International transfers of personal data must be consented to by the data subject and the purposes of such transfers must be included in the Privacy Notice. Such consent is not required where the transfer is:
- pursuant to a Law or Treaty to which Mexico is party;
- necessary for medical diagnosis or prevention, healthcare delivery, medical treatment or health services management;
- made to holding companies, subsidiaries or affiliates under common control of the Data Controller, or to a parent company or any company of the same group as the Data Controller, operating under the same internal processes and policies;
- necessary by virtue of a contract executed or to be executed in the interest of the data subject between the Data Controller and a third party;
- necessary or legally required to safeguard public interest or for the administration of justice;
- necessary for the recognition, exercise or defence of a right in a judicial proceeding; or
- necessary to maintain or fulfil a legal relationship between the Data Controller and the data subject.
Data transfer to countries not specified in the PDP Law or in the “white list” is allowed only if the controller/processor has ensured appropriate safeguards prescribed by the PDP Law, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
The following are considered to be appropriate safeguards under the PDP Law:
- A legally binding and enforceable instrument between public authorities or bodies;
- Standard Data Protection clauses adopted by the Commissioner that regulate the legal relationship of the Controller and the Processor;
- Binding corporate rules approved by the Commissioner;
- An approved code of conduct with binding and enforceable commitments of the controller/processor in the third country to apply the appropriate safeguards, or an approved certification mechanism.
International data transfers are generally prohibited, unless the country in which the recipient Controller is located meets at least the same data protection standards (adequate level of protection) as the ones provided under Colombian laws. The transfer is also allowed in cases in which the Data Controller has obtained a transfer authorisation from the Data Subject, and in the following cases:
- exchange of medical data;
- bank and stock transfers;
- transfers agreed under international treaties to which Colombia is a party;
- necessary transfers for a contract between the Data Subject and Controller;
- implementation of pre-contractual measures; and
- transfers legally required in order to safeguard public interests.
The authorised countries for the international transfer of personal data are Australia, Austria, Belgium, Bulgaria, Cyprus, Costa Rica, Croatia, Denmark, Slovakia, Slovenia, Estonia, Spain, United States of America, Finland, France, Greece, Hungary, Ireland, Iceland, Germany, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Mexico, Norway, the Netherlands, Peru, Poland, Portugal, the UK, Czech Republic, Republic of Korea, Romania, Serbia, Sweden, and the countries the European Commission deems appropriately protected.