Territory: Colombia

Data Protection Regulations:

  • Article 15 of the Political Constitution of Colombia
  • Law 1266 of 31 December 2008
  • Law 1581 of 17 October 2012

Links: https://www.funcionpublica.gov.co/eva/gestornormativo/norma.php?i=49981

Regulatory purpose: Article 15 of the Colombian Constitution: "All persons have the right to their personal and family privacy and to their good name, and the State must respect them and ensure that they are respected.

Likewise, they have the right to know, update and rectify the information that has been collected about them in data banks and in the files of public and private entities".

Law 1266 of 2008: general provisions on Habeas Data and regulates the handling of information contained in personal databases, especially financial, credit, commercial, service and third country information, and other provisions. (Habeas Data)

Law 1581 of 2012: general provisions for the protection of personal data.


  • Data controller: Yes. Natural or legal person, public or private, who alone or in association with others, decides on the database and the Processing of the data.
  • Data Processor: Yes. Natural or legal person, public or private, who by himself or in association with others, carries out the Processing of personal data on behalf of the Controller.
  • Data Protection Officer: Yes.
  • Supervisory Authority: Yes. Delegation for the Protection of Personal Data of the Superintendency of Industry and Trade.


  • Principle of legality in data processing
  • Principle of purpose
  • Principle of freedom
  • Principle of truth or quality
  • Principle of transparency
  • Principle of access and restricted transit
  • Principle of security
  • Principle of confidentiality


  • Register of Processing Activities: No.
  • Impact Assessments: No.
  • Risk analysis: No.
  • Technical and organisational security measures: No.
  • Duty to inform: Yes.
  • Data Protection Officer: No.

Data subjects' rights:

  • Right of Access: Yes.
  • Right of rectification: Yes.
  • Right of Suppression: Yes.
  • Right to limitation: Yes.
  • Right to portability: No.
  • Right to object: No.
  • Automated individual decisions, including profiling: No.

International transfers:

Prohibited, with exceptions. Article 26 of Law 1581 of 2012 prohibits, as a general rule, the international transfer of personal data of any kind, to countries that do not guarantee an adequate level of protection for such data, with the exceptions established in that article.

The law empowered the Superintendence of Industry and Commerce to pronounce on international data transfers, by means of the Declaration of Conformity. The Superintendent is empowered to request information and carry out the necessary steps to establish compliance with the requirements for the viability of the operation.

Sanctioning regime:

  • Fines of a personal and institutional nature up to the equivalent of two thousand (2,000) legal monthly minimum wages in force at the time the sanction is imposed. Fines may be successive as long as the non-compliance that gave rise to them persists;
  • Suspension of activities related to the Treatment for up to six (6) months. The act of suspension shall indicate the corrective measures to be adopted;
  • Temporary closure of the operations related to the Processing once the term of suspension has elapsed without the corrective measures ordered by the Superintendency of Industry and Commerce having been adopted;
  • Immediate and definitive closure of the operation involving the Processing of sensitive data.

Certification or accreditation of compliance for companies: Yes.