Data protective jurisdictions tend to guarantee the right of individuals to contact an organization directly and find out whether personal data is being tracked. Access procedures and acceptable exceptions (such as business secrecy) are determined by law and may be subject to the control of data protection authorities. In the context of HR, personal data access requests can include information tracked by the company as well as data tracked by third-party solutions, such as background check vendors.
In Colombia, employers are required to maintain an information processing policy that is accessible to employees in paper or electronic form. The policy should include:
Material changes in the policy must be promptly communicated to employees.
Employees and other individuals are entitled to request access to their personal data, free of charge, monthly or after a material change to the employer’s information processing policies. When an employer receives a personal information request from the employee, the employer must respond within 10 business days. When it’s not possible to provide this information in 10 days, employees must be informed of the reason for the delay within 5 business days.
Employees also have the right to request that inaccurate information is updated, corrected or deleted. Note that employers do not need to comply with deletion or revocation requests when there is a legal or contractual duty to retain the personal data.
Requests for correction/update/deletion should be handled within 15 business days. If there is an unavoidable delay, the individual must be informed of the reason for the delay, and changes (if any) must be made within 8 business days after the end of the original 15 day period.
HR Best Practices: Inform employees, job applicants and other individuals of their rights relating to their personal data. When receiving employee personal data access requests, ensure procedures are in place to enable a timely response within the required period.