During the last weeks of January, the Superintendence of Industry and Commerce (DPA), issued a new Circular (Circular No. 001 of January 17, 2022), by which it established specific instructions related to the Colombian personal data legal framework compliance, aimed at candidates, political movements and social movements of citizens who register candidates for elections, who in the framework of electoral campaigns, plebiscites, referendums, popular consultations or any other form of democratic participation act as a Controller for the processing of personal data of third parties.
This circular is currently relevant for all actors participating in the current electoral campaigns period in Colombia, who process or generated "any operation or set of operations on personal data, such as the collection, storage, use, circulation or deletion". Therefore, the following is a summary of some of the most relevant provisions of Circular No. 001 of January 17, 2022:
- First, the circular reiterates the need for compliance by Data Controllers, within the context described above, with the Colombian personal data protection legal framework (Law No. 1581 of 2012, Decree 1377 of 2013 and other complementary normativity). Thus, the circular does not bring exclusive and/or new provisions for the context of elections, campaigns, or any other context of democratic participation, but reiterates obligations that already exist from the general legal framework regarding personal data protection.
- The collection and processing of personal data of third parties must not be conducted by means of fraudulent or deceptive acts.
- The purposes of the processing must always be duly informed to the Data Subjects and therefore the processing must only be carried out for the purposes expressly authorized.
- The DPA reiterates the need for the collected authorizations to comply with the requirements of law in order to be valid consents. Therefore, they must be express, prior and informed.
- The Data Controllers, under the context of the circular, must adopt sufficient security measures to ensure the necessary confidentiality and compliance of the restricted access and circulation principle regarding third parties’ personal data.
- The reinforced responsibility in case of collecting and/or processing sensitive data is warned.
- Specific instructions regarding marketing and advertising are included, under the context of democratic participation, where, once again, the need for the existence of due authorizations and respect for the rights of the Data Subjects to withdraw his/her authorization is reaffirmed.
- The related Data Controllers must comply with the National Database Registry (NDR) in case of fulfilling with the DPA´s objective criteria established for this registration to be an obligation under local law.
If you have any doubts regarding data protection local legal framework compliance or this context is familiar to your current activities, please do not hesitate to contact us.
Social Media cookies collect information about you sharing information from our website via social media tools, or analytics to understand your browsing between social media tools or our Social Media campaigns and our own websites. We do this to optimise the mix of channels to provide you with our content. Details concerning the tools in use are in our privacy policy.