New Rules on Data Protection

Through Decree 255 (23 February 2022), the Colombian government has issued the following new binding corporate rules regarding data protection:

1. Binding Corporate Rules (“BCR”) are policies, corporate governance principles or good business practices of mandatory compliance by any party treating personal data located in Colombia in order to be able to transfer such data to a third party abroad and belonging to the same business group.
2. Transfer of data abroad between companies belonging to the same economic / business group must be governed by BCR that must guarantee compliance with data protection principles and regulation in Colombia.
3. BCR must ensure that all data is:
4. • Treated in a licit, loyal and transparent manner in relation to the data owner.
   • Collected for specific, explicit and legitimate purposes and that it shall not be treated later on with purposes incompatible with the original purpose.
   • Adequate, pertinent and limited to what is required for its purpose.
   • Exact and regularly updated thus taking all reasonable measures to delete or rectify inexact data.
   • Kept in such a way that the data titleholder may be identified during the specific period required for its purpose.
   • Treated under control of the party responsible for its treatment who must guarantee and evidence compliance with the above rules.

4. Each of the entities forming the business group shall be jointly and severally liable for compliance with the group’s BCR.
5. The Colombian Superintendence of Industry and Commerce (SIC) may impose sanctions to the Colombian member for defaults by other members of the business group abroad.

BCR must contain at least the following requirements:

1. Structure and contact details of the business group and each one of its members to which the BCR apply.
2. Data transfers or series of transfers including categories, type of treatment and purposes, type of affected titleholders and name of the third party or third countries.
3. Its legally binding character, for all entities forming the corresponding business group.
4. Application of legal principles for data protection as envisaged in Law 1581 of 2012 and its regulation.
5. Reference to titleholders’ rights pursuant to Law 1581 and its regulation as well as the means to exercise such rights.
6. Measures adopted to avoid transfer to other entities not belonging to the same business group.
7. Reference to the staff in charge of compliance with BCR as well as claims’ supervision and processing.
8. Mechanisms established within the business group to guarantee verification of compliance with BCR. This must include data protection auditing and methods to guarantee corrective measures to protect the right of data titleholders.
9. Mechanisms to communicate and record modifications introduced to policies and to notify such modification to the SIC.
10. Data protection training for the staff having permanent or regular access to personal data.
11. Procedures for titleholders to be able to file consultations or claims and to be timely processed.
12. Adoption of accountability measures to evidence that useful, timely, pertinent and efficient measures have been implemented to comply with BCR.
13. Additional requirements and specifications to be issued by the SIC regarding this matter.

Approval by the SIC

The SIC shall approve the BCR complying with the following requirements:

1. Are legally binding and apply to all members of the business group responsible for the transfer and treatment of personal data.
2. Expressly confer the data titleholders the power to exercise the rights envisaged in Law 1518 of 2012.
3. Meet the requirements established in Decree 255

BCR may be submitted to approval by the SIC once approved by the corresponding corporate bodies. Those filed for approval by the SIC shall be in force upon the approval date. The business group that obtains such approval must inform about it in its web page

We will keep you posted on the regulation that will follow this decree containing specific requirements.