Last review date: 10 December 2024
The Colombian Personal Data Protection Office (Delegatura para la Protección de Datos Personales) is a branch within the Superintendence of Industry and Commerce (SIC). While the Superintendence of Finance (the governmental entity in charge of regulating financial entities) has some specific powers regarding data protection over entities under its supervision, the Colombian data protection authority is the data protection office of the SIC.
The Ministry of Information Technologies (Ministerio de Tecnologías de la Información) issues regulations regarding data protection and cybersecurity.
There is no centralized entity that regulates the handling of non-personal information.
Privacy regulator: Very active
Cybersecurity regulator: Very active
Please be aware that cybersecurity regulations are mandatory for public agencies and private companies and individuals who carry out administrative activities, administer critical cybernetic infrastructures or provide essential services. Therefore, there is no active investigation, surveillance or control for private companies or individuals.
In the last months of 2024, the SIC issued three External Circulars related to the Registry of Excluded Numbers in accordance with Law 2300 of 2022. This Law created a public registry where data subjects can register, preventing controllers from contacting them with advertising messages. The Circulars also addressed the use of artificial intelligence in the processing of personal data and the responsibilities of company managers in the processing of personal data. Therefore, it is likely that the actions of the SIC will focus on verifying compliance with the instructions outlined in these External Circulars.
A Committee has now been created in Congress to discuss the seven Bills of Law that aim to regulate the use of artificial intelligence. Hence, it is possible that in 2025 there will be developments regarding the regulation of artificial intelligence, particularly in the context of personal data processing.
Regulatory investigations or direct enforcement activity by data or cyber regulators are:
☒ Common
☒ Increasing
Class actions/group actions under data or cyber regulation are:
☒ Rare
☒ Increasing
There are:
☒ administrative remedies from regulators and law enforcement
Penalties for not complying with applicable data protection laws may include the following:
☒ criminal penalties from regulators and law enforcement
The Criminal Code treats the processing of data without consent as a felony, punishable by a prison sentence of four to eight years and fines from approximately USD 30,000 to USD 300,000 at current exchange rates.
☒ private remedies
Class actions or individual civil liability claims may be brought in the event of a violation of the constitutional right to habeas data and the personal data protection regime, to seek compensation for the damages caused by such violations.