What is a DPO, and which organizations have to appoint one?
A Data Protection Officer (DPO) is a person in charge of verifying the compliance of personal data processing with the applicable law. The DPO communicates information on the processing of personal data, such as its purposes, interconnections, types, categories of data subjects, length of retention and the department(s) in charge of implementing processing. DPOs may be required by law or recommended.
Colombia’s personal data protection law (Law 1581 of 2012) sets duties for those in charge of protecting personal data, and Decree 1377 requires that businesses place a person or group of people in charge of personal data (there is no requirement that those in charge be based in Colombia). Responsibilities include:
- guaranteeing employees can exercise their rights under the law;
- retaining copies of individuals’ consent to process data;
- informing the employees (and other data holders) about the reason for the data collection and their rights relating to the data (including providing this information upon request);
- securing personal data to protect it from adulteration, loss, consultation, unauthorized use or fraud;
- ensuring that data is kept up-to-date;
- correcting inaccurate data and informing third-party processors to ensure corrections are made;
- requiring internal and third-party processors to follow security and privacy policies;
- processing data inquiries and claim requests;
- adopting internal policies and procedures to protect the data and respond to inquiries and complaints;
- registering databases as required by applicable law;
- informing the data protection authority when there are data risks or violations of the law; and
- complying with requirements issued by the Superintendent of Industry and Commerce.