Colombia made personal privacy a fundamental right in its 1991 Constitution. A 2008 law protected personal financial information, and in 2012 Colombia adopted Law 1581, a broad code across all sectors, modeled generally on the European/Iberian approach.
Angela María Noguera Moreno, of counsel with the Colombian law firm of Vanegas Morales Consultores and an IAPP-certified Information Privacy Professional/Europe, explains in this podcast the Colombian approach to protecting personal data. Colombia requires all businesses to protect personal data. Consent of the data subject, the individual, is the keystone requirement. All controllers and processors of personal data must comply with the requirements of Law 1581 and decrees that function as regulations implementing the code. Responsible parties are both controllers and processors of personal data. Personal data categories include not only sensitive (financial, medical, religious, political) and non-sensitive (business or email address) types of data, but what Colombia calls “semi-private” data, such as information about an individual’s credit history.
The data protection authority is the Superintendence of Industry & Commerce, which can levy fines and even close a business for violating data privacy laws.
Colombia is now in a transition from formalistic compliance (posting website notices and policies) to a compliant society that protects personal data in practice. Superintendence officials expect compliance beyond simply posting policies. This is an approach under way generally in South America, though some countries like Ecuador and Panama did not adopt a general law until 2019. Listen to this podcast for an overview of how this important South American country aims to protect personal data privacy.