CMS Expert Guide: Data Law Navigator

Data protection

1. Local data protection laws and scope

The Personal Data (Privacy) Ordinance (Cap. 486)  (the "PDPO") is a comprehensive set of laws that is technology-neutral and provides a set of Data Protection Principles outlining how data users should collect, handle and use personal data.

2. Data protection authority

The Office of the Privacy Commissioner for Personal Data

Superintendence of Industry and Commerce (SIC) - Data Protection Delegate Superintendent /

3. Anticipated changes to local laws

The legislation is due for amendment since its last substantive amendment in 2012.

The Constitutional and Mainland Affairs Bureau released LC Paper. No. CB(2) 512/19-20(03), a discussion paper seeking the Legislative Council’s Panel on Constitutional Affairs’ (the Panel) views on proposed changes to the Personal Data (Privacy) Ordinance (Cap.486). The proposed changes follow proposals by the Privacy Commissioner for Personal Data, and include six proposed amendments:

  • Inclusion of a Mandatory Data Breach Notification Mechanism;
  • Requirement for retention policy and specified Data Retention Period; 
  • Provision of Sanctioning Powers to PCPD to impose administrative fines and raise relevant criminal fine levels; 
  • Regulation of Data Processors; 
  • Amending the Definition of Personal Data to cover information relating to an "identifiable" natural person; 
  • Regulation of Disclosure of Personal Data of Other Data Subjects to curb doxing;

There are no anticipated changes

4. Sanctions & non-compliance

Administrative sanctions:


Criminal sanctions:  

A summary of various offences and penalties under the Ordinance can be found at:



Administrative sanctions:

The SIC has the power to apply any of the following sanctions:

  • Fines, up to the equivalent COP 2,000 minimum monthly legal wages (USD 435,000).
  • Temporary suspension (up to six months) or closure of activities related to the data processing.
  • Immediate and definitive foreclosure of the operation involving the processing of sensitive data.

Criminal sanctions:

The Criminal Code states that anyone who, without authorisation, seeking personal or third-party gain, obtains, compiles, subtracts, offers, sells, exchanges, sends, purchases, intercepts, divulges, modifies or employs personal codes or data contained in databases or similar platforms, can be punished with:

  •  48 to 96 months of prison
  • And/or a fine of COP 1,000 minimum monthly wages (USD 28,400)

5. Registration / notification / authorisation

There is no requirement for notification/registration/authorisation for processing personal data (i.e. no mechanism similar to that in UK Notification to process personal data - GOV.UK (

The processing of personal data requires the prior and informed authorisation of the Data Subject, which must be obtained by any means that can be later consulted. The Controller, when requesting the Data Subject’s authorisation, must inform him or her clearly and expressly of the following:

  • The type of processing to which his/her personal data will be subject and its purpose.
  • The optional nature of the answers to the questions asked, when these are about sensitive data or about the data of children and adolescents.
  • The rights to which he/she is entitled as a Data Subject.
  • The identification, address or electronic address and phone number of the Controller.

Regarding databases, those that store personal data and whose automated or manual processing is carried out by a natural or legal person (public or private), in Colombian territory or abroad, and that have total assets that exceed TVU 100,000, must be subject to registration in the NDR handled by the DPA.

6. Main obligations and processing requirements

Data users shall comply with the six principles set out in Schedule 1 to the Ordinance: 

  • personal data shall only be collected for a lawful purpose directly related to a function or activity of the data user. The data collected should be necessary and adequate but not excessive for such purpose. The means of collection should be lawful and fair; 
  • data users are required to take all practicable steps to ensure that personal data is accurate and not kept longer than is necessary for the fulfilment of the purpose for which the data is used. If data users engage a data processor for handling personal data of other persons, data users should adopt contractual or other means to ensure that the data processor comply with the mentioned retention requirement; 
  • data users shall not use personal data for any new purpose which is not or is unrelated to the original purpose when collecting the data, unless with the data subject’s express and voluntary consent; 
  • data users shall take all practicable steps to protect the personal data they hold against unauthorised or accidental access, processing, erasure, loss or use; 
  • data users are required to take all practicable steps to ensure openness of their personal data policies and practices, the kind of personal data held and the main purposes for holding it; and 
  • data users shall provide data subjects with the right to request access to and correction of their own personal data.

Data Processors must comply with the following duties, regardless of the rest of the rules set forth in the Law and the others that may govern their activity:

  • Guarantee to the Data Subject, at all times, the full and effective exercise of the habeas data right;
  • Keep the information under the necessary security conditions to prevent its adulteration, loss, consultation, use or unauthorised or fraudulent access;
  • In a timely manner, update, amend or delete data in the terms set forth in Law Nº. 1581 of 2012;
  • Update the reported information by the Data Controller within five business days from when it was received;
  • Process the consultations and claims made by the Data Subject in the terms indicated in Law Nº 1581 of 2012;
  • Adopt an internal policy and procedure manual to ensure compliance with Law Nº 1581 of 2012 and, in particular, to respond to enquiries and complaints by the Data Subject;
  • Register a “Claim in progress” tag in the database in the terms set by the Law Nº 1581 of 2012;
  • Register an “Information in judicial discussion” tag in the database once the Processor is notified by the competent authority about any judicial processes related to the personal data;
  • Refrain from circulating information that is being disputed by the Data Subject, and whose blocking has been ordered by the Superintendence of Industry and Commerce;
  • Allow information access exclusively to people who should have access to it;
  • Inform the Superintendence of Industry and Commerce when there are violations of security codes and risks regarding the administration of the Data Subject’s information;
  • Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce;
  • Comply with the obligations regarding data flows (transfer and transmission).

7. Data subject rights

Data subjects are given the right to access and make correction to their data.

The following are rights granted to Data Subjects:

  • To know, update and rectify personal data with the Data Controller or Processor. This right may be exercised in the event of partial, inaccurate, incomplete and/or misleading data; and data whose processing is expressly prohibited or has not been authorised;
  • To request the proof of the authorisation granted to the Data Controller;
  • To be informed by the Data Controller or Processor, upon request, on how his or her personal data has been used;
  • To submit complaints before the Superintendence of Industry and Commerce regarding infringements and violations of data protection regulations;
  • To revoke the authorisation and/or request suppression of the data when its processing does not respect constitutional principles or legal provisions. The revocation and/or suppression will proceed if the Superintendence of Industry and Commerce determines that the Data Controller or Processor has engaged in said conducts;
  • To freely access the personal data that has been processed.

8. Processing by third parties

No direct regulation on data processors.  However, data are required to adopt contractual means to ensure that data processors or sub-contractors adopt measures to ensure the safety of personal data.

A third-party Processor may process personal data if it follows transmission instructions provided by the Controller. International transmission agreements should take place according to Decree Nº 1377 of 2013. International transmission may only be carried out with other countries authorised by the Superintendency of Industry and Commerce.

9. Transfers out of country

A data user shall not transfer personal data outside Hong Kong unless one of the following conditions is met: 

  • the place is specified by the Commissioner by notice in the Gazette that there is in force any law which is substantially similar to, or serves the same purposes as, the Ordinance – no place has satisfied this condition up to date. 
  • The data user has reasonable grounds for believing that there is in force in that place any law which is substantially similar to, or serves the same purposes as, the Ordinance;
  • The data subject has consented in writing to the transfer;
  • The data user has reasonable grounds for believing that the transfer is for the avoidance or mitigation of adverse action against the data subject; it is not practicable to obtain the consent in writing of the data subject to that transfer; but if it was practicable, such consent would be given;
  • The data is exempt from Data Protection Principle 3 by virtue of an exemption under Part VIII of the Ordinance (such as personal data held for news activities, for domestic use, for purpose of prevention of crime etc.); or
  • The data user has taken all reasonable precautions and exercised all due diligence to ensure that the data will not, in that place, be collected, held, processed, or used in any manner which, if that place were Hong Kong, would be a contravention of a requirement under the Ordinance. Please note that use of recommended model data transfer clauses to develop an enforceable data transfer contract by data users is one method to satisfy the required due diligence requirement. 

International data transfers are generally prohibited, unless the country in which the recipient Controller is located meets at least the same data protection standards (adequate level of protection) as the ones provided under Colombian laws. The transfer is also allowed in cases in which the Data Controller has obtained a transfer authorisation from the Data Subject, and in the following cases:

  • exchange of medical data;
  • bank and stock transfers;
  • transfers agreed under international treaties to which Colombia is a party;
  • necessary transfers for a contract between the Data Subject and Controller;
  • implementation of pre-contractual measures;
  • and transfers legally required in order to safeguard public interests.

The authorised countries for the international transfer of personal data are Australia, Austria, Belgium, Bulgaria, Cyprus, Costa Rica, Croatia, Denmark, Slovakia, Slovenia, Estonia, Spain, United States of America, Finland, France, Greece, Hungary, Ireland, Iceland, Germany, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Mexico, Norway, the Netherlands, Peru, Poland, Portugal, the UK, Czech Republic, Republic of Korea, Romania, Serbia, Sweden, and the countries the European Commission deems appropriately protected.

10. Data Protection Officer


Colombian Laws on data protection do not require the appointment of a Data Protection Officer within organisations. However, companies must allocate a department or a person in charge of personal data matters in order to handle requests by Data Subjects. While the DPA’s Accountability Guide is not an obligatory publication, it includes a “minimum of compliance” that the Authority must consider in any inspection or investigation of a personal Data Controller or Processor.

11. Security

There is no mandatory requirement.  However, it is required that a data subject is informed of the name or job title, and address, of the individual who is to handle the data access or correction request made to the data user.

Law Nº 1266 provides that Data Processors must implement security systems with technical safeguards to ensure the safety and accuracy of the data, and to prevent damage, loss, and unauthorised use of or access to the data. Law Nº 1581 of 2012, on the other hand, states that Data Controllers and Processors must guarantee that the personal data is being kept under strict security and confidentiality measures, that it will not be disclosed or modified and will be used for the approved purposes by the Data Subject. Data Processors and Controllers must therefore develop an internal policy and procedure manual to comply with data protection regulations.

12. Breach notification

There is no mandatory requirement, but a data breach may amount to a contravention of 

  • Data Protection Principle 4(1); and in Schedule 1 of the Ordinance;

The following action plan is recommended as practice to be adopted by data users: 

  • immediate gathering of essential information relating to the breach; 
  • contacting the interested parties and adopting measures to contain the breach; 
  • assessing the risk of harm; 
  • considering the giving of data breach notification: notifying the affected data subjects, the relevant parties, the law enforcement agencies, the Commissioner, relevant regulators and such other parties who may be able to take remedial actions as soon as practicable after the defection of the data breach.  For notifying the Commissioner, a “Data Breach Notification Form” can be used.

Any data security breach, or any risk of one occurring must be notified by the Data Controller or Processor to the DPA.

13. Direct marketing

The data user must:

  • inform the data subject (i) that the data user intends to so use the personal data; and (ii) that the data user may not so use the data unless the data user has received the data subject’s consent to the intended use – this “consent” needs to be “an indication of no objection to the use or provision” and hence, silence or lack of response will not be deemed to be consent;
  • provide the data subject with the following information in relation to the intended use (i) the kinds of personal data to be used; and (ii) the classes of marketing subjects in relation to which the data is to be used –  the description of such classes should be specific, making reference to the distinctive features of the goods, facilities or services so that it is practicable for the customers to ascertain the goods, facilities or services to be marketed with a reasonable degree of certainty; and
  • provide the data subject with a channel through which the data subject may, without charge by the data user, communicate the data subject’s consent to the intended use – a data user can only elect a response channel that enables the data subject’s consent to be made in writing.

eCommerce is currently regulated by Law 527 Nº of 1999. However, considering that an email address is personal data, any processing requires the authorisation of the Data Subject and must be done according to personal data protection laws (Law Nº 1581 of 2012).

14. Cookies and adtech

There are no specific requirements in relation to use of cookies.  

However, the use of cookies to collect personal data needs to be in compliance with Data Protection Principle 1(3) in Schedule 1 to the Ordinance that requires: 

  • the data subject is explicitly or implicitly informed, on or before collecting the data, of (i) whether it is obligatory or voluntary for him or her to supply the data; and (ii) where it is obligatory for him or her to supply the data, the consequences for him or her if he or she fails to supply the data; and 
  • he or she is explicitly informed: (i) on or before collecting the data, of (A) the purpose (in general or specific terms) for which the data is to be used; and (B) the classes of persons to whom the data may be transferred; and (ii) on or before first use of the data for the purpose for which it was collected, of (A) his or her rights to request access to and to request the correction of the data; and (B) the name or job title, and address, of the individual who is to handle any such request made to the data user.

Cookies could eventually form a database according to the legal definition from Law No. 1581 of 2012 when collecting personal data, taking into account the following characteristics: (i) when the data refers to exclusive and specific aspects of a person, ii) when the data allows the person to be identified; iii) when the data’s ownership resides exclusively on the Data Subject and iv) when the data’s processing is subject to special rules (principles) regarding its acquisition, administration and disclosure. The person responsible must adhere to the data protection regulations in Colombia (Law Nº 1581 of 2012). Taking this into account, the use of cookies must be allowed by the Data Subject through his/her prior and informed authorisation.

15. Risk scale




1. Local cybersecurity laws and scope

  • The most significant laws that cover cybersecurity matters include provisions under: 
  • Crimes Ordinance (Cap 200): (1) s.161 Access to computer with criminal or dishonest intent; and (2) s.60 Destroying or damaging property; 
  • s.27 A (unauthorised access to computer by telecommunications) under Telecommunications Ordinance (Cap 106); 
  • Control of Obscene and Indecent Articles Ordinance (Cap. 390); 
  • Prevention of Child Pornography Ordinance (Cap 579); and 
  • The Unsolicited Electronic Messages Ordinance (Cap 593)
  • CONPES document Nº 3854, released on 11 April 2016, is the National Policy that is currently in force regarding Cybersecurity in Colombia; it constitutes the general standards for cybersecurity, cyberdefence and risk management measures;
  • Law Nº 1928 of 2018: By which Colombia adheres to the Budapest Agreement on cybercrime signed in November 2001;
  • Law Nº 1273 of 2009: Introduces specific legislation on cybercrime under Colombian criminal law;
  • Resolution Nº 2710 of 2017 issued by the Ministry of Information Technologies and Communications: Established actions to adopt IPv6 protocol in order to avoid sharing IPv4 directions, and assign a unique IP per user to encourage cybersecurity.
  • Resolution Nº 5050 of 2016 issued by the Communication Regulation Commission: Contains general instructions to guarantee network security and services integrity. It introduced the obligation to implement security models, using the ITU’s framework X.800 and technical measures. It reinforces inviolability of communications principle as well as data and information security principles, introducing the obligation of network and telecommunication service providers to inform customers about network security risks and secure fraud prevention.
  • External Circular Nº 007 of 2018 issued by the Colombian Financial Superintendence: Imparts instructions related to the minimum requirements for cybersecurity risk management.

2. Anticipated changes to local laws

There are no anticipated changes to local laws, although there has been more pressure to introduce laws against doxing

Draft Bill No. 339 of 2020: Cybercrime

The bill seeks to criminalise new cybercrimes that particularly affect minors, and introduce preventive actions.

Draft Bill No. 033 of 2019: Cryptocurrency

The bill seeks to establish new cybersecurity standards for cryptocurrency-related transactions, designating the Technology Ministry as watchdog.

Financial Superintendency: Draft resolution

Seeks to introduce new report protocols for cybersecurity incidents, and to implement new Traffic Light Protocols for data exchange.

3. Application 

It mainly criminalises conduct around unauthorised access to computer and disseminating obscene, child pornography and unsolicited electronic messages. 

  • Network and IT systems:
    Law Nº 1341 of 2009 is the sectoral law for information technology and communication services. Network and information systems are regulated under that law, their definition is linked to the ITU’s concepts as mentioned on article 6 of the mentioned law. Communication services are defined as: “services that provide the ability to send / receive information in accordance with the conditions for the provision of such services previously agreed between a provider and a user”;
  • Critical Information Infrastructure Operators:
    Critical Infrastructure is defined by official documents such as CONPES Nº 3701 of 2011, CONPES Nº 3854 of 2016, which also established rules for Critical Information Infrastructure Operators (“CIIO”);
  • Cloud Computing Services:
    The guideline released by the Ministry named “Security and privacy of information” included controls and specific technologies, such as: i) PKI/PKOs; ii) data loss prevention by using methods like DRM, ZIP or Open PGP; iii). Data activity monitor, among others, in order to protect data storage in the cloud;
  • Digital Service Providers.

5. Key obligations 

N/A – There is no prescribed obligation imposed on cyber users or operators to adopt security measures except those involving handling personal data as specified in Personal Data (Privacy) Ordinance (Cap 486) (the “Ordinance”)

  • Security Measures: Ministry of Information Technologies and Communications has established some security measures through the Digital Security Risk Management Model and the System for Information Security Management, which may resume as follows: i) organisational commitment; ii) identification of stakeholders and processes related to digital security management; iii) develop a risk management policy; iv) role definition and liability; v) resources for digital security risk management such as: budget, human resources and tools to control security. Under Data Protection Law and its Regulatory Decree 1377 of 2013 as well as the CONPES Nº 3854 of 2016, there are technical and organisational measures to manage data security risks. Decree Nº 1377 of 2013 introduces the obligation of the Controller and the Processor of personal data to adopt a “Personal data management programme”, an internal policy and procedure manual to guarantee DPL compliance and attention to queries and claims. The Guideline for implementation of Accountability Principle in personal data protection, released by the Superintendence of Industry and Commerce (“SIC”) developed some measures, such as the protocols for responding and managing data breaches and/or security incidents and risk management systems for personal data processing;
  • Notification on Cybersecurity Incidents: There is not a mandatory duty for every party involved in reporting incidents to the National Government. But in the event of a cybersecurity incident, Colombian Cyber Emergency Response Group (ColCERT) has its own procedure to notify incidents. Cybercrimes and cybernetic incidents can be reported to ColCERT or to the Police Cybernetic Centre. If the incident is related to a personal data breach, there is an obligation to notify it to the Superintendence of Industry and Commerce;
  • Registration: Data Protection Law that demands, under Article 17, that the Database Controller must register on the National Databases Registration (NDR) managed by the Superintendence of Industry of Commerce if it meets the criteria;
  • Appointment of a Security Officer: The E-Government strategy for public entities introduced the mandatory System of Information Security Management, which includes the appointment of a security officer. The officer must plan, coordinate and manage information security processes; define control and follow up measures to quantify compliance in security; manage the development and implementation of policies, rules and directives and procedures of information security management; supervise security incidents and investigate security violations; among other functions.

6. Sanctions & non-compliance 

Administrative sanctions:


Criminal sanctions:

Hong Kong Police will enforce the provisions of the relevant Ordinances.  Penalties will range from a level 4 fine (HKD 25,000) to imprisonment for five years.



Administrative sanctions:

The SIC has the power to apply any of the following sanctions:

  • Fines, up to the equivalent of COP 2,000 minimum monthly legal wages (USD 435,000);
  • Temporary suspension (up to six months) or closure of activities related to the data processing;
  • Immediate and definitive foreclosure of the operation involving the processing of sensitive data.

The Financial Superintendency can also impose penalties on those who fail to comply with requirements established in External Circular Nº 052 of 2007.

Criminal sanctions:

The violation of Law No. 1273 of 2009 (Cybercrime regime) can cause:

  • A penalty ranging from 36 to 96 months prison time
  • A penalty ranging from 100 to 1,500 times the minimum wage (approximately UDD 28,430 to USD 426,400)



7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 



ColCERT (Grupo de Respuesta a Emergencias Cibernéticas de Colombia). Its main purpose is to coordinate necessary actions to protect infrastructure from cybersecurity emergencies that may threaten or compromise national security.

8. National cybersecurity incident management structure



The Ministry of Information Technologies and Communications released the Digital Security Risk Management Model and the System for Information Security Management, which defines some technical measures that must be adopted by public entities although it is designed for all public and private entities.

9. Other cybersecurity initiatives 

  • Hong Kong Monetary Authority has issued various non-binding cybersecurity guidelines for authorised institutions such as Cyber Resilience Assessment Framework and cybersecurity guidelines with respect to the use of stored value facilities, ebanking systems and artificial intelligence.
  •  Securities and Futures Commission has published guidelines and circulars such as the Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading and specific guidelines in relation to the use of external electronic data storage.
  • Insurance Authority has issued the Guideline on Cybersecurity laying down the minimum cybersecurity standards that authorised insurers must observe.
  • The Commissioner for the Electronic Health Record has issued codes of practice regarding the use of the electronic health record sharing system by healthcare providers to access and share patients’ electronic health records. 
  • The Office of the Government Chief Information Office has issued guidelines on cybersecurity controls and measures applicable to various government offices and departments.

Other rules that can relate to cybersecurity-specific matters are: Law Nº 527 of 1999 regarding eCommerce; Law Nº 594 of 2000 or General Archive Law; Law Nº 679 of 2001 and Law Nº 1336 of 2009, regarding child pornography and sexual exploitation; Law Decree Nº 019 of 2012 regarding entities authorised for digital certification; Decree Nº 1704 of 2012 regarding legal interception of communications; CRC Resolution Nº 3502 of 2011 about Net Neutrality; Decree Nº 2573 of 2014 about eGovernment; amongst others.

Portrait of Jonathan Chu
Jonathan Chu
Hong Kong (CMS CMNO - Lau, Horton & Wise LLP)
Portrait of Lorenzo Villegas-Carrasquilla
Lorenzo Villegas-Carrasquilla