In Circular Externa Number 002 from November 3, 2015, the
Superintendence of Commerce and Industry set up the Registro
Nacional de Bases de Datos (RNBD, national database record).
Guidelines were established for the responsible parties to process
the RNBD registration of personal databases that include: personal
information, legal entities of a private nature registered by the
Chamber of Commerce, and companies with both public and private
Since 2012, when the Law Protecting Personal Information went
into effect, we have been hearing about the creation of a register
that will include all of the personal databases. This has not yet
happened, but the aforementioned Circular, from the Colombian
government, began to develop these regulations in Decree number 886
from 2014. This Decree made direct reference to the creation of the
RNBD and gave the SIC the responsibility for creating and
administering the official register.
The SIC is the entity appointed to deal with all matters related
to protection of information. The SIC launched the RNBC in
November, 2015, which plans to register all of the personal
databases that companies or individuals involved in commercial
activities develop. With this measure, they hope to have better
control over the databases and see what kind of information each is
This new regulation that companies must comply with is not
intended to bring any benefit to the companies themselves. The
objective is to protect the owners of this personal information and
guarantee that the company that possesses them fully abides by the
law in the way they are utilizing the information.
For this reason it would be useful for companies to have
professional advisors to guide them in conducting an inventory on
the state of compliance regarding protection of information.
In addition, guidance regarding the verification and
existence of personal databases in each area is relevant. When the
time comes to register their database with the RNBD, they can
certify to the SIC that: a company policy is in place regarding
information data processing, the security measures implemented are
sufficient, and there has been no tampering with the information.
These are requirements to demonstrate that the company is following
the applicable guidelines.
The registration process with the RNBD involves completing an
internal due diligence process about personal information databases
and the company's internal procedures for collecting, storing,
using, and administering information. This is a complicated process
necessitating a series of detailed steps prior to registering the
information. Companies need to identify the databases they possess
and the exact information contained within them, verify that they
have the necessary authorization to utilize the information, and
confirm that their policies regarding protection of information
comply with all of the requirements stated in the law, among other
Therefore, it is highly recommended that companies should have
rigorous professional counsel to guide them through this obligatory
compliance process before the SIC. This support will usually be
oriented towards preparing the necessary documentation, legalizing
the form that companies need to fill out about data processing,
identifying the relevant elements from each current database being
used, and determining which of them need to be registered. In
addition, expert professional counsel will give advice on any other
aspects necessary to ensure compliance with the aforementioned
At this time, many companies are just beginning to uncover a
range of problems in the registration process. These include, but
policy that needs to be modified in order to comply with the
current regulations; missing proper authorization for data
processing; and inadequate clarity about the way the that the data
processing is taking place. These problems need to be thoroughly
assessed and solutions adequately found in order to effectively
comply with all of the legal requirements.
All of these concerns, problems, or facets should be solved or
corrected by professionals that advise the firm in this process.
This needs to be done quickly and efficiently, as the deadline is
approaching. The RNBD has established November 8, 2016, as the due
date to register the databases that each company possesses.
There is still time. Seek counsel.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Peru was an innovator in the field of data privacy with the issuance of Law N° 29733, Data Protection and Privacy Law, in 2011.
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).