Do individuals have the right to access their personal information?
Jurisdictions with data protection laws tend to guarantee the right of individuals to contact an organization directly and find out whether their personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.
Information Processing Policy
In Colombia, employers are required to maintain an information processing policy that is accessible to employees in paper or electronic form. The policy should include:
- contact information for the employer;
- the purpose(s) for processing personal data if not disclosed in a data processing notice;
- employees’ rights with respect to their personal data;
- contact information for the person or department responsible for responding to requests to exercise rights, inquiries and complaints about data processing;
- procedures for responding to employee requests to exercise rights relating to data processing;
- an effective date.
Material changes in the policy must be promptly communicated to employees.
Employee Access Requests
Employees and other individuals are entitled to request access to their personal data, free of charge, monthly or after a material change to the employer’s information processing policies. When an employer receives a personal information request from an employee, the employer must respond within 10 business days. When it’s not possible to provide this information in 10 days, the employee must be informed of the reason for the delay within 5 business days.
Employees also have the right to request that inaccurate information be updated, corrected or deleted. Employees and other data subjects may file a complaint with the employer or send it through the appropriate unit designated by the employer (i.e., the data controller). Note that employers do not need to comply with deletion or revocation requests when there is a legal or contractual duty to retain the personal data.
Requests for correction, update or deletion should be handled within 15 business days. If there is an unavoidable delay, the individual must be informed of the reason for the delay, and changes (if any) must be made within 8 business days after the end of the original 15-day period.
HR Best Practices: Inform employees, job applicants and other individuals of their rights relating to their personal data. When receiving employee personal data access requests, ensure procedures are in place to enable a timely response within the required period.