Last review date: 10 December 2024

Yes.

The restrictions or requirements are as follows:

☒        qualified right not to be subject to a decision based solely on automated decision making, including profiling – for example, only applicable if the decision produces legal effects concerning them or similarly significantly affects them

☒        right to information / transparency requirement

☒        right to request human review of the automated decision making

The data subject should be given the option to grant consent for processing their personal data under automated decision-making mechanisms. This consent should be independent and autonomous from the consent granted for other processing purposes. As blank or bundled consents are not permitted under applicable data protection laws in Colombia, a tick box is required for each processing purpose.

Last review date: 10 December 2024

Yes.

The exceptions are as follows:

Entities processing personal data of individuals (regardless of their nationality) who are domiciled in the territory of Colombia are required to appoint an area or department within the company, or a specific person as Data Protection Officer responsible for the privacy practices of the organization. The duties of the Data Protection Officer can be exercised by an individual or an area or division within the organization. While Colombian laws do not require the privacy officer to be located in Colombia, the privacy officer is obliged to respond in a timely manner to all queries and complaints and must be fully knowledgeable of the organization's operations and privacy policies. There are no specific requirements for the appointment of this officer, so it can be anyone the company considers suitable for the position.

In addition, data controllers and data subjects must follow the instructions given by the SIC External Circular No. 002 of 2024. This Circular indicates that it is mandatory to identify and classify risks associated with using artificial intelligence in processing personal data. Likewise, it is necessary to carry out an impact study assessment on the activities that will involve the processing of personal data with artificial intelligence, before implementing said activities.

Last review date: 10 December 2024

Yes.

The Superintendence of Industry and Commerce published a guideline (soft law) establishing some recommendations from the Ibero-American Network of Data Protection. This guideline mentions the use of AI in the context of data privacy but does not go into detail.

In addition, the Superintendence of Industry and Commerce published External Circular No. 002 of 2024, which provides specific instructions for data controllers and data subjects on processing personal data using artificial intelligence.

Last review date: 10 December 2024

☒         No enforcement activity to date

Last review date: 10 December 2024

☒        Proposal for legislation or regulation at an early stage

There are currently seven proposals for legislation at an early stage, which are the following: Bill of Law 59 of 2023, Bill of Law 091 of 2023, Bill of Law 130 of 2023, Bill of Law 255 of 2024, Bill of Law 005 of 2024, Bill of Law 113 of 2024, Bill of Law 154 of 2024.