DPOs and Notification Requirements
Is the concept of data protection officer (DPO) recognized in the jurisdiction?

Last review date: 10 December 2024

Yes.

Are there circumstances in which it is mandatory to appoint a DPO or similar position? If yes, under what circumstances?

Entities processing personal data of individuals (regardless of their nationality) who are domiciled in the territory of Colombia are required to appoint an area within the company, or a specific person as Data Protection Officer responsible for the privacy practices of the organization. The duties of this officer can be exercised either by a specific individual or by an area or division within the organization. While Colombian laws do not require the privacy officer to be located in Colombia, the privacy officer is obliged to respond in a timely manner to all queries and complaints and must be fully knowledgeable of the organization’s operations and privacy policies. There are no specific requirements for the appointment of this officer, so it can be anyone the company considers suitable for the position.

Are there circumstances in which it is mandatory to appoint a DPO or similar position?

Last review date: 10 December 2024

Entities processing personal data of individuals (regardless of their nationality) who are domiciled in the territory of Colombia are required to appoint an area within the company, or a specific person as Data Protection Officer responsible for the privacy procedures and activities of the organization. The duties of this officer can be exercised either by a specific individual or by an area or division within the organization. While Colombian laws do not require the privacy officer to be located in Colombia, the privacy officer is obliged to respond in a timely manner to all queries and complaints and must be fully knowledgeable of the organization’s operations and privacy policies. There are no specific requirements for the appointment of this officer, so it can be anyone the company considers suitable for the position.

Where a DPO is appointed, does the DPO have to meet specific requirements?

Last review date: 10 December 2024

No.

Decree 620 of 2020, which regulates DPO activities and duties, does not establish any special requirement.

Are there obligations to notify, submit filings to, register with or obtain approval from local data protection authorities to collect and/or process personal data generally?

Last review date: 10 December 2024

Yes.

While no prior approval is required, databases must be registered with the Colombian DPA.

Companies must register or update their databases in the National Database Registry (RNBD) in cases where the threshold was met for the prior fiscal year (ending on 31 December):

  • Companies and non-profit organizations with total assets exceeding 100,000 Tax Value Units (for 2024, COP 4,706,500,000 or approximately USD 1,000,000).

According to Colombian law, as of 2021, a database must be registered within two months following its creation if it contains personal data of residents in Colombia, or if personal data is collected using means located in Colombian territory. Additionally, substantial changes to the information registered in the RNBD must be made within the first ten business days of each month, and any non-substantial changes must be updated between 2 January and 31 March of each year.