BTN News: In recent years, the handling of personal data has become one of the most contentious issues worldwide, with numerous companies under investigation for allegedly selling customer and user information. The processing of personal data encompasses any operation carried out on information that can identify a natural person, including names, addresses, phone numbers, email addresses, medical history, and more. In Colombia, the protection of such sensitive information is governed by Law 1581 of 2012, commonly referred to as the Personal Data Protection Law. This legislation is primarily designed to safeguard the fundamental right of individuals to “know, update, and rectify the information that has been collected about them.”
The Personal Data Protection Law lays out the principles and rules that natural and legal persons must adhere to when collecting, storing, using, or sharing personal data. Recently, the Superintendence of Industry and Commerce (SIC) released new guidelines concerning the management of personal data by corporate administrators, emphasizing their crucial role in ensuring data privacy.
On August 23, 2024, through External Circular No. 003, the SIC introduced new directives for corporate administrators—those natural or legal persons responsible for the management and representation of a company. The guidelines underscore the importance of these administrators in upholding data protection standards within their organizations, especially given the constitutional mandates that govern such practices in Colombia.
The SIC’s circular references specific articles of the Colombian Constitution to underline the importance of these new instructions. Article 2 emphasizes the necessity to “ensure the effectiveness of the principles, rights, and duties enshrined in the Constitution.” Article 15 asserts that “all persons have the right to personal and family privacy and to a good name, and the State must respect and ensure these rights.” Article 333 affirms that “economic activity and private initiative are free, within the limits of the common good,” and highlights that “free economic competition is a right of all, which entails responsibilities,” further noting that “the company, as the foundation of development, has a social function that implies obligations.”
The SIC, in its capacity as the National Data Protection Authority, has aligned its latest guidance with the broader objectives of the National Government to ensure the effective protection of fundamental rights. The SIC has clarified that the issuance of External Circular No. 3 on August 22, 2024, aims to instruct corporate administrators on the scope of their obligations concerning the processing of personal data.
Moreover, the SIC stresses that, under the data protection regime and particularly concerning the principle of demonstrated responsibility, administrators must establish effective internal policies and appropriate corporate guidelines to implement preventive measures that protect the rights of data subjects under the Habeas Data right.
The introduction of these new instructions is intended to harmonize statutory norms that primarily aim to ensure the constitutional protections of the Habeas Data right and the proper treatment of personal data. By reinforcing the obligations of corporate administrators, the SIC is making a concerted effort to enhance the protection of personal data in Colombia, reflecting a broader commitment to safeguarding individual privacy in the digital age. These developments signal a crucial step in ensuring that companies adhere to the highest standards of data protection, thereby fostering greater trust and security for all stakeholders involved.