In 2012, Colombia enacted Law 1581, establishing the national regime for personal data protection in the country. Law 1581 mandates that data controllers register their databases containing personal data in a national registry managed by the personal data protection authority, the Superintendencia de Industria y Comercio (SIC). This registration obligation occurs annually, with the deadline set for March 31st. For businesses with branches or subsidiaries in Colombia, compliance with these regulations is crucial. This article will discuss what database registration entails, whom it applies to, and the upcoming compliance deadline.

Understanding Database Registration:

According to Law 1581, “databases” are organized sets of personal data subject to processing. The process of identifying and describing databases is similar to the “record of processing activities” (ROPA) under the GDPR. However, whereas ROPAs in the European Union are primarily for internal use and should only be provided to authorities upon explicit request, in Colombia, databases are to be registered in a public registry called the “Registro Nacional de Bases de Datos” (RNBD), overseen by the data protection authority. Importantly, what is subject to registration is not the data contained in the database, but information about the database itself, such as the number of data subjects it contains and the applicable legal basis. In other words, data subjects’ information is not registered. Controllers must annually update information about their databases in this registry. This includes uploading their privacy policies and those of their processors (“encargados” in Colombian law), contact information for the person or department overseeing data protection, and channels for exercising data subject rights.

Who is Obligated to Register?

As per Decree 090 of January 18, 2018, companies processing personal data in Colombia with total assets exceeding 100,000 Tax Value Units (Unidades de Valor Tributario) are obligated to register. Currently, this threshold amounts to 4,706,500,000 Colombian pesos or around 1,101,900 euros.

Additional Obligations and Deadlines:

In case of significant changes in databases, controllers must promptly update the RNBD within the first 10 business days of the month following the change. Additionally, the registration of a new database in the RNBD must occur within two months of its creation, irrespective of the time of year.

In addition to database registration, controllers have further obligations. Within the first 15 bank days of February and August, a report detailing data subject requests (“reclamos”) received during the previous semester must be submitted through the RNBD system of the SIC. This report should encompass complaints directed at both the controller and the processors.

Finally, data breaches affecting the registered databases must be reported in the RNBD 15 bank days after their detection.

Importance of Compliance

Businesses operating in Colombia, particularly those meeting the asset threshold, must promptly fulfill their responsibilities. This not only ensures legal compliance but also fosters trustworthy and transparent business management and relationships with data subjects. Failure to comply with data protection rules in Colombia may lead to fines of up to 2,600,000,000 Colombian pesos or around 608,800 euros, plus the incalculable cost of reputational loss.