From: Morgan, Lewis & Bockius LLP

Humbertyo Padilla Gonzalez and Emilio Grandío-Urrea

Regulations stipulate that all individuals have the right to know about and update personal information that has been gathered about them by public or private entities.

On July 27, Colombia enacted Decree 1377 (the Decree), which adds regulations to the 2012 Colombian General Personal Data Protection Law (the Law). The Decree is central to the proper operation of the Law as it strengthens and supplements some of the Law’s most critical provisions.

The purpose of the Law is to protect the constitutional right of all individuals (the Owners) to know about, update, and correct personal information that is or has been gathered or processed about them in databases and archives by public or private entities (the Holders). Importantly, the Law does not apply to data of legal entities or personal data of individuals that is public. In addition, excluded from the application of the Law are all databases maintained for (i) personal or domestic purposes exclusively, (ii) national security purposes, (iii) journalistic files and other editorial content, (iv) credit and similar financial information (which is regulated under separate laws), and (v) census information. It is currently unclear how the authorities will construct the use of personal information for “personal or domestic purposes exclusively.”

The Law generally prohibits the processing of any individual’s sensitive information without the prior, explicit, and informed consent of that individual. Sensitive information includes information that affects the privacy of the Owner or that may lead to discrimination if misused. This information mainly relates to the race, religion, political affiliation, and sexual orientation of any individual.

Some of the central features of the Decree are (i) the implementation of a mechanism to obtain and revoke an Owner’s consent to use his or her personal information and (ii) the delivery, or creation of notice mechanisms when delivery is not possible, of clear and simple policies for the treatment of personal information.

It is important to note that Holders must obtain the Owners’ consent even if the information was collected prior to the enactment of the Decree. In addition, the consent given by Owners for the use of their personal information may be revoked at any time except when the Owner has an obligation under law or contract to maintain the personal information in the applicable database. Upon revocation of the Owners’ consent, Holders must delete or destroy, as applicable, any record of such information.

The Law specifically prohibits the issuance of ambiguous or broad policies for the use and treatment of personal information and calls for simple, specific, and clear policies. The Decree includes detailed provisions with respect to the treatment of personal information of minors and the cross-border transfer of personal information.

Sanctions for violations of the Law and Decree may range from fines of up to approximately USD $620,000 to suspension and permanent closure of the operation involved in the processing or treatment of sensitive personal information.

Organizations doing business in Colombia should ensure that, among other things, their guidelines and policies for the retention of personnel information meet the elements of an effective compliance program under the Law and the Decree.