Data Law Navigator | Colombia

Information on Data Protection and Cyber Security laws from CMS experts

The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.


Last reviewed March 2020

Risk scale

Risk Scale Red


  • Articles 15 and 20 of Colombia’s Constitution recognize the right to privacy and to data rectification as fundamental rights.
  • Law Nº 1581 of 2012: Law in charge of the regulation of all data processing and databases.
  • Law Nº 1266 of 2008: Law in charge of the regulation of data processing and databases when it comes to financial data and credit records. 
  • Decree Nº 1377 of 2013: It partially regulates the dispositions stated in Law N° 1581 of 2008.
  • Decree Nº 886 of 2014: It partially regulates the dispositions stated in Law N° 1581 of 2008 regarding databases and the National Databases Registration (NDR).
  • Decree Nº 2952 of 2010: Regulates the dispositions stated in Law Nº 1266 of 2008.
  • Law Nº 1263 of 2009: Established unlawful and unauthorised personal data processing as a crime and was incorporated into the Criminal Code.
  • Decree N° 90 of 2018: Establishes the criteria for the mandatory registry of databases on the National Database Registry (NDR).
  • Unique Circular from the Superintendence of Industry and Commerce: Title V specifically regulates different aspects regarding personal data protection such as data transfers, habeas data right and the National Data Registry (NDR).
  • External Circular Nº 005 of 2017 from the Superintendence of Industry and Commerce: Sets the standards of an adequate level of protection in the receiving country when it comes to international data transfers; it establishes the conditions in order for a country to obtain a declaration of conformity to carry out international transfers of personal data.


Superintendence of Industry and Commerce (SIC) through its Data Protection Office (DPO) is the authority responsible for Personal Data Protection.

Anticipated changes to law

There aren’t any bills in Congress that aim for a modification of current data protection laws. 

If applicable: stage of legislative implementation of GDPR 

Although there was a Bill (89 of 2017 from the Senate) that intended a modification of Law Nº 1581 of 2012 regarding new regulation to comply with the GDPR, the bill did not pass the legislative procedure. 


All personal data collection and processing in Colombia is regulated, and all public and private entities that process personal data must comply with current regulation. Almost all data collection and processing is regulated through Law Nº 1581 of 2012; some specific matters are regulated through other dispositions (i.e. financial personal data). Personal or domestic databases, databases that have national defence and security purposes, and information or databases containing press information fall outside the scope of the current personal data protection laws.


Non-compliance with any of the provisions established by law may result in the following penalties:

  • Fines, up to the equivalent of two thousand (2,000) minimum monthly legal wages, approximately US$ 435.000.00
  • Temporary suspension or closure of activities related to data processing.
  • Immediate and definitive closure of the operation involving the processing of sensitive data.
  • The Criminal Code states that anyone who, without authorization, seeking personal or third party gain, obtains, compiles, subtracts, offers, sells, interchanges, sends, purchases, intercepts, divulges, modifies or employs personal codes or data contained in databases or similar platforms, will be punishable by 48 to 96 months of prison, and a fine of one thousand (1,000) minimum wages.


Personal data processing requires the prior and informed consent of the Data Subject, which must be obtained by any means that can be later consulted. The Controller, when requesting the Data Subject’s consent, must inform him/her clearly and expressly of the following:

  • The type of processing to which his/her personal data will be subject and its purpose.
  • The optional nature of the answers to the questions asked, when these are about sensitive data or about the data of children and adolescents.
  • The rights to which he/she is entitled as a Data Subject.
  • The identification, address or electronic address and phone number of the Controller.

Regarding databases, those that store personal data and whose automated or manual processing is carried out by a natural or legal person (public or private), in Colombian territory or abroad, and that have total assets that exceed one hundred thousand (100,000) Tax Value Units (TVU), must be subject to registration in the NDR handled by the DPO.

Main obligations and processing requirements

Data Processors must comply with the following duties, regardless of the other rules set forth in the Law and those that may govern their activity:

  • Guarantee to the Data Subject, at all times, the full and effective exercise of the habeas data right.
  • Keep the information under the necessary security conditions to prevent tampering, loss, consultation, use or unauthorized or fraudulent access.
  • In a timely manner, update, amend or delete data in the terms set forth in Law Nº 1581 of 2012.
  • Update the reported information by the data Controller within five (5) business days counted from the day it was received.
  • To process the consultations and claims made by the Data Subject in the terms indicated in Law Nº 1581 of 2012.
  • Adopt an internal policies and procedures manual to ensure the adequate compliance of Law Nº 1581 of 2012 and, in particular, to attend inquiries and complaints made by Data Subjects.
  • Register a “Claim in progress” tag in the database in the terms set by the Law Nº 1581 of 2012.
  • Register an “Information in judicial discussion” tag in the database once the Processor is notified by the competent authority about any judicial processes related to the personal data.
  • Refrain from circulating information that is the subject of a dispute by the Data Subject or a blockade ordered by the Superintendence of Industry and Commerce.
  • Allow information access exclusively to people who should have access to it.
  • Inform the SIC when there are violations of security codes and risks regarding the administration of the Data Subject’s information.
  • Comply with the instructions and requirements issued by the SIC.
  • Comply with the obligations regarding data flows (transfer and transmission).

Data subject rights

The following are rights granted to Data Subjects:

  • To know, update and rectify his/her personal data vis-à-vis the data Processor and Controller. This right may be exercised with respect to partial, inaccurate, incomplete and/or misleading data, and for data whose processing is expressly prohibited or has not been authorized.
  • To request the proof of the authorization granted to the data Controller.
  • To be informed by the data Controller or Processor, upon request, on the use that has been given to his/her personal data.
  • To submit complaints before the SIC regarding infringements and violations of data protection regulations.
  • To revoke the authorization and/or request the suppression of the data when the processing does not respect constitutional principles or legal provisions. The revocation and/or suppression will proceed when the SIC has determined that the data Controller or Processor have engaged in such conduct.
  • To have free access to the personal data that has been processed.

Processing by third parties

Processing by third parties is allowed through a transmission of personal data in favour of a third-party Processor that can only use the transmitted data according to the Controller’s instructions. For international transmissions it is recommended to execute an international transmission agreement in accordance with Decree Nº 1377 of 2013.

Transfers out of country

International data transfers are generally prohibited by Law, unless the country in which the receiving Controller is located meets at least the same data protection standards (adequate level of protection) as the ones provided under Colombian law. The transfer is also allowed in cases in which the data Controller has obtained the transfer authorization from the Data Subject, and in the following cases:

  • exchange of medical data;
  • bank and stock transfers;
  • transfers agreed under international treaties to which Colombia is a party;
  • necessary transfers for the performance of a contract between the Data Subject and Controller;
  • implementation of pre-contractual measures; and
  • transfers legally required in order to safeguard public interests.

These are the authorized countries for the international transfer of personal data: Australia; Austria; Belgium; Bulgaria; Cyprus; Costa Rica; Croatia; Denmark; Slovakia; Slovenia; Estonia; Spain; United States of America; Finland; France; Greece; Hungary; Ireland; Iceland; Germany; Italy; Japan; Latvia; Lithuania; Luxembourg; Malta; Mexico; Norway; Netherlands; Peru; Poland; Portugal; UK; Czech Republic; Republic of Korea; Romania; Serbia; Sweden; and the countries that have been declared as having an appropriate level of protection by the European Commission.

Data Protection Officer

Colombian laws on data protection do not require the appointment of a Data Protection Officer within organizations. However, companies must designate an area or person in charge of personal data matters in order to handle requests submitted by Data Subjects. This is also highly recommended in light of the Accountability Guide of the DPO, which is not an obligatory publication but includes the “minimums of compliance” that the Authority must consider in any inspection or investigation regarding a personal data Controller or Processor.


Law Nº 1266 provides that data Processors must implement security systems with technical safeguards to ensure the safety and accuracy of the data, and to prevent data damage, loss, and unauthorized use or access. Law Nº 1581 of 2012, on the other hand, states that data Controllers and Processors must guarantee that the personal data is being kept under strict security and confidentiality measures, that it will not be disclosed or modified and will be used for the approved purposes by the Data Subject. In order to fulfil the obligation, data Processors and Controllers must develop an internal policies and procedures manual to ensure adequate compliance with data protection regulations. 

Breach notification

Any breach of the security of the data administration, or any risk in that regard, must be notified by the data Controller or Processor to the DPO (SIC).

Direct marketing

E-commerce is currently regulated by Law Nº 527 of 1999. However, considering that an email address is personal data, any processing requires the Data Subject’s authorization and must be done in accordance with personal data protection laws (Law Nº 1581 of 2012).


Cookies could eventually form a database according to the legal definition from Law Nº 1581 of 2012 when collecting personal data, taking into account the following characteristics: (i) they refer to exclusive and specific aspects of a person; (ii) they allow the person to be identified; (iii) their ownership resides exclusively with the Data Subject; and (iv) their processing is subject to special rules (principles) regarding acquisition, administration and disclosure. The person responsible must adhere to the data protection regulations in Colombia (Law Nº 1581 of 2012). Taking this into account, the use of cookies must be allowed by the Data Subject through his/her prior and informed consent.

Cyber Security

Last reviewed March 2020

Risk scale

Risk Scale Orange

Laws and regulations

  • CONPES document Nº 3854 released on April 11, 2016, is the National Policy that is currently in force regarding Cybersecurity in Colombia; it constitutes the general standards for cybersecurity, cyberdefense and risk management measures.
  • Law Nº 1928 of 2018: By which Colombia adheres to the Treaty on Cybercrime signed in Budapest in November 2001 (Budapest Agreement).
  • Law Nº 1273 of 2009: It introduced specific legislation on cybercrime under Colombian criminal law.
  • Resolution Nº 2710 of 2017 issued by the Ministry of Information Technologies and Communications: Established the actions to adopt the IPv6 protocol in Colombia in order to avoid the shared use of IPv4 addresses, allowing the assignment of a unique IP per user for the benefit of cyber security.
  • Resolution Nº 5050 of 2016 issued by the Communication Regulation Commission: Contains general instructions to guarantee network security and services integrity. It introduced the obligation to implement security models, using the ITU’s framework X.800 and technical measures. It reinforces inviolability of communications principle as well as data and information security principle, introducing the obligation of network and telecommunication service providers to inform customers about network security risks and secure fraud prevention by using technological tools.
  • External Circular Nº 007 of 2018 issued by the Colombian Financial Superintendence: Imparts instructions related to the minimum requirements for cybersecurity risk management.

Anticipated changes to law

Bill 060 of 2018 currently in the Senate: A bill on citizen security with measures to protect users online. It now includes another bill on cybersecurity and cybercrime. 


  • Network and Information Systems: Law Nº 1341 of 2009 is the sectoral law for information technology and communication services. Network and information systems are regulated under that law; their definition is linked to ITU’s concepts, as mentioned in article 6 of the aforementioned law. Communication services are defined as: “services that provide the ability to send / receive information in accordance with the conditions for the provision of such services previously agreed between a provider and a user”.
  • Critical Information Infrastructure Operators: Critical Infrastructure is defined by official documents such as CONPES Nº 3701 of 2011 and CONPES Nº 3854 of 2016, which also established some rules for Critical Information Infrastructure Operators (“CIIO”).
  • Cloud Computing Services: The guideline released by the Ministry named “Security and privacy of information” regarding security in the cloud includes controls and specific technologies, such as: i) PKI/PKOs; ii) data loss prevention by using methods such as DRM, ZIP or Open PGP; and iii) Data activity monitor, among others, in order to protect data storage in cloud.
  • Digital Service Providers.


The National Planning Department (NPD) and the Ministry of Information Technologies and Communications (“MinTIC” in Spanish) are the officially recognized responsible public entities for implementing a national cybersecurity strategy, policy and roadmap.

Key obligations 

  • Security Measures: Ministry of Information Technologies and Communications has established some security measures through the Digital Security Risk Management Model and the System for Information Security Management, that can be summarized as follows: i) organizational commitment; ii) identification of stakeholders and processes related to digital security management; iii) the development of a risk management policy; iv) role definition and liability; v) resources for digital security risk management such as: budget, human resources and tools to control security. Under Data Protection Law and its Regulatory Decree 1377 of 2013 as well as the CONPES Nº 3854 of 2016, there are technical and organisational measures to manage data security risks. Decree Nº 1377 of 2013 introduces the obligation of the Controller and the Processor of personal data to adopt a “Program of Personal Data Management”, an internal manual of policies and procedures to guarantee the proper compliance of Data Protection Law and attendance of queries and claims. The Guideline for implementation of Accountability Principle in personal data protection, released by the Superintendence of Industry and Commerce (“SIC”) developed certain measures, such as the protocols for response and management of data breach and/or security incidents and system for risk management associated to personal data processing.
  • Notification on Cybersecurity Incidents: There is no mandatory duty for every party involved to report incidents to the National Government. Notwithstanding, in case of a cybersecurity incident, Colombian Cyber Emergency Response Group, ColCERT, has its own procedure to notify incidents. Cybercrimes and cybernetic incidents can be reported to ColCERT or to the Police Cybernetic Centre. If the incident is related to a personal data breach, there is an obligation to notify it to the Superintendence of Industry and Commerce.
  • Registration: Data Protection Law demands, under article 17, that the data Controller of databases register them on the National Databases Registration (NDR) managed by the Superintendence of Industry and Commerce if they meet the criteria established by that authority.
  • Appointment of a “Security Officer”: The E-Government strategy in Colombia, directed to public entities, introduced the mandatory “System of Information Security Management” which includes the appointment of a security officer. The officer must plan, coordinate and manage information security processes; define control and follow up measures to quantify compliance in security; manage the development and implementation of policies, rules and directives and procedures of information security management; supervise security incidents and investigate security violations, amongst other functions.


Within the administrative field, the Superintendence of Industry and Commerce can impose penalties for data protection violations of up to the equivalent of 2,000 times the minimum wage. The non-monetary penalties can be: the suspension of activities related to data processing for up to six months and the imposition of corrective measures; temporary closure of data processing activities if the corrective measures are not implemented; and immediate and definitive closure of data processing activities.

Financial Superintendence of Colombia can also impose penalties to those who do not comply with its External Circular Nº 052 of 2007.

Under criminal law, the penalties for violating Law Nº 1273 of 2009 (Cybercrime regime) range from 36 to 96 months in jail and from 100 to 1500 times the minimum wage in Colombia, equivalent to $21.100 up to US$326.000. The penalty depends on the felony committed.

Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

Yes, ColCERT (Grupo de Respuesta a Emergencias Cibernéticas de Colombia). Its main purpose is the coordination of necessary actions in order to protect the infrastructure against cybersecurity emergencies that may threaten or compromise national security.

Is there a national incident management structure for responding to cyber security incidents?

The Ministry of Information Technologies and Communications released the Digital Security Risk Management Model and the System for Information Security Management, which define some technical measures that must be adopted by public entities, although they are designed for all entities, public and private.

Other cyber security initiatives

Other rules that can be related to cybersecurity specific matters are: Law Nº 527 of 1999 regarding e-commerce; Law Nº 594 of 2000 or General Archive Law; Law Nº 679 of 2001 and Law Nº 1336 of 2009, regarding child pornography and sexual exploitation; Law Decree Nº 019 of 2012 regarding entities authorized for digital certification; Decree Nº 1704 of 2012 regarding legal interception of communications; CRC Resolution Nº 3502 of 2011 about Net Neutrality; Decree Nº 2573 of 2014 about E-govern; among others.

Lorenzo Villegas-Carrasquilla
María Camila Piedrahita
Alejandra Vásquez