PERSONAL DATA

REGULATION IN COLOMBIA
Recolección de datos personales

2 It is not allowed to use deceptive or

fraudulent means to collect or
manage the personal data of users.

1 Data collection should be limited that

which is relevant and appropriate for
the purpose for which the data is being
collected.
 1. Privacy notice.
Verbal or written communication
generated by the person in charge or
responsible for the treatment of the
personal data being collected, which gives
information about:
Definiciones • The existence of Personal Data Treatment
prelimnares Policies which will be applicable to the
user.
• The way to access to the policies
implemented by the person responsible
for the collection of personal data.
• The purposes for which data is being
collected.
 2. Public data
• It is the data that is not private or
sensitive.
• Public data is that related to the civil
status of the persons, data related to the
Definiciones profession or trade, or data that by its
prelimnares nature may be contained, among
others, in public records, public
documents, gazettes and official
bulletins and judicial decisions duly
executed that are not subject to
reservation.
 • 3. Sensitive data
• Sensitive data is understood to be that
information which affects the owner's
Definiciones privacy or whose improper use can result
in discrimination.
prelimnares • For example, data that reveals racial or
ethnic origin, political orientation, religious
or philosophical convictions, membership
to unions, social organizations, human
rights activism or that promotes the
interests of any political party.
 • 4. Transfer

The transfer of data takes place when

Definiciones the person in charge of collecting,
managing or processing personal data,
prelimnares located in Colombia, sends the
information or personal data to a
receiver, who in turn is responsible for its
treatment and who is inside or outside
Colombia.
How to perform
data collection?
• Authorization must be obtained from the
personal data owner at the least at the time of
data is collected.

• All specific purposes for which such consent is

obtained must also be informed.
What happens to the
information in public
databases?

• Personal data found in public

databases can be used by any
person as long as, by its nature, the
information is of public concern.
 How to obtain
authorization...
• It can be obtained by any means, including through technical
mechanisms.

• Authorization is valid whether it is given in writing or orally.

• The fundamental requisite is that the person’s authorization to

allow his personal data to be collected cannot be unambiguous.

• In no case may silence be assimilated to unequivocal conduct.

• The Responsible must keep proof of the authorization granted

 Revocation of the
authorization and deletion
of the data.

• At any time, the owner of the information

collected may revoke his authorization or
request the deletion of the information already
collected.

• The revocation will not proceed when the holder

has a legal or contractual duty to remain in the
database.
 Revocation of the
authorization and deletion
of the data.

• The person in charge of the collection of the

information must provide for free and easily
accessible mechanisms to present requests,
making queries or solicit the deletion of the
personal data collected according to the
authorization granted.
 Revocation of the
authorization and deletion
of the data.

• Once the authorization has expired, it is

obligatory to stop collecting personal data
and, to give back the information collected or
to eliminate it.
• Moreover, the owner of the information has the
right to request the Superintendence of Industry
and Commerce to order the revocation of the
authorization and the deletion of personal
data.
 • Those responsible for the business or entity
collecting information must request proper
authorization to continue the collection and
Data collected handling of the information. To do this, the
before the law law authorizes the responsible to solicit
authorization through the mechanisms used
1581 of 2012 in the ordinary course of activities.
• If requesting authorization imposes a disproportionate
burden on the party responsible or it is impossible to request
each person to consent to the processing of their personal
data and to inform them of the information treatment policies
and how to exercise their rights, the person in charge may
implement mechanisms alternate for that purpose.

• Publication of the data treatment policies in newspapers

of wide circulation, local or national journals or
magazines, the website of the responsible, informative
posters, among others.

• Regarding these procedures a report to the

Superintendency of Industry and Commerce must be filed
within five (5) days after its implementation.
 When is there a disproportionate burden?

It is determined by considering:

The territorial scope

The time for which The number of
and the possibility
information has persons to be
of using alternative
been collected. informed.
mechanisms.

The purpose is not to compromise the financial stability of the person in

in charge, the performance of activities specific to his business or his
viability of your programmed budget.
 Time limitations to the processing of
personal data…

1. 2. 3.
Data can only be Once these purpose has Notwithstanding the
collected, stored and been fulfilled, the person foregoing, personal data
used for the time in charge must proceed must be retained when
reasonably necessary to to the suppression of the required for the
fulfill the purpose for personal data in his fulfillment of a legal or
which authorization was possession. contractual obligation.
requested.
When handling information of juveniles and
children, it is imperative to keep in mind:

Respect for their The right of the

The best interest
fundamental child to be
of the child
rights. heard.
Thanks!
Legal Focus