By María Alejandra De Los Ríos Rueda, Lloreda Camacho & Co.
Colombia has had general regulations on Personal Data protection since 2012. Before Law 1581 of 2012 (the Data Protection Law) was issued, the Government had issued a specific regulation on Personal Data protection applicable exclusively to financial data, and there were some provisions regarding habeas data in the National Constitution; however, that was not enough to effectively protect and ensure the right to privacy of all citizens.
Since the Data Protection Law was issued, its main goals have been to protect the rights of Data Subjects (the individuals whose data is processed) and to assure them that any company handling their data will comply with all legal requirements so that Personal Data is properly used. Of course, this means that companies are more aware of how data is handled, and it has also required companies to implement internal data protection programs.
We highly advise checking the following ten aspects of Data Protection that your company should take into account when establishing a business in Colombia, since most companies will handle Personal Data (at least employee data) and will therefore have to comply with the Data Protection Law and its regulations.
1. The Data Protection Law applies to individuals and entities processing Personal Data in Colombia
In accordance with the Data Protection Law, any individual or entity that collects, uses, discloses, transfers, stores, deletes or combines ("Processes") Personal Data of individuals in Colombia will be subject to this law. The law is not clear on whether the regulation applies if the entity or individual that Processes the Personal Data is not located in Colombia; however, it can be interpreted that if the entity performs any activity related to processing Personal Data in Colombia, it will be subject to the regulation.
For instance, a company located in Germany that collects data from Colombians located in Colombia, in order to offer services in Colombia through its Colombian subsidiary, will be considered subject to the data protection regulation. In this case, since there is a subsidiary in Colombia, the authorities will normally require that subsidiary to comply with the regulation even though the parent company is the one collecting the data.
We would like to point out that the Data Protection Law establishes that it is not applicable to Personal Data stored in the following databases:
a. Personal or domestic databases.
b. Databases for security and national defense, and for the prevention, detection, monitoring and control of money laundering and terrorism financing.
c. Intelligence and counter-intelligence databases.
d. Journalistic information.
e. Financial and credit information (Law 1266 of 2008).
f. Population censuses (Law 79 of 1993).
2. For each database it is necessary to identify who is the Data Controller and who is the Data Processor
According to the Data Protection Law, the Data Controller is an individual or a company that determines the purposes for which the Personal Data is collected and the manner in which it will be processed. On the other hand, the Data Processor is a person or a company in charge of processing the Personal Data on behalf of the Data Controller. Data Processors and Data Controllers have different obligations and responsibilities under the applicable regulation, which is why it is important to establish whether your company is acting as a processor or as a controller.
For instance, the Data Controller must obtain authorization from Data Subjects to process their Personal Data; ensure the confidentiality, integrity and availability of information; and register its databases with the National Database Registry, among other obligations. The Data Processor, among other obligations, is in charge of keeping track of all activities related to the database and reporting them to the Data Controller so that they can be registered.
Please bear in mind that whenever an employee of the Data Controller performs activities related to data protection and acts as the person responsible for them inside the organization, the Data Controller will also be the Data Processor.
Therefore, in order to determine the responsibilities of each person inside the company, as well as whether the company also acts as Data Processor for a given database, it is important to have certainty about who performs which activities and how those activities are performed, so as to be able to guarantee the security and confidentiality of Personal Data.
3. Obtain the authorization/consent from the Data Subject to process Personal Data
The Colombian data protection regulation is based on the consent granted by the Data Subject. If Personal Data is handled without the Data Subject's consent, it is a clear violation of the Data Protection Law. Therefore, the Data Controller (or the Data Processor that processes Personal Data on behalf of the Data Controller) must adopt procedures to request the Data Subject's consent to process the Personal Data, no later than at the time of collecting the data. When requesting consent, it is important to inform the Data Subject of the purposes of the data handling as well as the data that is going to be handled. It is also important that the Data Controller keeps proof of the authorization.
Consent may be obtained in writing, verbally or by means of unequivocal conduct of the Data Subject that allows one to reasonably conclude that consent was granted. In case of substantial changes to the identity of the Data Controller or to the purpose of the processing of Personal Data that may affect the contents of the consent, the Data Controller must communicate these changes to the Data Subject and must obtain new consent when the change refers to the purpose of the Processing.
5. Adopt mechanisms for the exercise of Data Subjects' rights
The parties involved in data handling (Data Controller and Data Processor) must implement mechanisms and procedures that enable Data Subjects to exercise the rights granted by the Data Protection Law to know, update, rectify and delete their information, or to revoke their consent. Normally, companies have a line available for consumer complaints and requests through which they also receive data protection requests, and companies also make a specific email address available to receive this kind of complaint. It is very important to keep control of such requests, since companies must answer Data Subjects within 10 days in the case of an inquiry and within 5 days in the case of a complaint.
6. Implement security measures to safeguard the Personal Data
The Data Protection Law requires that Data Controllers and Data Processors develop, implement, maintain and monitor a comprehensive written information security program containing appropriate administrative, technical and physical safeguards to protect Personal Data against anticipated threats or hazards to its security, confidentiality or integrity; against unauthorized access or leaks; against unauthorized, unlawful or accidental loss, destruction, acquisition or damage; and against all other unauthorized forms of Processing. In this sense, it is highly advisable to have internal procedures or systems in place to prevent data loss and to detect security incidents.
7. Have in place an accountability program
Even though this is not a specific requirement of the Data Protection Law, the regulation mentions that it is important to be able to demonstrate that the company has acted in a responsible manner regarding its compliance. In case of an investigation, being able to demonstrate accountability will help the investigation to be handled more easily. An accountability program will also assure Data Subjects and third parties that the company takes data handling seriously and that data will be handled in a secure and confidential way.
In order to implement an accountability program your company must take into account the following:
- Have effective internal policies on data privacy.
- Implement compliance mechanisms.
- Designate an individual or individuals in charge of data protection matters, for example a Data Privacy Officer (DPO).
- Implement procedures to educate people and make them aware of the need to guarantee the security and confidentiality of data.
- Evaluate risks and be able to mitigate them.
- Constantly review the implementation of data privacy measures.
- Implement the security measures mentioned above as well as the mechanisms for the exercise of Data Subjects' rights.
8. Register all databases that handle Personal Data with the National Database Registry
This is one of the most important obligations that Data Controllers need to comply with. The National Database Registry was recently made available for registration, and therefore any company that handles Personal Data and is the controller of the corresponding database must register its databases. Since the registry was recently enabled (November 9th, 2015), Data Controllers that already have databases must register them within a year after the aforementioned date. Databases created after that date must be registered within the following two (2) months after their creation.
The following is the minimum information that must be registered; however, during the process there will be some additional questions related to each of the following points:
- Contact information of the Data Controller.
- Contact information of the Data Processor.
- Mechanisms to exercise the rights of Data Subjects.
- Name and purpose of the data base.
- Way of data handling (manual or automated).
- Categories of information being handled (e.g. name, address, phone, sensitive data, among others).
- Number of Data Subjects whose data is included in the database.
- Security measures.
- Source of the Personal Data (identify how the data was obtained).
- Information about international data transfers and/or transmissions.
- Assignment or national data transfer.
- Report of developments (Data Subjects' claims and/or security incidents).
Registration can be performed through the Superintendence of Industry and Commerce ("SIC") web page and is relatively easy. However, companies must have all the mentioned information clear and must have previously performed an inventory of their databases.
9. There are criminal offenses related to the violation of Personal Data
The Colombian Criminal Code contains some criminal offenses related to "Information and Data Protection". In particular, Article 269F states: "Violation of Personal Data: Anyone who, without being authorized to do so, for their own benefit or for a third party, obtains, compiles, subtracts, offers, sells, exchanges, sends, buys, intercepts, discloses, modifies or uses personal codes, or Personal Data contained in files, archives, databases or similar means, will be liable to imprisonment for a term of 48 to 96 months and a fine". Therefore, in case of any breach or leakage of information, companies may file a criminal complaint under this article. The criminal offenses are independent of any investigation that the SIC decides to start due to the breach or leakage.
10. If there is a breach of the data protection regime, sanctions will be applied
The SIC is allowed to initiate administrative investigations against those who breach the provisions of the Data Protection Law and to impose penalties of up to 2,000 Minimum Monthly Legal Wages (approx. USD $475,485.51 in 2016), as well as sanctions that include the temporary or permanent closure of the professional or commercial activities of the party that breached the data protection regime. The penalties may be applied individually to the company as well as to its directors and managers.