What laws apply to the collection and use of individuals’ personal information?
Data privacy laws have become more prominent in recent years. As the amount of personal information available online has grown substantially, there has been an enhanced focus on the processing of personal data, as well as the enforcement of such laws.
Colombia’s Constitution gives individuals the right to personal privacy (Art. 15). In addition, Colombians have the right to know, update and correct information that has been collected about them. Private correspondence and personal communication is generally protected under the law, with certain lawful exceptions for tax or judicial purposes.
Law 1581 of 2012 sets the general provisions for the protection of personal data in conjunction with Decree 1377 of 2013. Under the Law, personal data can only be processed for a legitimate purpose with the prior express, informed consent of the individual. Employers may only collect and store information that is reasonable and necessary given the purpose for the data collection.
Individuals have specific rights relating to their personal data, including:
- the right to know, update and rectify their personal information;
- the right to request proof of authorization for processing personal information (except when authorization isn’t needed to process data);
- the right to request and receive information on how personal information has been processed;
- the right to submit complaints to the Superintendencia de Industria y Comercio (the data protection authority);
- the right to revoke authorization and request deletion of personal information;
- and, free access to their personal information that has been processed.
Processing sensitive data is generally prohibited with a few exceptions relevant to human resources. Sensitive data includes data which, when revealed, could result in discrimination and includes: race/ethnicity; political orientation; religious/philosophical beliefs; membership in a trade union, social, political or human rights organization; and health, sexual or biometric data. Under Law 1581 of 2012, explicit consent must be obtained prior to processing sensitive personal data, unless the processing is required by law or is necessary for the establishment, execution or defense of a right in a legal proceeding.
The current authority responsible for enforcement of data privacy law and regulations in Colombia is the:
Superintendency of Industry and Commerce
Superintendencia de Industria y Comercio