Employee Data Privacy

Colombia - Cross-Border Data Transfer

 Download as a PDF

Are there any restrictions on transferring personal data and how can these be overcome?

Cross-border data transfers affect all organizations that engage online IT services, cloud-based services, remote access services and global HR databases. Understanding the applications of lawful data transfer mechanisms is essential to validate recipients located in other nations.

Data transfers typically include the following examples:

  • personal data communicated over the telephone, by email, fax, letter, through a web tool or in person to another country;
  • IT systems or data feeds which lead to personal data being stored on databases hosted outside Colombia;
  • people/entities outside  Colombia being able to access or "see" personal data held in the country; and,
  • the use of personal data by third parties through external solutions, e.g., outsourcing, offshoring and cloud computing.

Under Colombia’s data protection law (Law 1581 of 2012), personal data may only be transferred to countries which provide at least the same level of data protection as Colombia. Data can also be transferred to other countries (which don’t necessarily provide the same level of protection) in certain cases, including when:

  • zivile-arunas-298645the employer has received the express consent from the employee (destination and usage must be included in order for consent to be effective);
  • Colombia has an international reciprocity agreement with the country the data will be transferred to;
  • when the transfers are necessary for the execution of a contract or pre-contractual measures between the employee (or applicant) and the employer.

Certain countries have been deemed to have an adequate level of protection, including countries in the EU, countries declared as having adequate protection by the European Commission, and the United States.

Data can also be transferred internationally to a third party for the purpose of processing data on behalf of the employer. In this case, the third party must contractually agree to apply the same data protection and security obligations as the employer. The agreement must include the:

  • scope of processing;
  • the service provider’s activities as it relates to personal data;
  • the service provider’s obligations: to comply with the employer’s data processing policy, to safeguard personal data and prevent unauthorized disclosure to third parties, and, to process personal data only in accordance with the employee’s authorization and applicable law (Decree 1377 of 2013, Ch. 5, Art. 24-25).


HR Best Practices: The use of applications in the cloud frequently results in the international transfer of employee data. Personal data should only be transferred when an adequate level of protection is ensured.


UKG's HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where UKG's customers have employees. HR Compliance Assist is a service exclusively available to UKG customers.

Share Your Feedback

Let's Talk