Law 1581/2012 Colombia

Overview

Colombia's Law 1581 of 2012, also known as the Data Protection Law, establishes general provisions for the protection of personal data. It regulates how personal data should be processed by both public and private entities, ensuring individuals' rights to access, update, and rectify their information. The law aims to safeguard personal data privacy in compliance with the country's constitutional guarantees.

Decree 1377 of 2013 further regulates aspects of Law 1581, including the requirements for obtaining data subject consent, policies for data processing, and data transfers. Decree 90 of 2018 amends certain requirements regarding the registration of personal data databases. Law 1266 of 2008 regulates the handling of personal data specifically related to financial, credit, and commercial services.


Regulation Summary

Timeline
  • Enacted: October 17, 2012
  • Effective Date: October 18, 2012 (Published in the Official Gazette)
  • Regulated by: Decree 1377 of 2013

What Businesses Are Affected
  • Entities operating in Colombia that process personal data.
  • Foreign businesses processing data of Colombian residents when applicable under international treaties.
  • Public and private databases handling personal information.

Exemptions
  • Personal or household data processing for non-commercial use.
  • Data used for national security, defense, or criminal investigations.
  • Journalistic databases for news and editorial purposes.
  • Data governed by financial regulations under Law 1266 of 2008.

Principles
  • Obtain prior, explicit, and informed consent before processing personal data.
  • Inform individuals about data collection, purpose, and retention periods.
  • Ensure data security to prevent unauthorized access, modification, or loss.
  • Respond to data subject requests within 10 business days.
  • Notify the Superintendence of Industry and Commerce (SIC) in case of data breaches.
  • Appoint a Data Protection Officer (DPO) if engaging in large-scale data processing.
  • Maintain records of processing activities for regulatory audits.

Specific Responsibilities for Website Owners
  • Publish a privacy policy explaining how data is collected and used.
  • Implement cookie consent mechanisms for tracking technologies.
  • Provide users with the ability to withdraw consent at any time.
  • Secure online forms and payment data to prevent data breaches.

Additional Requirements
  • Cross-border data transfers are restricted, unless:
    • The recipient country offers adequate protection.
    • The transfer is legally required or contractually necessary.
    • The data subject has provided explicit consent.
  • Impact assessments are required for high-risk data processing activities.

Data Subject Rights
  • Access: Individuals can request copies of their personal data.
  • Correction: Users can update or correct inaccuracies.
  • Erasure: Data subjects may request deletion of their data under certain conditions.
  • Portability: Personal data can be transferred to another provider upon request.
  • Objection: Individuals can object to data processing for marketing or profiling purposes.

Enforcement
  • Regulatory Authority: The Superintendence of Industry and Commerce (SIC) oversees compliance and enforcement.
  • Penalties:
    • Fines up to 2,000 times the minimum monthly wage (approx. COP 2 billion / ~$500,000 USD).
    • Temporary or permanent suspension of data processing activities.
    • Criminal liability for unauthorized disclosure of sensitive data.

Questions?

If you would like to learn more, our compliance experts are happy to support you.

support@clym.io
+1 980 446 8535 +1 866 275 2596