Home / Publications / Data Law Navigator | Colombia

Data Law Navigator | Colombia

Information on Data Protection and Cyber Security laws from CMS experts

< back to Overview

The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.



Last reviewed 8 October 2018


Article 15 of the Colombian Constitution sets forth fundamental rights to intimacy, good name or reputation and data protection. Statutory Law 1266 of 2008 then established the general provisions of habeas data and regulated the handling of the information contained in databases and a few years later, the Law 1581 of 2012 was passed, which dictates general provisions for the protection of personal data. On August 10, 2017, the Superintendence of Industry and Commerce issued circular 005 in order to develop the existing regulation on international data transfers. 


The Superintendence of Industry and Commerce (SIC) through its Data Protection Office is the authority responsible for Data Protection.

Anticipated changes to law

Draft Law No. 141 of 2017 intends to regulate and limit the time of permanence of personal data in databases, specifically regarding financial information. This draft was submitted on October 3rd, 2017, and has yet to go through first debate before the Senate. 


Data Subject is the individual whose personal data are subject to processing. The data subjects, altogether with the data controllers and the data processors, are the main actors defined by Colombian data protection laws.


Non-compliance with any of the provisions established by law may cause the following penalties:

  • Fines, up to the equivalent of two thousand (2,000) minimum monthly legal wages

(approximately COP $ 1,475,000,000 or USD $ 540,000)

  • Temporary suspension or closure of activities related to the data processing.
  • Immediate and definitive closing of the operation involving the processing of sensitive data

Registration / notification

Databases containing personal data whose automated or manual processing is carried out by individuals or legal entities in the Colombian territory or abroad shall be subject to registration in the National Database Registry handled by SIC, in the latter case provided that the Colombian legislation is applicable to the data controller or data processor. However, only public entities, and private entities which have total assets exceeding one hundred thousand (100,000) minimum monthly legal wages (about USD 1.143.000) are obliged to register their databases.

Consecuentaly, Data Controlers and Data Processsors must notify the Data Protection Authority about any violation of security codes and risks in the data subjects information management.

Main obligations and processing requirements

  • Guarantee the data subject, at all times, the full and effective exercise of the right of habeas data;
  • Request and keep a copy of the respective authorization granted by the data subject;
  • Properly inform the data subject about the purpose of the treatment and the rights that assist him by virtue of the authorization granted;
  • Store the data with the adequate security measures to prevent deterioration, loss, alteration, unauthorized or fraudulent use;
  • Guarantee that the information provided is truthful, complete, accurate, updated, verifiable and understandable;
  • Update the information with all the novelties regarding the data previously provided and adopt the necessary measures so that the information provided to it is kept up to date;
  • Process queries and claims formulated by the data subject;
  • Adopt an internal manual of policies and procedures to ensure adequate compliance with the Law and, in particular, to attend to queries and claims;
  • Inform the Data Processor when certain information is under discussion by the data subject, once the claim has been filed and the respective procedure has not been completed;
  • Inform at the request of the data subject about the use given to his data;
  • Inform the data protection authority when there are violations of the security codes and there are risks in the administration of the information of the data subject
  • Comply with the instructions and requirements issued by the Superintendence of Industry and Commerce
  • Im plement a Data Processing Policy and / or Privacy Notice.

Data subject rights

  • To know, update and rectify its personal data;
  • To request the proof of the authorization granted;
  • To be informed of the use that has been given to their personal data;
  • To submit complaints before the Superintendency of Industry and Commerce for violation of the law in the treatment of their personal data;
  • To revoke the authorization and request the deletion of the data when the principles, rights and constitutional guarantees are not respected.

Processing by third parties

It is possible to whom the owner has authorized such disclosure, or who are authorized by law.

Transfers out of country

The cross border transfer of data is prohibited unless the foreign country where the data will be transferred meets at least the same data protection standards (adequate level of protection) as the ones provided under Colombian laws. 

Adequate levels of data protection will be determined in accordance with the standards set by the Superintendency of Industry and Commerce in Circular 005 of 2017. 

This prohibition against cross-border transfers does not apply in the following cases:

  • if the data owner has expressly and unambiguously authorised the cross-border transfer of data (notice of specific elements, including destination and usage, must be given for consent to be effective)
  •  exchange of medical data
  • bank transfers and stock
  • transfers agreed under international treaties to which Colombia is a party
  • transfers necessary for the performance of a contract between the data processor and the controller
  • implementation of pre-contractual measures provided there is consent of the owner, and transfers legally required in order to safeguard the public interest.

Data Protection Officer

Neither Laws 1266 nor 1581 require organizations to appoint a data protection officer. However, data processors and data controllers are obliged to maintain adequate security levels for the protection of databases, as well as an administrative infrastructure to respond to data owners' requests and claims.


As mentioned, Law 1266 provides that data processors must implement security systems with technical safeguards to ensure the safety and accuracy of the data, and to prevent damage, loss, and unauthorized use or access of the data.

Breach notification

Colombian personal data laws establish the obligation to notify the Data Protection Authority in the event of security incidents that generate risks of disclosure of the personal data. This obligation is applicable to both data processors and controllers.

Direct marketing

Electronic Marketing is regulated by Law 527/99. The general rule is that opt-in consent from a data subject is required in order to send electronic marketing materials.


In general, consent is required to use cookies and other tracking mechanisms to collect any data that could be used to identify an individual; consent may generally be obtained via the user’s acceptance to the privacy policy if the use of cookies (and the way to disable them) is fully disclosed in the privacy policy. IP address may be considered personal data; however, currently there is no official opinion or law addressing whether IP address is personal information. Also, under the principle of access and restricted delivery enshrined in Article 4 of Law 1581, personal data may not be available on the Internet or in other mass media, unless the access is technically controllable to ensure access is available only to data owners or authorized third parties. This prohibition applies unless the information is public data, in which case its disclosure and circulation is possible within the limits established by law.

Useful links


< back to Overview



Karl Mutter
Karl Mutter, LL.M.