Data Protection Enforcement in Colombia

Administrative Remedies

The Colombian Data Protection Authority, namely the Superintendence of Industry and Commerce (“SIC”), has the power to investigate, ex officio and based on complaints, alleged violations of the data privacy and data protection rights of Colombian data subjects and of data subjects domiciled in Colombia. The SIC can issue compelling orders to the managers of databases to allow data subjects to access the data and to rectify and/or remove the data collected or processed in breach of the rights of data subjects; temporarily block the collected data as a precautionary measure; and promote and implement educational campaigns on data protection rights, among others.

Sanctions: The SIC can impose fines after the administrative investigation if it considers that the violation has been proven.

  • Data controllers and processors can be subject to fines for breach of data protection regulations, which can be as high as 2.000 minimum legal monthly salaries (equivalent to COP 1.288.700 million during 2015 or approximately USD $545.000 at current exchange rates; this cap is updated annually).
  • Successive fines could be imposed when the violation does not cease upon the order of the SIC.

The SIC can also order the immediate and definitive closure of the activities related to the processing of sensitive data.

Civil Remedies

Data protection is a constitutional right, which is given special and privileged protection by the Colombian Constitution. Individuals may bring a civil claim for monetary damages for any harm suffered from the violation of the constitutional rights to privacy and habeas data, and may also demand the suspension of the practice that gave rise to such violation.

Criminal Remedies

The Colombian Criminal Code establishes that acts or omissions that violate personal data protection rights (including unauthorized collection, compilation, subtraction, offer, sale, exchange, interception, disclosure or modification of personal data), for one's benefit or that of a third party, will be subject to sanctions of imprisonment for a term between 48 and 96 months, and a fine of up to 1,000 minimum legal monthly salaries (equivalent to COP 644350 million or approximately USD $272914 at current rates; this cap is updated annually). The benefit that the Criminal Code provides for has been construed by local enforcement authorities to be a financial or economic one.

Other Remedies

Individuals may also bring constitutional actions (“acciones de tutela”) before Colombian courts, when there is no other more expedited action to stop the violation of their rights or to prevent imminent damages.

Selected Enforcement Actions / General Comments

Law 1581 includes references to the principle of accountability and a provision on Binding Corporate Rules (BCR), which will be subject to further regulation. It is anticipated that the BCR model will provide a more lenient treatment to companies and groups of entities that incorporate sound internal procedures for the adequate protection of privacy rights.

The SIC has started to take actions against managers of databases who have breached data protection rights. Fines have been imposed for creating black client lists to deny services without complying with required procedures, collecting data in excess of the purpose of the collection, and using data for cross selling without consent, among others. Fines have been lenient so far and have not reached 10% of the maximum threshold. Because the regime is fairly new, the SIC has continued to apply a lenient trend in terms of amounts of fines, but this trend can change at any time and once all pending regulations are developed by the Colombian government.

Some examples of recent enforcement action in Colombia include:

  • In 2014 stem cells bank Red Cord was fined COP 123 million (approximately USD $70,000) for the unconsented processing of sensitive personal data of women who tested positive for being pregnant in laboratory tests taken in a laboratory located in the city of Bogota.
  • In 2014 the website www.datajuridica.com was temporarily foreclosed for the unconsented display of personal data. This site allowed users to enter any Colombian ID number and falsely suggested that the person holding a specific ID had a criminal or court prosecution record.
  • In 2012 the SIC imposed fines on mobile phone operator TIGO for collecting credit history data and consulting credit bureaus with respect to individuals who were buying pre-paid packages of mobile phone services. The SIC considered that the violation consisted of imposing on the individuals the obligation to provide redundant data that was not required for the purpose of the service (a pre-paid card did not trigger any credit risk for the service provider) and using it to consult the credit rating databases without consent from the data subject. Fines were of COP $11,334.000 (approximately USD $6,300).
  • In 2011 telecom companies Telmex and UNE were subject to fines of COP 187 million each (approximately USD $100,000) for reporting individuals to credit bureaus for non-existent debts or obligations, or for reporting them for a period beyond the authorized term, after the fulfillment of their obligations with the telecom companies.