Law on the Protection of Personal Data


    Statutory Law No. 1581

     Statutory Law No. 1581 was adopted on 17 October 2012, following Decision C-748 of 2011 of the Constitutional Court of Colombia, which reviewed the constitutionality of the bill proposed in the Senate for a Statutory Act laying down general provisions for the protection of personal data.

    Last Updated: July 30, 2019

  • General description

    The right to privacy is afforded constitutional protection in the text of the 1991 Constitution. Article 15 of the Colombian Constitution states that: ‘Everyone has the right to personal and family intimacy, and to their good reputation. Everyone has the right to access, update and rectify personal information about them contained in public or private databases. All constitutional rights ought to be protected whilst collecting, processing and sharing personal data. Correspondence and other forms of private communication are inviolable. They may only be intercepted or recorded pursuant to a court order, following the formalities established by law’.

    This Law is the general framework for the processing of personal data in Colombia and applies to all sectors, with the exception of financial, credit and commercial data, which is governed by Law 1266 of 2008. Law 1581 is divided into nine Titles covering: general provisions (object, scope and definitions); principles relating to the processing of personal data; special categories of personal data; rights of data subjects and criteria for lawful processing; procedures for access, claims and exhaustion of remedies (before submitting a claim to the DPA, data subjects must first request access to their data and file their complaint directly with the controller or processor); obligations of controllers and processors; enforcement mechanisms and sanctions; transfers of personal data to third countries; and other provisions, including those laying the foundations for binding corporate rules (BCRs).

    The main objective of Law 1581 is to give effect to the constitutional right to access, update and rectify personal data collected about individuals and kept in databases. To this end, the Law defines a territorial and a material scope of application. Territorially, it applies to the processing of personal data carried out in Colombia, and to processing by a controller or processor not established in Colombia where Colombian legislation applies to them by virtue of international rules and treaties.

    Materially, Law 1581 applies to personal data held in any database or filing system that is subject to processing by private or public entities. The Law does not apply to:

    • a) processing activities in a purely domestic context;
    • b) databases and processing operations whose purpose is public security, national security or defence;
    • c) information processed for the prevention, detection, prosecution, monitoring and control of money laundering and the financing of terrorism;
    • d) databases containing intelligence and counterintelligence information;
    • e) databases and processing operations relating to journalistic expression and other editorial content;
    • f) financial, credit and commercial information (credit history, credit bureaus, financial entities and credit records), which is governed by Law 1266 of 2008;
    • g) information processed for statistical, historical or archiving purposes, which is covered by Law 79 of 1993.

    Law 1581 provides seven definitions: consent (authorisation), database, personal data, controller, processor, data subject (owner) and processing. These definitions are largely in line with the GDPR, except for the following, which are drafted in rather loose terms:

    • (a) consent must be prior, express and informed in order to be valid, but the Law says nothing about whether it must also be unambiguous or specific. Consent is further regulated in Decree 1377 of 2013;
    • (b) database (filing system) is defined as any structured set of personal data that is subject to processing operations;
    • (c) personal data is defined as any information relating to an identified or identifiable natural person;
    • (d) data subject (owner) is defined as any natural person whose personal data are being processed.

    It is worth noting that, in defining special categories of personal data, Article 7 of Law 1581 includes a specific provision on data relating to children and teenagers. As a general rule, all processing of personal data concerning children and teenagers is prohibited unless the data are of a public nature. In addition, the article requires the State and educational institutions to inform and train legal guardians and tutors about:

    • (a) the responsible and safe sharing of children’s personal data; and,
    • (b) potential risks to children and teenagers resulting from inadequate processing of their personal data.
  • Incident and Breach Notifications

    Articles 17 and 18 oblige controllers and processors, respectively, to notify the data protection authority (the Superintendence of Industry and Commerce, SIC) of any breach of security codes that creates a risk in the management of data subjects' information. The Law gives no further detail on the notification procedure or timeline, on any severity threshold, or on notifying the affected data subjects.

  • DatabreachPedia

    In Colombia, both controllers and processors are obliged to notify the SIC of any breach of security codes that puts the processing of personal data at risk.

    Is it Mandatory to Notify Individuals?

    No, but recommended.

    Is it Mandatory to Notify Regulator?

    Yes. Articles 17 and 18 of Law 1581 require controllers and processors to notify the SIC.

    Notification Deadline

    Not specified in the Law; in practice, notification should not be unduly delayed.

    Responsible Regulator

    Superintendence of Industry and Commerce
    Superintendencia de Industria y Comercio (SIC)
    Carrera 13 No. 27 – 00,
    Floors. 1 and 3
    Postal code: 110311

    Phone: (571) 592 04 00
    Fax: (571) 587 02 84
    Email: [email protected]

    Breach Notification Format

    SIC's Accountability Guidelines recommend informing affected individuals as a matter of best practice, without specifying the content of that notification. The Guidelines also indicate that the notification to the SIC should contain a basic description of the incident and the number of individuals affected. The SIC can be contacted using the details above.
