By: María del Pilar Duplat M. – Peña Mancero Abogados
The Colombian tax authority (DIAN by its Spanish acronym) issued resolution 13 of February 11, 2021 regulating the implementation of the electronic payroll system (the “Electronic Payroll Resolution” or the “Resolution”).
Who must submit the electronic payroll to DIAN?
Income taxpayers that are employers or that make payments due to legal or regulatory relationships or that make pension payments, and require to support said costs and deductions in their tax returns.
On a monthly basis, the aforementioned subjects must submit to DIAN a payroll supporting document for its approval or correction.
What is the payroll supporting document?
The electronic payroll supporting document is the document that shows all labor-related payments made by the employer. This document must contain the following information for its creation, transmission and approval by DIAN:
Expressly indicate that it is an electronic payroll supporting document.
Employer complete name of the individual or entity, ID Number or tax id number.
Complete name(s) and ID of the person who receives the payment.
The Unique Code Number of the Supporting Document of the electronic Payroll (CUNE by its initials in Spanish).
Internal consecutive number granted by the subject obliged to submit the electronic payroll.
Contents and amounts of the accrued value of payroll pursuant to the Technical Appendix to the Electronic Payroll Resolution.
Contents and amounts of the deducted sums from the payroll pursuant to the Technical Appendix to the Electronic Payroll Resolution.
Total amount resulting from the difference between the total accrued payroll payments minus the total deducted sums from the payroll payments.
The contents of the Technical Appendix as provided in article 20 of the Electronic Payroll Resolution, regarding the information and contents contained herein.
The form of payment of the payroll per the Technical Appendix to the Payroll Resolution.
Date and time of creation of the document.
Digital signature of the Subject who pays the Payroll in accordance with the DIAN’s requirements of authenticity and integrity of the signature.
Complete name and ID or tax id number of the software supplier and identification of the software.
When do I have to submit the electronic payroll to DIAN?
The electronic payroll supporting document must be issued and sent to DIAN on a monthly basis, ten (10) days after its creation or issuance.
As of when must the electronic payroll be implemented?
Implementation Calendar for subjects per the number of employees
Beginning date of the enabling of the electronic payroll data processing system
Maximum date to start the issuance and transmission of the electronic payroll payment support document and the electronic payroll payment support document adjustment notes.
Range in relation to the number of employees
May 31st, 2021
July 01, 2021
More than 251
August 01, 2021
September 01, 2021
October 01, 2021
November 01, 2021
December 01, 2021
Permanent Implementation Calendar
The obliged subjects will have a term of two (2) months from the date in which they make the payroll payments to carry out the enabling of the service and proceeding to transmit the supporting documents of the electronic payroll and its adjustment notes.
The remaining subjects must issue the supporting payroll document and their adjustment notes to request the costs and deductions of the income tax and the VAT deductible taxes, when applicable.
Implementation calendar for subjects not obliged to issue electronic sales invoices
Subjects not obliged to issue electronic sales invoices must start the enabling of the electronic data payroll service on March 31, 2022; and they must issue and send the supporting document of the payment of the electronic payroll and their adjustment notes, no later than May 31, 2022.
How do I issue the electronic payroll documents?
The enabling procedure is the one that is developed within the electronic invoicing system which must have the function to issue the electronic payroll supporting document pursuant to DIAN’s requirements.
The enabling procedure must be carried out before the date when the subjects must start with the implementation and the term when they must submit the monthly electronic payroll.
If you have further inquiries regarding this new regulation, please do not hesitate to contact us at: email@example.com
Why a due diligence process may become a nightmare in Colombia?
Strong institutions with reliable databases available to the public are key when carrying out a due diligence process. In most cases, information provided by the target is insufficient and not always accurate. This means that attorneys must be creative in order to look for the right information in the right places.
Here are some examples of what can go wrong if a due diligence process is not properly handled:
Real estate is tricky in Colombia, especially when you acquire assets or companies with rural real estate. Many attorneys focus on making sure that the “owner” of the land or property is duly recorded with the Real Estate Registry without realizing there is so much more! For instance: (i) determining whether the area has oil & gas or mining licenses that would create compulsory easements or eventually hinder its use; (ii) determining whether there are environmental restrictions such as being part of a national park, a protected wetland or a forest; (iii) verifying whether the land was formerly owned by communities or people who had to give it up because of armed groups’ pressure and are now subject to restitution proceedings; (iv) confirming that the land is not in fact a barren land that someone occupied as, regardless of time lapsed, it will continue to be State-owned and not subject to transfer.
The Superintendence of Corporations recently issued a new regulation introducing stricter rules for anti-money laundering and terrorism financing. We cannot hide that Colombia has individuals and companies involved in such activities that do business in creative manners so as to disguise the true origin of their funds. A proper investigation during due diligence should include examining who the beneficial owners of the target are and searching not only the standard international OFAC and similar lists but also carrying out a full search of local media publications and other more informal sources of information.
Latin American countries keep facing more and more corruption scandals. Colombia is not the exception. Doing business with relatives, partners and close friends of politically exposed parties can be risky. A proper due diligence should involve requesting full disclosure not only from all sellers but also from the target’s main stakeholders. Regulatory standards can be found in the Colombian anti-corruption statute.
Unlike most Latin American countries, Colombia’s foreign exchange regulation imposes strict reporting obligations concerning foreign-currency-related operations such as foreign investment, receiving or granting loans from/to foreign residents, granting securities abroad, imports and exports. Non-compliance with such obligations may derive in huge fines to be imposed either by the Superintendence of Corporations or by the tax authority (DIAN). To avoid such liability, due diligence should include reviewing all the above foreign exchange transactions including: timely filing of reports to the Central Bank; correct reporting of each transaction; requesting an up-to-date report from the Central Bank to obtain information on all reported items.
When searching for the history of land, corporations, litigation, property and any other asset that is subject to public record, one must be careful in Colombia. Government agencies are not always up-to-date and technology tends to be basic when it comes to search engines. There are entities and courts who simply do not provide such service to the public so not being able to complete an independent verification of the target’s records is common.
Being able to distinguish between what a “deal breaker” is and what not requires a thorough understanding of the risks involved and their eventual effects. For example, if a mining license does exist on the target’s land, a deal breaker would be not being able to use the land at all because of a compulsory easement that would prevent you from carrying out any activity whatsoever and that land being essential and of great value to the business you are acquiring. Otherwise, you may still negotiate such liability being properly disclosed in the “Disclosure Schedule” of the purchase agreement and establishing an escrow or taking any other measure to tackle loss if occurring. The same thing cannot be said when there are findings concerning money laundering or corruption charges. The risk involved in such situations would need to be measured in a very conservative manner as effects would not only involve economic consequences but eventual imprisonment.
Peña Mancero Abogados is publishing a series of high-level articles on M&A activity in Colombia. This article is for information purposes only and does not constitute legal advice. If you require further information, please contact Gabriela Mancero (firstname.lastname@example.org)
Guidelines for the treatment of personal data in artificial intelligence
By: María del Pilar Duplat – Peña Mancero Abogados
In June 2019, the Superintendence of Industry and Commerce (hereinafter “SIC”) issued its Guidelines for the treatment of personal data through Artificial Intelligence (AI).
Purpose of the Guidelines
The guidelines seek to provide a series of suggestions to those who develop artificial intelligence projects based on the Standards for Data Protection for the Iberoamerican States of the Ibero-American Data Protection Network (RIPD, after its acronym in Spanish).
To comply with local regulation on the treatment of personal data
To avoid any legal objection over the AI products, it is important that your organization develop from the beginning a legal risk study of the local regulations to determine a strategy to:
Mitigate legal risks.
Earn and maintain the trust of the users of the AI technologies.
Prevent any damage to the reputation of the organization.
Avoid potential investigations from data protection or other authorities.
To develop privacy impact studies
Before designing and developing AI products and to the extent possible, if there is a high risk of affecting the data protection rights of the owners of the data, it is necessary to develop a Privacy Impact Assessment (PIA) to put in place an effective system of risk management and internal controls to guarantee that the data is dully treated and in compliance with the current regulation.
Said PIA must contain at least the following:
A detailed description of the operations of treatment of personal data involved in the development of the AI.
An evaluation of the specific risks for the rights and liberties of the owners of the personal data.
The measures foreseen to face the risks, including the guarantees, safety measures, software design, technologies and mechanisms that guarantee the protection of the personal data, taking into consideration the legitimate interests and rights of the owners of the data and other potentially affected third parties.
The results of the PIA with the risk mitigation measures are part of the principle of privacy by design and by default.
To include the privacy, ethics and security from the design and by default
The privacy by design and by default is considered as a proactive measure towards the Principle of Accountability. By including the privacy from the design, the organization seeks to guarantee the adequate treatment of the personal data used in the AI procedures, even before the risks are materialized.
Thus, the privacy by design must be included in the design, the architecture of the software or the algorithm of the AI product. The following are the purposes that the technology must include:
Avoid unauthorized access to the data.
Avoid the manipulation of the data.
Avoid the destruction of the information.
Avoid unauthorized or improper uses of the information.
Avoid the circulation or supply of the data to unauthorized people.
The safety measures must be adequate and must consider various risk factors, such as:
The risk levels of the treatment of data for the exercise of the rights and freedoms of the owners of the data.
The nature of the data.
The potential consequences derived from a safety breach and the magnitude of the damage caused by said breach to the owner and, overall, to the society.
The number of owners of the data and the amount of information.
The size of the organization.
The available resources.
The monitoring and follow-up of the reliability of the algorithms.
The status of the technique
The reach, context and purposes of the treatment of the information.
The cross-border circulation of the data.
The uncertainty and complexity of each AI initiative.
Every safety measure must be revised, evaluated and permanently improved.
The following are risk management aspects that have an impact on the algorithms:
To materialize the principle of accountability
The designers and developers of AI products must adopt useful, appropriate and affective measures to comply with their legal obligations. They must also show the evidence of the correct compliance of their duties. Said tools must be subject to permanent revision and evaluation to determine their effectiveness regarding the compliance and degree of protection of the personal data.
For said purpose, and to comply with the principle of accountability, the organization should have, at least the following:
Allocate resources to implement data protection programs and policies.
Implement a risk management program for the treatment of data protection.
Develop mandatory data protection programs and policies within the organization.
Put in place training and updating programs for the personnel on the obligations of data protection.
Review periodically the policies and programs for the safety of the data to determine the required amendments.
Incorporate an internal and external surveillance system, including audits, to verify the compliance of the data protection programs and policies.
Establish procedures to receive and answer questions and complaints of the owners of the data.
The accountability principle goes further than just creating a series or policies and programs, it requires that the organization responsible for the treatment of the data can show evidence of concrete results of the correct treatment of the personal data in the AI projects.
To design adequate governance schemes over the treatment of personal data in the entities who develop AI products.
It is recommended that the organization defines a structure with clear functions and responsibilities that guarantee a proper corporate governance for the respectful treatment of the norms related to the personal data protection regime and the rights of the owners of the data.
The main functions and responsibilities that must be set within the organization are the following:
Develop risk management evaluations.
Decide which decision-taking models will be used.
Develop maintenance, monitoring and revision activities.
Review the channels of communication with the users and consumers.
To undertake measures to guarantee the principles of data protection in the AI Projects
Every person or organization responsible or in charge of the treatment of personal data must foresee adequate and efficient strategies to guarantee the compliance of the principles of treatment of personal data pursuant to the principles of the Standards for Data Protection for the Ibero-American States of the RIPD.
To respect the rights of the owners and implement effective mechanisms so they can exercise them.
The organizations that create or use AI technologies must guarantee the following rights to the owners of the personal data:
It is specially important to talk about the right “not to be subject to automated individual decisions” when we talk about AI proyects. Thus, when talking about AI projects, it must be a possibility for the owners of the personal data to argue any decision related to the treatment of his/her personal data before a human being, and that it is not 100% in charge of algorithms or automated procedures.
Additionally, the RIPD’s Standards forbid that the automated decisions are discriminatory. Thus, developers of the AI proyects must foresee in their design all the mechanisms or options for the owners of the data to exercise their rights through simple, free, fast, and accesible means that allow them to access, rectify, cancell, opose or transfer their personal data.
To ensure the quality of the data
One of the risks using AI is that the machine is biased due to the configuration of the algorithm and the quality of the information. To minimize the risk of bias and prevent the breach of the rights of the owners of the personal data, it is suggested that:
The information used by the AI is true and precise.
The organization carries a registration of the source of the data.
The organization makes audits of the sets of data used in the creation of the algorithms used in the decision-making processes by the machine.
Grant veracity scores to the sets of data used to train the machine during its creation.
Regularly update the data.
Have separate sets of data to train, prove, and validate the decision-making processes.
To use anonymization tools
It is important to determine if it is strictly necessary that the information that will be used by the AI must be used or linked to a person. If it is not necessary it is recommended that the information is used anonymously, so the owner of the data is not identified. In this way, the anonymization will help in the mitigation of the risks of massive treatment of personal data in the AI projects and procedures.
To increase the trust and transparency with the owners of the personal data
A transparent organization may increase the trust of the owners of the Data in it through:
Keeping open communication channels with Data owners and disclosing its policy for the treatment of the personal data in AI procedures or products. It is important to use a simple language that a non-expert in AI may understand.
Carrying out pilot tests to evaluate the decision-making model and correct any problem that may exist.
Giving the option to the data owner, in certain cases, that its information is excluded from the data provided and studied by the machine in the development of the algorithms and patterns in the cases allowed by law.
Implementing revision channels so the decisions taken by the machine may be revised by humans to ratify them or correct them.
Why is Big Data so important for the evidence in the judicial and arbitral proceedings?
Título: Why is Big Data so important for the evidence in the judicial and arbitral proceedings?
Fecha de publicación: may. de 2018
Descripción de la publicación: Blog del Departamento de Derecho de los Negocios de la Universidad Externado de Colombia
Descripción de la publicación: The ICLG to: Mining Law covers common issues in mining laws and regulations – including the mechanics of acquisition of rights, foreign ownership and indigenous ownership requirements and restrictions, processing and beneficiation, transfer and encumbrance – in 32 jurisdictions.
Editorial: GLOBAL LEGAL GROUP
Autor: Gabriela Mancero
The Colombian Competition Agency orders precautionary measures as a result of the Odebrecht case
The Colombian Competition Agency orders precautionary measures as a result of the Odebrecht case
We present the May 2017 edition of the IBA Antitrust Committee newsletter, which covers news from 34 different jurisdictions around the world, including Colombia where Gabriela Mancero, partner of Peña Mancero Abogados contributed to this issue.
We present the September 2016 edition of the IBA Antitrust Committee newsletter, which covers news from 34 different jurisdictions around the world, including Colombia where Gabriela Mancero, partner of Peña Mancero Abogados contributed to this issue.