What are the penalties for noncompliance with any applicable data protection laws?
Noncompliance with data privacy laws and data breaches may lead to sanctions, fines, and penalties. The amounts are usually calculated according to the risk to which personal rights were exposed and the preventive measures taken by the data controllers, processors and sub-processors in relation to their respective role in the chain of personal data processing.
There are multiple fines and sanctions under Colombia’s data protection law (Law 1581 of 2012). Noncompliance with the law can lead to fines of up to 2,000 times the legal monthly minimum wage. These fines can be levied repeatedly until the individual or company complies with the law. In addition, and likely more important for employers, the processing of employees’ personal data that’s in violation of the law could be suspended for up to six months. The operations relating to collecting and processing the data may be temporarily closed if corrective measures haven’t been taken within the six-month period. In addition, when there are violations relating to sensitive personal data, the processing operations may be closed immediately.
Penalties are determined based on a number of factors, including the extent of damages, the economic benefit the employer obtained by the violation, the repeated nature of the violation, compliance (or reluctance to comply) with the investigative and/or supervisory authorities, and the acceptance/acknowledgment to the commission prior to a sanction being levied.