Key Data & Cybersecurity Laws
How are data and cybersecurity laws/regulations implemented?

Last review date: 10 December 2024

☒ omnibus – all personal data
☒ constitutional

What are the key cybersecurity laws and regulations?

Last review date: 10 December 2024

The Colombian Information and Communications Technology Ministry issued Decree 338 of 2022, which modified Decree 1078 of 2015, with general guidelines to strengthen digital security, identify critical cybernetic infrastructures and essential services, and regulate the management of risks and the response to digital security breaches. This regulation is applicable to all public agencies as well as private companies and individuals who carry out administrative activities or administer critical cybernetic infrastructures or provide essential services.

  • Guidelines of the Superintendence of Industry and Commerce (SIC) regarding security incidents and data breaches

What are the key laws and regulations relating to non-personal data?

Last review date: 10 December 2024

Are new or material changes to those key data and cybersecurity laws anticipated in the near future?

Last review date: 10 December 2024

There are no material changes in data privacy and cybersecurity. However, a new Bill of Law (152 of 2024 of the Cámara) regarding data privacy has been filed before Congress. This Bill of Law follows the parameters of the EU General Data Protection Regulation (EU GDPR) and would introduce structural modifications to Colombian legislation, such as to the bases of legitimacy; currently, the sole basis of legitimacy is consent.

It is important to note that there are currently seven legislative proposals (Bills of Law) aimed at regulating the use of artificial intelligence. Some provisions in these Bills of Law relate to implementing personal data protection and cybersecurity measures, which would include specific regulations. It is worth highlighting that many aspects of cybersecurity are currently implemented through the principle of accountability, which establishes a very broad parameter of obligations depending on the conditions of each controller and processor. As a result, we can expect developments in this area in the medium to long term.