Article 15 of the Colombian Constitution sets forth fundamental rights to intimacy, good name or reputation and data protection.
Law 1266/08 ("Law 1266"), reviewed by the Colombian Constitutional Court in Decision C-1011/08, regulates the collection, use and transfer of personal information regarding monetary obligations related to credit, financial and banking services.
Law 1581 of 2012 ("Law 1581"), reviewed by the Colombian Constitutional Court in Decision C-748/11, contains comprehensive personal data protection regulations. This law is intended to implement the constitutional right of all persons to know, update and rectify information gathered about them in databases or files, enshrined in Article 20 of the Constitution, as well as the other rights, liberties and constitutional guarantees referred to in Article 15 of the Constitution.
Accordingly, Law 1581 applies to: (i) personal data stored in any public or private database or file; (ii) any processing of personal data in Colombia; and (iii) operations performed by persons who are not located in Colombia but are subject to the jurisdiction of Colombian law under international standards and treaties.
Under Law 1581, the data owner (data subject) must always give prior, express and informed consent for all activities pertaining to the collection, use and transfer of personal data, except those that are specifically exempted from all or part of the Law, which include the processing of credit data under Law 1266.
DEFINITION OF PERSONAL DATA
Law 1266 defines "personal data" as any information related to one or several identified or identifiable persons or which can be associated with an individual or a legal entity. Personal data may be public, semi-private or private. Semi-private data is data that is not deemed private, sensitive or public.
Under Law 1581, the definition of "personal data" specifically includes information related to or that may be related to one or several identified or identifiable natural or legal persons.
DEFINITION OF SENSITIVE PERSONAL DATA
Under Law 1266 "private data" is data that, due to its sensitive or confidential nature, is relevant only to the data owner. For example, data that pertains to the right to intimacy may be deemed sensitive data under Colombian law.
Under Law 1581 "sensitive data" is data that relates to the intimacy of the data owner, or that, if disclosed without consent, could lead to discrimination, such as data revealing racial or ethnic origin, political orientation, religious or philosophical beliefs, trade-union membership, social organizations, human rights organizations, or those organizations that promote the interests of any political party or that ensure the rights and guarantees of opposition political parties, as well as data relating to health, sexual life and biometrics.
NATIONAL DATA PROTECTION AUTHORITY
Two different governmental authorities were designated as data protection authorities by Law 1266: The Superintendency of Industry and Commerce ("SIC") and the Superintendency of Finance ("SFC"). As a general rule, the SIC will be the data protection authority, unless the administrator of the data is a company that performs financial or credit activities under oversight of the SFC as set forth in applicable law, in which case the SFC will also serve as a data protection authority.
The SIC is the sole data protection authority responsible for monitoring compliance with the principles, rights, guarantees and procedures provided under Law 1581.
Law 1581 created the National Register of Databases as a public directory of all databases operating in the country. This Register will be managed by the SIC, and may be consulted by any citizen.
DATA PROTECTION OFFICERS
Neither Law 1266 nor Law 1581 requires organisations to appoint a data protection officer. However, data processors and data controllers are obliged to maintain adequate security levels for the protection of databases, as well as an administrative infrastructure to respond to data owners' requests and claims.
COLLECTION AND PROCESSING
Under Law 1266 and Decision C-1011, as a general rule the collection and cross-border transfer of private and semi-private data can be performed only with the prior consent of the data owner unless an exception applies. The exceptions, set forth in Article 5 of Law 1266, permit personal data to be disclosed or delivered directly, without consent, to the following recipients under the following conditions:
- To the data owner or to a person to whom the owner has authorised such disclosure;
- To data users;
- To any judicial authority, pursuant to a judicial order;
- To Government Agencies or entities, when the data is required for the performance of legal or constitutional functions;
- To the Administrative Authorities who require such data for disciplinary, fiscal or administrative investigations; or
- To other databases that have the same purpose as that of the disclosing data processor (but see Decision C-1011 below) or to databases authorised by the data owner.
Under the interpretation in Decision C-1011, the private and semi-private data of data owners may be disclosed in the foregoing cases if the following conditions are observed:
- Except for the disclosure to the data owner, judicial authorities, governmental agencies, and administrative authorities, the disclosure can be performed only if the data owner gives his or her prior consent; or
- When the data is delivered to governmental agencies, they will be deemed to act as data users and will have all the corresponding obligations which include those pertaining to confidentiality, restricted circulation, and security of data.
Similar to Law 1266, according to Article 10 of Law 1581, any operation performed on personal data requires the prior, express and informed consent of the data owner except in the following cases:
- Data required by a public or administrative agency in performance of their duties or required by a court order;
- Data that is deemed public data;
- Data related to medical emergencies;
- Data related to historical, statistical or scientific purposes; and
- Data related to the Civil Registration of Persons.
Similarly, Article 13 states that personal data can be disclosed without consent to the following:
- To the data owners, their successors or their legal representatives;
- To any administrative authority, when the data is required for the performance of public duties, or pursuant to a judicial order; or
- To third persons to whom the owner has authorised such disclosure, or who are authorised by law.
TRANSFER
Under Law 1581, the cross-border transfer of data is prohibited unless the foreign country to which the data will be transferred meets at least the same data protection standards as those provided under Colombian law. This prohibition also applies to personal data governed by Law 1266.
Adequate levels of data protection will be determined in accordance with the standards set by the Data Protection Authority.
This prohibition against cross-border transfers does not apply in the following cases:
- If the data owner has expressly and unambiguously authorised the cross-border transfer of data (notice of specific elements, including destination and usage, must be given for consent to be effective);
- Exchange of medical data;
- Bank or stock exchange transfers;
- Transfers agreed under international treaties to which Colombia is a party;
- Transfers necessary for the performance of a contract between the data owner and the controller, or for the implementation of pre-contractual measures provided there is consent of the owner; and
- Transfers legally required in order to safeguard the public interest.
SECURITY
As noted above, Law 1266 provides that data processors must implement security systems with technical safeguards to ensure the safety and accuracy of the data, and to prevent damage, loss, and unauthorised use of or access to the data.
Similarly, Law 1581 requires that data processors and controllers implement the necessary technical, physical and administrative safeguards to ensure the safety of databases and to prevent their damage, loss, and unauthorised use or access.
BREACH NOTIFICATION
Article 17-N of Law 1581 requires notice to the DPA of certain security risks or violations of security policies related to the management of personal data. Other than this obligation, there are currently no specific breach notification regulations in Colombia.
ENFORCEMENT
Data Protection Authorities are allowed to initiate administrative investigations against those who breach the provisions of Law 1266 or Law 1581 and to impose penalties of up to 2,000 Minimum Monthly Legal Wages (approx. US$670,000) for each case, as well as sanctions that include the temporary or permanent closure of the professional or commercial activities of the subject who breached the data protection regime.
The penalties under Law 1581 only apply to private persons. If an offense is committed by a public authority, the SIC shall refer the action to the Attorney General's Office to initiate the respective investigation.
Additionally, on 5 January 2009 Colombia's Congress enacted Act 1273, which added an "Information and Data Protection" criminal offence to Colombia's Criminal Code. In particular, Article 269F states: "Violation of Personal Data: Anyone who, without being authorised to do so, for their own benefit or that of a third party, obtains, compiles, subtracts, offers, sells, exchanges, sends, buys, intercepts, discloses, modifies or uses personal codes, or personal data contained in files, archives, databases or similar means, will be held liable for imprisonment for a term of forty eight (48) to ninety six (96) months and a fine."
Finally, data owners have the right to file, before any Colombian judge, a special constitutional action, the "Acción de Tutela" (Constitutional Writ of Protection), to have their fundamental right to privacy, data protection or habeas data protected. This Constitutional Writ of Protection involves a preferential and summary proceeding under which the pertinent court must issue a decision within 10 days of the date on which the action is filed. This means that in those cases in which the right to privacy, to intimacy or to habeas data is affected, an expeditious action is available to protect the fundamental rights of the individual. In this regard, Decree 2591/91 expressly provides that an Acción de Tutela can be filed against a private individual or company that violates Article 15 of the Colombian Constitution.
In general terms, a court granting an Acción de Tutela that involves habeas data will issue a decision ordering that the data be rectified, updated or deleted. Failure to observe the court's ruling could result in an order of imprisonment against the defendant for a period of up to 10 days.
ELECTRONIC MARKETING
Electronic marketing is regulated by Law 527/99. The general rule is that opt-in consent from the data subject is required in order to send electronic marketing materials.
ONLINE PRIVACY (INCLUDING COOKIES AND LOCATION DATA)
Under the principle of access and restricted circulation enshrined in Article 4 of Law 1581, personal data may not be made available on the Internet or in other mass media unless access is technically controllable so that it is available only to data owners or authorised third parties. This prohibition does not apply where the information is public data, in which case its disclosure and circulation is possible within the limits established by law.
© DLA Piper
This publication is intended as a general overview and discussion of the subjects dealt with. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper Australia will accept no responsibility for any actions taken or not taken on the basis of this publication.
DLA Piper Australia is part of DLA Piper, a global law firm, operating through various separate and distinct legal entities. For further information, please refer to www.dlapiper.com