In 2011, Colombia enacted new measures to upgrade its privacy and data protection laws, many sections of which draw on the experience of the European Union. Some of the main areas are:
- The law prohibits the processing of personal data without the data subject’s prior consent. When the personal data are sensitive data (e.g., health data), the consent must take the form of an explicit authorization.
- The law permits cross-border transfers of personal data to countries that lack adequate data protection laws only in specified circumstances, such as (1) when the data subject has given express and unequivocal consent for the transfer, (2) when the transfer is necessary for the performance of a contract between the data subject and the data controller, or (3) with the approval of the Superintendence of Industry and Commerce.
- The processing of children’s personal data is generally prohibited.
- Data subjects have access rights.
Unlike other EU-style data protection laws that place obligations primarily on data controllers, this law would also directly regulate data processors. Under the legislation, a data processor would need to comply with a long list of requirements, including:
- Informing the Superintendence of Industry and Commerce when there are violations of security rules or there are risks in the administration of personal data.
- Developing an internal manual containing policies and procedures to ensure compliance with the law, with special emphasis on addressing data subjects’ inquiries and claims.
- Facilitating data subjects’ access requests and guaranteeing the right of hábeas data.
- Indicating in its database when information is subject to certain disputes or judicial processes.
- Refraining from circulating information that is subject to certain disputes.
- Protecting personal data against fraud and security threats.
- Updating its databases within five days to reflect new information received from the relevant data controllers.