Personal data protection beyond the duty to register databases in Colombia
04/05/2018
Find out if your company could be fined for violating the personal data protection regime, even if you already registered your databases.
Considering the strong sanctioning measures set to ensure the application of adequate policies in terms of data protection, in addition to the registration of the databases, learn about the obligations you have and how to fulfill them under the Colombian legal system standards.
- Do your databases contain information about the company's clients?
- Does your company have an application (APP) for electronic devices?
- Do you store your company's data in servers located outside Colombia?
- Does your company handle forms to be filled out by clients?
- Do you use tools such as satisfaction or preference surveys?
If your answer is yes to any of these questions, you have special obligations of data protection and you need to apply a comprehensive policy that foresees the issues that frequently arise from data storage. In this sense, are you currently applying an integral business protocol for personal data protection? Does your protocol ensure that your assistant or secretary does not voluntarily or involuntarily provide information that is subject to protection? Do you have a structure that guarantees that the marketing department of your company does not share the data of its clients? Are the images captured by the security cameras under proper protection?
If you are not sure that your data management policy foresees these and many other situations that are part of the data protection regime, the following article will be of interest to you.
As a result of the massive theft of personal data belonging to more than 87 million users, stored on the social network Facebook, the company is being investigated by the US Congress, and it could face a penalty of up to 2 billion dollars. Without prejudice to that fine, with the implementation of the new European Union regulation on data protection (the European Union's General Data Protection Regulation, GDPR), it must adopt a comprehensive policy that guarantees the rights of its users in this matter.
Given the importance of this matter, Colombia has for some years made sure to incorporate personal data protection into its legal system, assigning it the higher category of legal duty. This was consolidated in 2012 with the issuance of Law 1581, “Whereby general provisions for the protection of personal data are issued”, which reaffirms, on the one hand, the rights attributed to the holders of personal data and, on the other hand, the duties required from those responsible for the treatment and storage of the data.
Since this protection was confirmed as a legal requirement, the Superintendence of Industry and Commerce of Colombia has taken on the task of exercising its inspection, surveillance and control functions over the fulfillment of the duties deriving from it, through the Direction of Personal Data Protection Research. Consequently, and making use of its powers, for the past eight years the Superintendence of Industry and Commerce has imposed more than 650 fines for a value higher than $21,000 million pesos. The most common infringements include non-compliance with the habeas data regime, breaches in the security of information that lead to the disclosure of the data on the Internet, the use of people’s information for marketing purposes without the authorization of the owner, and the theft and/or loss of information stored in databases.
Despite this, the majority of companies still ignore and neglect the duties derived from the protection of personal data. It seems to be wrongly understood that registering the databases on the platform of the Superintendence of Industry and Commerce is enough to satisfy the legal requirements in this matter, ignoring the legal duty to develop and implement a data management policy that is responsible and comprehensive.
All those obligations that the data collection company has regarding the owner of the personal data, and the duties that arise directly from the provisions that have been developed in this area, could only be satisfied through this policy.
In this regard, it should be noted that there are companies that must observe special provisions in response to the information they handle or the mechanisms they use for the collection, treatment or storage of it.
In the latter scenario, it is important to highlight the case of companies that store information of different natures on servers located outside of Colombia. Sending information generated in the country to another country constitutes, in any case, an international transfer of data; therefore, additional duties must be observed. Under this assumption, the main obligation will be to certify before the Superintendence of Industry and Commerce that the country where the server is located has adequate personal data protection standards, in accordance with the requirements of the Colombian legal system.
This subject needs special attention because the Superintendence of Industry and Commerce has recognized its competence to investigate infringements in personal data processing carried out outside Colombian territory, through the figure that has been named “application of extraterritorial protection standards”, which seeks to protect the rights that holders of personal data have under Colombian law.
In conclusion, full compliance with the provisions on data protection implies the application of a policy specifically designed around the information management and structure of the company, which translates into effective actions integrated into the overall operation of the company. The isolated and limited execution of some of the obligations included in Colombian law is not enough to give the holders of personal data an effective guarantee that their data will not end up in the hands of other companies, which are sometimes not aware that they are seriously infringing this regime and end up severely sanctioned.