Actualidad Colombia

Modifications to the personal data protection regime

Draft Bill 089-2017 // External Circular No. 005 SIC

On 10th August 2017, Colombia’s Industry & Trade Authority (SIC) published External Circular 005 regulating the transfer to third countries of personal data that is under the jurisdiction of Colombian law. Data protection standards have been set, among them:

  • Standards applying to personal data processing and over guidelines for personal data processing, rights of data owners and duties of data officers and controllers.
  • Legal and administrative routes to ensure protection for data owners.
  • Public-sector data processing supervisory body.

A list has been drawn up of countries that ensure a suitable level of data protection; this list may be added to or otherwise changed by the SIC, in line with the guidelines stipulated by law.

Finally, to transfer personal data outside Colombia, data officers will need the SIC to issue a statement of conformity. In any event, if there is a contract or other legal instrument between the Data Officer issuing the data and the Officer receiving the data that specifies the principles and obligations for processing, the transaction will be presumed viable and considered as having a statement of conformity.

In the same way, as discussed in issue 5 of Progreso, the colombian government has recently published Bill 089-2017 amending the 2012 Statutory Act 1581 which sets the general provisions for personal data protection.

According to the Bill’s preamble, the regulation aims to give Colombia’s authorities the legal powers to protect citizens’ fundamental rights regarding the recompilation and processing of their personal data online.

The initiative is a response to the challenges of personal data processing presented by the internet. The Bill echoes the principles set in international papers such as (i) the “Estándares de protección de datos personales para los estados Iberoamericanos” [Personal Data Protection Standards for Ibero-American States] by the Ibero-American Data Protection Network and (ii) the Regulation (EU) 2016/679 of the European Parliament and of the Council.

We should draw attention to some of the amendments in the Bill:

Extended area of application

In the same way as Regulation (EU) 2016/679 extended its area of application to the processing of data of Community citizens beyond the European Union, this Bill also widens the application of the regulation. It now regulates data processing controllers who neither live nor are domiciled in Colombia, but who, online or by other means, are collating, storing, using, disseminating or involved in any other operation using personal data of people residing, domiciled or living in Colombian territory. The text also defines the duties of the data protection authority with regard to those international controllers who are living in the country and processing the personal data of Colombian citizens.


The Bill adds the principles laid down by the Ibero-American Data Protection Network, which include: the principle of data protection by design and by default; the principle of accountability and the principle of proportionality. These principles uphold that privacy, proper personal data processing and security should be an intrinsic part of the design, architecture and configuration of any technology or information handling process. They also establish the effective measures that the data processing controller should adopt to meet their legal obligations and the restrictions incumbent on this person when collecting or processing data, which depend on the use to which they are being put.

Outsourcing services involving data processing

With regard to the duties of data processing controllers, the Bill provides for the option of outsourcing services involving the processing of personal data, setting the framework for outsourcing and the liabilities taken on by the sub-contracted party.

Pro-active measures for data processing

The Bill adds a new sub-heading to the law, on pro-active measures in personal data processing, containing articles on privacy by design and privacy by default, as well as self-regulation mechanisms for the proper application of the law.

Assessments must be conducted on the impact on data protection when the processing, due to its nature or end purpose, carries a high risk of affecting the data subject’s right to data protection, a regulation which was inspired by EU Regulation 2016/679. The European law makes the same provision, but adds the scenarios or cases in which such an impact assessment would be required.

Lastly, it includes the figure of the data protection officer, present in EU Regulation 2016/679, although there are clear differences between the two documents. The Colombian Bill empowers the data processing controller to appoint the data protection officer, once the prior decision from the data protection body has been secured; whereas EU Regulation 2016/679 does not need this prior authorization before appointing an officer, but, instead, lays out the situations in which such an appointment should be made. Furthermore, the Colombian Bill does not provide for the possibility that a business group might appoint a single data protection officer, nor does it mention the principle of confidentiality in the performance of his/her duties.