What is Law 1581?
Law 1581 of 2012 is Colombia’s general data protection law. It regulates how personal data is collected and processed in databases or archives and develops the constitutional right of every individual “to know, update and rectify the information that has been collected about them.”
Although it is Colombia’s main data protection law, it is partially regulated by Decree 1377 of 2013, which covers matters such as cross-border transfers and the limits that apply to data processing, among others. Other statutes and resolutions further detail how data privacy is to be handled in Colombia: Statutory Law 1266 of 2008 governs habeas data, that is, the processing of financial, commercial and credit information, and Decree 090 of 2018 sets the criteria for registration in the National Database Registry (NDR), which is mandatory for certain entities.
What is Personal Information and what are other key definitions?
Law 1581 defines ‘personal data’ as any information linked to, or that may be associated with, one or more identified or identifiable natural persons. It gives a more detailed definition of ‘sensitive data’: data that affects the privacy of the data subject and whose misuse could lead to discrimination. Sensitive data includes data revealing racial or ethnic origin; political orientation; religious or philosophical convictions; membership of trade unions, social organizations or human rights organizations; and data relating to health, sex life and biometric data.
The law defines both roles in the processing chain. A ‘data controller’ (responsible party) is a natural or legal person, public or private, who, alone or in association with others, decides on the database and/or the processing of the data. A ‘data processor’ is a natural or legal person, public or private, who, alone or in association with others, processes personal data on behalf of a data controller.
In addition to these definitions, Decree 1377 defines a ‘Privacy Notice’ as a verbal or written communication issued by the responsible party (data controller) and addressed to the data subject about the processing of their personal data, informing them of the existence of the Data Processing Policies that will apply, how to access those policies, and the purposes for which their personal data will be processed. This definition matters when distinguishing privacy notices from data processing policies: both must be made available to data subjects to inform them, and each has specific content it must include.
Who has to comply with the Law 1581?
Law 1581 applies to personal data recorded in any database that makes the data susceptible to processing by public or private entities. As for territorial scope, the law covers any processing of personal data carried out on Colombian territory, as well as processing carried out outside the country by a controller or processor not established in Colombia when Colombian law applies to them under international norms and treaties.
Who is excluded from Law 1581 compliance?
Law 1581 exempts databases held by certain sectors or institutions that fall outside its scope, namely:
- databases maintained for exclusively personal or domestic purposes. One important exception: if such a database is to be supplied to a third party, the data subject must first be informed and their authorization obtained;
- databases whose purpose is national security and defense, or the prevention, detection, monitoring and control of money laundering and terrorism financing;
- databases belonging to intelligence or counterintelligence agencies;
- databases or archives of journalistic information or other editorial content;
- databases regulated by Law 1266 of 2008, which governs the processing of financial, commercial and credit information;
- databases regulated by Law 79 of 1993, which governs the population census.
How can I keep my organization Law 1581 compliant?
Article 4 of Law 1581 sets out the principles your organization must observe to stay compliant:
Legality: data processing must be carried out within the legal framework established by this law.
Purpose: data processing must serve a legitimate purpose under this law and the Colombian Constitution, and data subjects must be informed of that purpose.
Freedom: data may only be collected and processed with the prior, express and informed consent of the data subject; personal data may not be obtained or disclosed without that authorization unless a legal or judicial mandate relieves the need for consent.
Accuracy: the data must be true, complete, accurate, verifiable and understandable, and must be kept up to date.
Transparency: data processing must guarantee the data subject’s right to obtain, at any time and without restriction, from either the data controller or the data processor, information about the existence of personal data relating to them.
Restricted access and circulation: personal data, and its processing, may only be made available to persons authorized by the data subject and/or by this law. Publishing personal data that is not public by nature on the Internet or through other means of mass communication is prohibited unless access is technically controlled so that only the data subject, or third parties authorized by this law, can obtain it.
Security: when processing data you must implement the technical, human and administrative measures needed to keep it secure and to prevent its alteration, loss, or unauthorized or fraudulent access.
Confidentiality: everyone involved in personal data processing must keep the data confidential, even after their relationship with the processing ends (for example, after they are no longer employees of the data processor), and remains responsible for observing this law and its regulations.
These principles are developed in Articles 17 and 18, which list the duties of data controllers and data processors respectively. Breach notification is regulated there as well: controllers are required to “inform the data protection authority when there are violations of security codes and there are risks in the administration of the information of the Holders.”
According to Article 7 of Decree 1377 of 2013 you must establish mechanisms to obtain the consent of data subjects, or of whoever is legally entitled to act for them. These mechanisms may be, in the words of a translated version of the Decree, “predetermined through technical means that facilitate the Owner's (data subject’s) automated manifestation,” and consent meets the requirement if it is expressed “in writing, orally, or through unequivocal conduct of the owner that allows the conclusion in a reasonable manner that he granted the authorization.” Silence on the part of the data subject is never treated as unequivocal conduct.
Articles 13 through 15 of the Decree regulate Information Processing Policies and Privacy Notices, both of which must contain details that let data subjects understand how their data is collected and processed. Both must include your company’s details, the types and purposes of processing, and the data subject’s rights. In addition, the Information Processing Policy must state the contact details of the person or department responsible for handling requests and claims, together with its effective date and validity period, while the Privacy Notice must ensure easy access to the Information Processing Policy and, if sensitive personal data is processed, must say so expressly and inform data subjects that answering questions about such data is optional.
Although there is no explicit mention of a Data Protection Officer (DPO), Article 23 of the Decree requires controllers and processors to designate a person or department in charge of personal data protection, responsible for handling data subjects’ requests to exercise the rights granted by the Law.
Decree 090 of 2018 regulates, among other things, who must register in the National Database Registry (NDR). Your organization must register its databases containing personal data, whether processed automatically or manually, if it meets either of the following criteria:
- it is a company or a non-profit entity with total assets greater than 100,000 tax value units (UVT); at the conversion rate current when this page was written, that meant assets above $937,000;
- it is a legal entity of a public nature.
Newly created databases must be registered within two months of their creation.
What data access rights does Law 1581 grant?
Law 1581 grants individuals three core data subject rights:
- Right to access (know) their personal data
- Right to update and rectify inaccurate, incomplete or misleading information
- Right to request deletion of their data where its processing does not respect the law’s principles, rights and constitutional guarantees
Additionally, individuals can request proof of the authorization they granted, be informed about the use made of their data, submit complaints to the regulating authority, revoke consent, and access their personal data free of charge.
How to address data subject access requests under Law 1581?
Article 11 of Law 1581 stipulates that the personal data you provide to a data subject in response to an access request may be delivered by any means, including electronic ones, but it must be easy to read, free of technical barriers that impede access, and must correspond in full to what you hold in your database.
According to Article 20 of Decree 1377, data subject rights may be exercised by the data subjects themselves, by their successors, by a legal representative or proxy, or by stipulation in favor of or on behalf of another; in the case of children and adolescents, the rights are exercised by those legally authorized to represent them.
Article 21 of the Decree stipulates that data subjects must be given free access to their personal data at least once per calendar month, and whenever substantial changes to your organization’s Information Processing Policy would require them to consult it again. It is also your responsibility to “establish simple and agile mechanisms that are permanently available to the Holders so that they can access the personal data that are under their control and exercise their rights over them.”
Enforcement and penalties
The regulating authority is the Superintendence of Industry and Commerce (SIC), which may impose the following administrative sanctions on data controllers and processors:
- Fines of up to 2,000 legal minimum monthly wages, which at the conversion rate current when this page was written meant up to $574,000. Fines may be imposed successively for as long as the non-compliance continues.
- Suspension of the data controller’s processing activities for up to 6 months, together with corrective measures that must be adopted.
- Temporary closure of the operations involving the processing once the suspension ends, if the data controller has failed to adopt the corrective measures imposed.
- Immediate and permanent closure of operations where the violation involves sensitive personal data.
Where the violation is committed by a public authority, the SIC refers the matter to the Office of the Inspector General (Procuraduría General de la Nación), which conducts the corresponding investigation.
Criminal penalties also apply. The Colombian Criminal Code, as amended by Law 1273 of 2009, punishes abusive access to a computer system (Article 269A) and the violation of personal data held in files or databases (Article 269F) with a prison sentence of 48 to 96 months (4 to 8 years) and a fine of 100 to 1,000 legal minimum monthly wages, roughly $28,700 to $287,000 at the conversion rate current when this page was written.
The non-consented transfer of any asset, obtained for profit through computer manipulation or a similar artifice (Article 269J), carries a prison sentence of 48 to 120 months (4 to 10 years) and a fine of 200 to 1,500 legal minimum monthly wages, roughly $57,400 to $430,000 at that conversion rate.
Data Subject Rights - GDPR vs. Law 1581
GDPR:
- Right to access data
- Right to correct inaccurate data
- Right to the portability of data
- Right to delete personal information
- Right to information about how entities are sharing your data
- Right to restrict processing
- Right to object to processing
- Right to object to automated processing
Law 1581:
- Right to access
- Right to correct
- Right to delete
How can Clym help?
Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Customizable branding;
- Ready Compliance: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customize their individual experience.