Are there any restrictions on transferring personal data and how can these be overcome?
Cross-border data transfers affect all organizations that engage online IT services, cloud-based services, remote access services and global HR databases. Understanding how lawful data transfer mechanisms apply is essential to validating recipients located in other countries.
Data transfers typically include the following examples:
- personal data communicated over the telephone, by email, fax, letter, through a web tool or in person to another country;
- IT systems or data feeds which lead to personal data being stored on databases hosted outside Colombia;
- people/entities outside Colombia being able to access or "see" personal data held in the country; and
- the use of personal data by third parties through external solutions, e.g., outsourcing, offshoring and cloud computing.
Under Colombia’s data protection law (Law 1581 of 2012), personal data may only be transferred to countries which provide at least the same level of data protection as Colombia. Data can also be transferred to other countries (which don’t necessarily provide the same level of protection) in certain cases, including when:
- the employer has received express consent from the employee (destination and usage must be included in order for consent to be effective);
- Colombia has an international reciprocity agreement with the country the data will be transferred to;
- the transfers are necessary for the execution of a contract or pre-contractual measures between the employee (or applicant) and the employer.
Certain countries have been deemed to have an adequate level of protection, including countries in the EU, countries declared as having adequate protection by the European Commission, and the United States.
Data can also be transferred internationally to a third party for the purpose of processing data on behalf of the employer. In this case, the third party must contractually agree to apply the same data protection and security obligations as the employer. The agreement must include:
- the scope of processing;
- the service provider’s activities as they relate to personal data;
- the service provider’s obligations: to comply with the employer’s data processing policy, to safeguard personal data and prevent unauthorized disclosure to third parties, and to process personal data only in accordance with the employee’s authorization and applicable law (Decree 1377 of 2013, Ch. 5, Art. 24-25).
HR Best Practices: The use of applications in the cloud frequently results in the international transfer of employee data. Personal data should only be transferred when an adequate level of protection is ensured.