent to between 200 and 1,500 legal minimum monthly wages, about $57,400 and $430,000 at the current conversion rate. 

Data Subject Rights - GDPR vs. Law 1581