    February 2, 2026

    Colombia Data Protection Law: Complete Compliance Guide (Habeas Data)

    Your company just signed its first Colombian customer. Marketing wants to launch campaigns targeting Bogotá. HR needs to process employee data for your new office in Medellín. Legal asks whether Colombia's data protection law applies to your operations and what compliance actually requires.

    Colombia data protection law centers on the "Habeas Data" framework, a constitutional right to privacy and data protection codified primarily in Law 1581 of 2012. Understanding these requirements is critical for organizations operating in or targeting the Colombian market, as the Superintendence of Industry and Commerce (SIC) actively enforces compliance with substantial penalties.

    What Is Colombia's Data Protection Law?

    Colombia's data protection framework, commonly referred to as "Habeas Data," is distinctive in that it rests on a fundamental constitutional right rather than merely statutory regulation.

    Constitutional Right to Data Protection

    Article 15 of Colombia's Political Constitution of 1991 establishes the right of all persons to their personal and family intimacy and their good name. This article grants individuals the specific right to "know, update, and rectify" any information collected about them in databases maintained by public or private entities.

    Because these are fundamental rights, comprehensive regulation requires "Statutory Law" (Ley Estatutaria)—legislation that undergoes rigorous process including mandatory Constitutional Court review, creating a remarkably stable legal framework.

    Key Laws

    Law 1581 of 2012: The General Data Protection Law serving as the primary instrument for corporate compliance, applying to all personal data registered in any database susceptible to processing by public or private entities.

    Decree 1377 of 2013: Provides operational details for Law 1581, including consent requirements, privacy policy specifications, and data subject rights procedures.

    Decree 1074 of 2015: The Single Regulatory Decree compiling all commerce-related regulations, including data protection provisions.

    Law 1266 of 2008: Regulates financial, credit, and commercial data under a specialized "Financial Habeas Data" regime.

    Role of the Superintendence of Industry and Commerce (SIC)

    The SIC serves as Colombia's National Data Protection Authority through its Delegation for the Protection of Personal Data. Though an administrative agency within the executive branch, it functions with high technical autonomy.

    The SIC possesses broad investigative and sanctioning powers including conducting on-site inspections, requesting exhaustive documentation, and interviewing employees. Current enforcement (2024-2026) demonstrates specific focus on high-risk sectors and emerging technologies, with specialized circulars providing binding instructions for AI systems (Circular 002 of 2024) and Fintech operations (Circular 001 of 2025).

    Who Must Comply With Colombia Data Protection Law

    Colombian-Based Organizations

    All entities established in Colombia—regardless of size—that process personal data as part of business operations must comply with Law 1581.

    Foreign Companies Processing Data of Colombian Residents

    Law 1581 applies to processing carried out within Colombian territory, but extends to controllers and processors not established in Colombia if they're subject to Colombian legislation under international rules or treaties.

    If an entity targets the Colombian market (offering services in Colombian pesos, using a .co domain, or specifically marketing to Colombian residents), it is effectively "using means" located in the territory, which triggers compliance obligations.

    Digital Services, SaaS, Ecommerce, Marketing Platforms

    Controllers determine the purpose and means of data collection and must comply with full Colombian obligations including database registration if certain asset thresholds are met.

    Processors perform processing on behalf of controllers with primary duties to safeguard data and process only under controller instructions.

    If a foreign SaaS provider uses local agents, cookies tracking Colombian users, or payment infrastructure within Colombia, the SIC may assert jurisdiction over their data processing activities.

    What Personal Data Is Covered

    Colombian law classifies personal data based on risk level and proximity to human dignity, determining required legal basis and security measures.

    Data Category | Legal Definition | Processing Restrictions
    Public Data | Information in public records, court rulings, civil status | Does not require prior authorization, but processing must still follow Habeas Data principles
    Semi-Private Data | Data of interest to specific sectors (financial, credit, commercial) | Regulated primarily by Law 1266 of 2008
    Private Data | Data of an intimate nature (personal phone, home address, private photos) | Requires prior, express, and informed consent
    Sensitive Data | Data affecting intimacy or whose improper use can cause discrimination (biometrics, health, sexual life, religious or political views) | Processing generally prohibited except for specific exceptions

    Sensitive Data and Biometric Protections

    Processing sensitive data is subject to "extraordinary" protection. Under Law 1581, data subjects (titulares) are never obliged to authorize the processing of their sensitive data, and controllers must explicitly inform them of this before collecting it.

    Circular 001 of 2025 mandates that biometric processing be "proportionate to the level of risk" and requires additional security measures. A 2025 enforcement action imposed a COP 214 million fine (Colombian pesos) on an e-commerce firm for making facial recognition mandatory for account access.

    Protection of Children and Adolescents

    Minors' data (under 18 years) receives "special constitutional protection." Law 1581 prohibits processing minors' data except for data of a public nature; Decree 1377 permits other processing only where it responds to and respects the minor's best interests and guarantees their fundamental rights. Any permitted processing must be authorized by the minor's legal representative after the minor has been heard, with the minor's opinion weighed according to their maturity, autonomy and capacity.

    Legal Bases for Processing Under Colombian Law

    Unlike GDPR's six equivalent lawful bases, Colombian law is fundamentally "consent-centric."

    Prior, Express, and Informed Consent

    The Principle of Freedom dictates that data can only be processed with "prior, express, and informed" authorization satisfying three requirements:

    Prior: Consent must be obtained before any data collection or processing occurs.

    Express: Consent must be manifested through written/oral statement or unequivocal conduct. Silence or pre-checked boxes do not constitute express consent.

    Informed: Owner must be clearly told treatment purpose, their rights, controller identification, and (if sensitive data) that they're not required to provide it.

    Exceptions to Consent

    Article 10 identifies narrow exceptions where authorization is not required:

    • Information required by public entities or by court order
    • Data of public nature
    • Medical or sanitary emergencies
    • Treatment authorized by law for historical, statistical, or scientific purposes
    • Data related to Civil Registry

    Controllers bear the burden of proof of authorization: they must keep a record of each authorization obtained and produce it on demand to the SIC or to the data subject.

    Data Subject Rights (ARCO Rights)

    Data subject rights in Colombia are often grouped under the ARCO label (Access, Rectification, Cancellation, and Opposition); Law 1581 spells them out as follows. These rights are persistent and cannot be waived by contract.

    Knowledge and Access: The right to obtain information about the existence of data concerning the individual.

    Update and Rectification: The right to correct data that is "partial, incomplete, fragmented, or induces error."

    Revocation and Suppression: The right to withdraw authorization or demand deletion of data if the controller violated the law or if treatment purpose has been fulfilled.

    Opposition: The right to object to specific processing activities.

    Proof of Authorization: The right to request a copy of the original consent granted.

    Response Timelines

    Request Type | Response Deadline | Extension Policy
    Consulta (inquiry/access) | 10 business days | Up to 5 additional business days, provided the data subject is notified of the reasons and the new date before the first deadline expires
    Reclamo (correction/deletion) | 15 business days | Up to 8 additional business days, with the same notification

    Data subjects cannot file formal complaints with the SIC until they've first attempted resolution directly with the controller.

    Privacy Notices and Transparency Requirements

    Personal Data Treatment Policy (PDTP)

    Every organization must maintain a comprehensive PDTP including:

    • Full identification and contact details of the Controller
    • Detailed purposes of treatment
    • Specific rights of data subjects
    • Designated person responsible for handling claims
    • Procedure for exercising ARCO rights
    • Effective date and database duration

    Privacy Notice

    In scenarios where full PDTP cannot be presented (mobile interfaces, physical kiosks), a Privacy Notice must inform subjects of the policy's existence, means to access it, and specific purposes for data collection.

    For Fintech and AI applications, 2024-2025 circulars require these notices differentiate between "necessary" purposes for service delivery and "ancillary" purposes like marketing.

    Data Controllers vs Data Processors in Colombia

    Controller (Responsable): The entity that "decides on the database and/or the processing of the data."

    Processor (Encargado): The entity that performs processing on behalf of the controller.

    The Accountability Principle

    The Principle of Accountability (Responsabilidad Demostrada) requires organizations to implement "useful, timely, and efficient" measures to protect data and demonstrate their effectiveness to the SIC.

    Key elements include high-level commitment from leadership, designation of a Data Protection Officer (strongly recommended by SIC), internal control systems, and continuous training for employees handling personal information.

    Contractual Requirements

    Controllers must establish written contracts with processors specifying processing purposes and scope, security measures, confidentiality obligations, incident notification procedures, and obligations upon contract termination.

    Cross-Border Data Transfers

    Article 26 of Law 1581 generally prohibits transferring personal data to countries that don't provide an "adequate level" of protection.

    Countries with Adequate Protection

    The SIC maintains a list of countries considered to have adequate standards. Transfers to these nations do not require a specific SIC permit, though the transfer still needs a lawful basis (normally the data subject's authorization) and, where the recipient acts as a processor, a data transmission agreement.

    Adequate jurisdictions (as of 2025): USA, EU, UK, Canada, Japan, South Korea, Mexico, Peru, Serbia, and others.

    Transfers to Non-Adequate Countries

    Transfers to non-adequate countries require a "Declaration of Conformity" from the SIC or a valid statutory exception.

    Exceptions Allowing Transfer

    Authorized transfers to non-adequate countries include international medical data for health treatment, bank transfers and international commercial operations, legally mandated transfers, and consent-based transfers where subjects are informed of inadequate protection levels.

    Transfer vs Transmission

    Transfer (Transferencia): Sending data to a recipient acting as independent Controller.

    Transmission (Transmisión): Sending data to a recipient acting as Processor.

    Transmissions to non-adequate countries don't always require Declaration of Conformity if the Colombian Controller ensures the foreign Processor adheres to Law 1581 through robust Data Transmission Agreements.

    Data Security and Breach Management

    Organizations must implement "technical, human, and administrative measures" to prevent unauthorized use, loss, or access to data.

    Security Incident Handling

    In the event of security breach, controllers and processors have mandatory notification duties:

    Timeline: Notification within 15 business days of detecting the incident.

    Procedure: Notifications typically submitted through the RNBD portal.

    Proportionality: For AI and Fintech sectors, the SIC expects higher resilience standards including differential privacy techniques and encryption for biometric data.

    Registration With the National Database Registry (RNBD)

    The RNBD is a public directory administered by the SIC where certain organizations must register their databases.

    Who Must Register

    Following the 2018 reform (Decree 090 of 2018), RNBD registration applies only to:

    • Legal entities of public nature
    • Private legal entities and non-profit organizations with total assets exceeding 100,000 Tax Value Units (UVT)

    For fiscal year 2025, 100,000 UVT equals approximately COP $4,979,900,000 (roughly USD $1.1 million). Smaller entities are exempt from registration but remain fully liable for all other Law 1581 compliance duties.

    2025 Compliance Calendar

    Deadline | Obligation
    Feb 21, 2025 | Claims report (2nd semester 2024)
    Mar 31, 2025 | Annual general update
    Aug 2025 | Claims report (1st semester 2025)
    Within 10 business days | Substantial change report
    Within 2 months | New database registration

    Failure to register when required is a primary target for SIC audits.

    Enforcement and Penalties

    Types of Sanctions

    Fines: Administrative fines can reach 2,000 monthly legal minimum wages (approximately USD $500,000 to $600,000).

    Suspension of activities: The SIC increasingly uses its power to order temporary suspension of data processing activities when material risk is identified.

    Closure of operations: In extreme cases, permanent cessation of processing activities.

    Recent Enforcement Examples (2024-2025)

    Inadequate Biometrics: In 2025, an e-commerce platform was fined COP 214 million for requiring facial recognition without a valid necessity justification.

    Blacklisting Violations: In 2024, a company was sanctioned for creating "blacklists" preventing subjects from exercising rectification rights.

    Unauthorized Contact: The SIC frequently sanctions companies for contacting individuals for marketing purposes without prior authorization.

    Colombia Data Protection vs GDPR

    Compliance Aspect | Colombia Law 1581 | EU GDPR
    Primary legal basis | Consent-centric; prior, express, informed authorization | Six lawful bases; consent is only one option
    Breach notification | 15 business days | 72 hours
    Minors' protection | Up to 18 years | Up to 16 years (member states may lower to 13)
    External registry | Mandatory (RNBD) for entities meeting thresholds | No registry; internal RoPA
    DPO role | Strongly recommended | Mandatory for specific high-risk entities

    While Colombia's framework predates GDPR, it's rapidly incorporating GDPR-like concepts through administrative circulars. "Privacy by Design" and "Impact Assessments" are now effectively mandatory in Colombia for high-risk projects like AI.

    Common Compliance Challenges

    Manual consent tracking: Proving "prior, express, and informed" consent across multiple touchpoints without automated systems creates operational burdens and compliance gaps.

    Fragmented privacy notices: Maintaining consistent, up-to-date privacy information across websites, apps, physical locations, and third-party platforms without centralized management.

    Multi-country overlap: Organizations operating across GDPR, LGPD, APPI, and Colombian jurisdictions face complexity managing different consent models, breach timelines, and documentation requirements.

    Scaling compliance without automation: Manual processes don't scale when managing hundreds of data flows and continuous data subject requests.

    How to Operationalize Colombia Compliance

    Mapping Processing Activities

    Create comprehensive inventory of all processing activities including data categories collected, processing purposes, legal bases (primarily consent records), data subject categories, third-party recipients, international transfers, and retention periods.

    Maintaining Consent Records

    Implement systems that capture consent at collection points, store consent records with timestamps and context, enable retrieval of specific consent records upon request, support consent withdrawal and preference updates, and maintain audit trails demonstrating "prior, express, and informed" standard.
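    As an added illustration of such a system (example code written for this page, not Secure Privacy's product or anything published by the SIC), the Python sketch below keeps an append-only, hash-chained ledger of grants and revocations. Each record carries the timestamp, channel, mechanism and a hash of the notice the subject actually saw; a grant expressed through a pre-ticked box or a purpose never disclosed in the notice is refused at write time, a proof-of-authorization lookup only honours grants dated before the processing in question, and recomputing the chain exposes any record edited after the fact. The controller name, purposes, subject identifiers and contact address are placeholders.

```python
# Hash-chained consent ledger: an added, hypothetical example, not Secure Privacy code.
# Each grant records when, via which channel and mechanism, and against which notice
# the subject authorized each purpose, so proof of a "prior, express, and informed"
# authorization can be produced on demand and edits to the history detected.
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64
# Mechanisms that count as "express"; silence and pre-ticked boxes are left out on purpose.
EXPRESS_MECHANISMS = {"checkbox_opt_in", "written_signature", "recorded_oral", "unequivocal_conduct"}
REQUIRED_NOTICE_FIELDS = ("controller", "purposes", "rights", "claims_contact")  # "informed"

@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str
    action: str          # "grant" or "revoke"
    purposes: tuple
    mechanism: str
    channel: str         # "web-form", "kiosk", "call-center", ...
    notice_sha256: str   # hash of the notice content actually shown
    timestamp: str       # ISO-8601, UTC
    prev_hash: str
    record_hash: str

def _digest(payload):
    return hashlib.sha256(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

class ConsentLedger:
    def __init__(self):
        self._records = []

    def _append(self, **fields):
        body = dict(fields, prev_hash=self._records[-1].record_hash if self._records else GENESIS_HASH)
        rec = ConsentRecord(**body, record_hash=_digest(body))
        self._records.append(rec)
        return rec

    def grant(self, subject_id, purposes, mechanism, channel, notice, when):
        # Refuse anything that is not express and informed instead of recording it.
        if mechanism not in EXPRESS_MECHANISMS:
            raise ValueError(f"not express consent: {mechanism}")
        if any(not notice.get(f) for f in REQUIRED_NOTICE_FIELDS):
            raise ValueError("notice not informed: required field missing")
        undisclosed = set(purposes) - set(notice["purposes"])
        if undisclosed:
            raise ValueError(f"purposes never disclosed: {sorted(undisclosed)}")
        return self._append(subject_id=subject_id, action="grant", purposes=tuple(purposes),
                            mechanism=mechanism, channel=channel, notice_sha256=_digest(notice),
                            timestamp=when.isoformat())

    def revoke(self, subject_id, purposes, channel, when):
        return self._append(subject_id=subject_id, action="revoke", purposes=tuple(purposes),
                            mechanism="revocation", channel=channel, notice_sha256="",
                            timestamp=when.isoformat())

    def proof_of_authorization(self, subject_id, purpose, at):
        """Grant in force for `purpose` at `at`, or None. Only records dated at or
        before `at` count ("prior"); a later revocation cancels an earlier grant."""
        proof = None
        for rec in self._records:
            if rec.subject_id != subject_id or purpose not in rec.purposes:
                continue
            if datetime.fromisoformat(rec.timestamp) > at:
                continue
            proof = rec if rec.action == "grant" else None
        return proof

    def verify_chain(self):
        """Recompute every hash and back-link; False if any record was altered."""
        prev = GENESIS_HASH
        for rec in self._records:
            body = asdict(rec)
            stored = body.pop("record_hash")
            if rec.prev_hash != prev or _digest(body) != stored:
                return False
            prev = stored
        return True

def demo():
    """Constructed walk-through: grant, revocation, proof lookups, rejection, tamper check."""
    at = lambda m, d: datetime(2026, m, d, tzinfo=timezone.utc)
    notice = {"controller": "Example Retail S.A.S. (placeholder)", "claims_contact": "habeasdata@example.invalid",
              "purposes": ["order_fulfilment", "marketing"], "rights": "know, update, rectify, revoke, delete"}
    ledger = ConsentLedger()
    ledger.grant("subj-001", ["order_fulfilment", "marketing"], "checkbox_opt_in", "web-form", notice, at(1, 10))
    ledger.revoke("subj-001", ["marketing"], "web-form", at(2, 10))
    out = {"marketing_jan20": ledger.proof_of_authorization("subj-001", "marketing", at(1, 20)),
           "marketing_mar1": ledger.proof_of_authorization("subj-001", "marketing", at(3, 1)),
           "marketing_jan1": ledger.proof_of_authorization("subj-001", "marketing", at(1, 1)),
           "chain_ok": ledger.verify_chain()}
    try:
        ledger.grant("subj-002", ["marketing"], "pre_checked_box", "web-form", notice, at(1, 10))
        out["pre_checked_rejected"] = False
    except ValueError:
        out["pre_checked_rejected"] = True
    # Quietly narrow the stored grant; the broken hash must be noticed.
    ledger._records[0] = replace(ledger._records[0], purposes=("order_fulfilment",))
    out["tampered_chain_ok"] = ledger.verify_chain()
    return out
```

    Calling demo() runs the walk-through: the marketing grant is provable on January 20, gone after the February revocation, and absent on January 1 because consent must precede the processing. In production the ledger would sit in write-once storage with the chain head anchored externally (a signed timestamp or an independent log), since a hash chain detects edits to individual records but does not stop someone who can rewrite the whole chain.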

    Managing Privacy Notices Dynamically

    Privacy policies and notices must be easily accessible from all data collection points, updated when processing changes occur, available in Spanish for Colombian users, and differentiated between necessary and ancillary purposes.

    Handling Rights Requests

    Build DSAR workflows that accept requests through multiple channels, track requests to ensure 10/15 business day response deadlines, locate data across systems for access requests, execute corrections and deletions systematically, and maintain documentation of all responses.
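    The 10 and 15 business day windows for consultas and reclamos, their 5 and 8 day extensions, and the 15 business day incident report window are easy to miscount once weekends, holidays and a late extension notice interact. The following Python example, added here and not Secure Privacy code, computes those deadlines and triages a constructed batch of tickets. It assumes the day of receipt or detection is day zero, treats an extension as valid only if the subject was notified on or before the base deadline, and leaves the holiday calendar to the caller; the single holiday in the sample is illustrative.

```python
# Business-day deadline tracker for Law 1581 response windows: an added, hypothetical
# example, not Secure Privacy code. Windows: consulta 10 business days (+5 on a timely
# extension notice), reclamo 15 (+8), security-incident report to the SIC 15.
# Assumptions: the day of receipt/detection is day zero, and the caller supplies the
# holiday calendar (Colombian public holidays are not hard-coded here).
from datetime import date, timedelta

RESPONSE_WINDOWS = {"consulta": (10, 5), "reclamo": (15, 8), "incident_report": (15, 0)}

def add_business_days(start, days, holidays=frozenset()):
    """Date `days` business days after `start`, skipping weekends and `holidays`."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            days -= 1
    return current

def response_deadline(kind, received, holidays=frozenset(), extension_notified=None):
    """Deadline for a `kind` request received on `received`. The extension counts only
    if the subject was notified on or before the base deadline; a late notice is void."""
    base_days, extra_days = RESPONSE_WINDOWS[kind]
    base = add_business_days(received, base_days, holidays)
    if extension_notified is not None and extra_days and extension_notified <= base:
        return add_business_days(base, extra_days, holidays)
    return base

def triage(tickets, today, holidays=frozenset()):
    """Map ticket id -> (ISO deadline, status): answered, answered_late, open or overdue."""
    result = {}
    for t in tickets:
        due = response_deadline(t["kind"], t["received"], holidays, t.get("extension_notified"))
        if t.get("answered") is not None:
            status = "answered" if t["answered"] <= due else "answered_late"
        else:
            status = "overdue" if today > due else "open"
        result[t["id"]] = (due.isoformat(), status)
    return result

# Constructed sample data. The holiday set is illustrative only; load the real calendar.
SAMPLE_HOLIDAYS = frozenset({date(2026, 1, 12)})
SAMPLE_TODAY = date(2026, 1, 22)
SAMPLE_TICKETS = [
    {"id": "C-1", "kind": "consulta", "received": date(2026, 1, 5)},
    {"id": "C-2", "kind": "consulta", "received": date(2026, 1, 5), "extension_notified": date(2026, 1, 19)},
    {"id": "C-3", "kind": "consulta", "received": date(2026, 1, 5), "extension_notified": date(2026, 1, 22)},
    {"id": "R-1", "kind": "reclamo", "received": date(2026, 1, 5), "extension_notified": date(2026, 1, 27),
     "answered": date(2026, 2, 6)},
    {"id": "I-1", "kind": "incident_report", "received": date(2026, 1, 5)},
]

def demo():
    return triage(SAMPLE_TICKETS, SAMPLE_TODAY, SAMPLE_HOLIDAYS)

if __name__ == "__main__":
    for ticket_id, (due, status) in demo().items():
        print(f"{ticket_id}: due {due} -> {status}")
```

    In the sample, C-1 fell due on January 20 and is overdue; C-2 was extended in time and is still open until January 27; C-3 tried to extend two days after its base deadline had passed, so the extension does not count and it is overdue as well; R-1 was answered on the last day of its extended window; and the incident report I-1 is open until January 27. Wire the triage output into the ticketing system's alerts rather than relying on anyone reading a calendar.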

    Preparing for Audits

    SIC audits require producing consent records demonstrating authorization, privacy policies and notices, RNBD registration confirmations (if applicable), data subject request logs and responses, security incident reports, and data transmission agreements for international transfers.

    Colombia Data Protection Compliance Checklist

    ✓ Privacy Policy (PDTP): Comprehensive Personal Data Treatment Policy published and accessible

    ✓ Privacy Notices: Clear notices at all data collection points meeting "prior, express, and informed" standard

    ✓ Consent Mechanisms: Systems capturing and storing consent with retrievable records

    ✓ RNBD Registration: If assets exceed 100,000 UVT, databases registered in National Registry

    ✓ ARCO Procedures: Documented processes for handling access, rectification, cancellation, and opposition requests within required timelines

    ✓ Data Transmission Agreements: Contracts with processors (especially international) specifying Law 1581 compliance obligations

    ✓ Cross-Border Transfer Documentation: Legal mechanisms for transfers to adequate and non-adequate countries

    ✓ Incident Response Process: Procedures enabling 15 business day breach notification to SIC

    ✓ Security Measures: Technical, human, and administrative safeguards appropriate to data sensitivity

    ✓ Accountability Documentation: Evidence of "useful, timely, and efficient" data protection measures

    ✓ Claims Reporting: If RNBD-registered, semi-annual reports of data subject claims submitted

    ✓ Minors' Protections: Enhanced safeguards and legal representative authorization for processing children's data

    Colombia's data protection framework demands operational rigor in consent management, documentation, and accountability. Organizations treating Colombian compliance as merely publishing privacy policies will face enforcement risk as the SIC continues sophisticated, sector-specific oversight with substantial penalties for violations.