Global Data Privacy Guide
Colombia (Latin America)
Firm: Brigard Urrutia
Updated: 28 Jul 2025

1. What is the key legislation?
The principal legislation governing data protection in Colombia is Law 1581 of 2012, which establishes the general regime for the protection of personal data, and Law 1266 of 2008, which regulates the special regime for financial information. These laws are complemented by regulatory decrees, notably Decree 1074 of 2015. Together they are known as the Colombian General Data Protection Regime (CGDP).

2. What are the key decisions applying that legislation?
Constitutional Court decisions C-748-2011 and C-1011-2008, which confirmed the constitutionality of Laws 1266 of 2008 and 1581 of 2012 and established the fundamental nature of data protection and habeas data in Colombia, are the most notable decisions determining how the key legislation is applied.

1. How are "personal data" and "sensitive data" defined?
• Personal Data: Any information linked to, or that can be associated with, one or more determined or determinable natural persons (Law 1581 of 2012, Art. 3; Decree 1074 of 2015, Art. 2.2.2.25.1.1).
• Sensitive Data: Data that affect the privacy of the data subject or whose misuse can lead to discrimination, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, membership in unions or social organizations, health data, data on sexual life, and biometric data (Law 1581 of 2012, Art. 5; Decree 1074 of 2015, Art. 2.2.2.25.2.6).

2. How is the defined data protected?
Data must be processed in accordance with the principles of legality, purpose, freedom, truthfulness, transparency, restricted access and circulation, security, and confidentiality (Decree 1074 of 2015, Art. 2.2.2.25.2.1). Sensitive data is subject to stricter requirements, including explicit consent and additional security measures (Decree 1074 of 2015, Art. 2.2.2.25.2.6).

3. Who is subject to privacy obligations?
All natural and legal persons, public or private, who process personal data in Colombia or whose data processing affects individuals located in Colombia, are subject to the law. This includes data controllers (responsables) and data processors (encargados).

4. How is "data processing" defined?
Processing is any operation or set of operations on personal data, such as collection, storage, use, circulation, or deletion (Law 1581 of 2012, Art. 3).

5. What are the principles applicable to personal data processing?
• Legality
• Purpose
• Freedom
• Truthfulness or quality
• Transparency
• Restricted access and circulation
• Security
• Confidentiality
(See Law 1581 of 2012, Art. 4)

6. How is the processing of personal data regulated?
Data processing is regulated by the CGDP.

7. How are storage, security and retention of personal data regulated?
Data controllers and processors must implement technical, human, and administrative measures to ensure the security of personal data and prevent its adulteration, loss, or unauthorized consultation, use, or access (Law 1581 of 2012, Arts. 17 and 18). Data must be retained only for as long as necessary to fulfil the purpose for which it was collected. The CGDP does not establish specific security requirements, so the adequacy of the measures adopted must be analyzed on a case-by-case basis.

8. What are the data subjects' rights under the data legislation?
• Right to know, update, and rectify their data
• Right to request proof of consent
• Right to be informed about data use
• Right to file complaints with the Colombian DPA (Superintendencia de Industria y Comercio, SIC)
• Right to revoke consent and/or request data deletion
• Right to access their data free of charge

9. What are the consent requirements for data subjects?
The sole legal basis for processing data (including sensitive data) under the CGDP is consent from the data subject. For consent to be valid it must be prior (given before the processing takes place), express (given through means by which the data subject reveals an unequivocal intention), and informed. Data subjects must be informed about: (i) the name and contact details of the data controller; (ii) their rights and the means to exercise them; (iii) where to consult the applicable data protection policy; (iv) that authorization to process sensitive data is entirely optional; (v) the specific data that will be collected and processed, especially if sensitive data is involved; and (vi) how the data will be used and for what purposes. This information must be provided at the time consent is obtained at the latest, and additional considerations apply when it is incorporated by reference. In the case of minors, consent must be given by their legal representatives.

10. How is authorization for use of data handled?
Authorization must be obtained and documented by the data controller, who must be able to demonstrate that the data subject was informed of the purpose of the processing and of their rights at the time of collection.

11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?
The CGDP establishes requirements for sharing or delivering personal data through either a transfer or a transmission (commissioned processing of personal data). A transfer is the delivery of personal data from one data controller to another, so that the recipient data controller may process the personal data for its own purposes and under its own data processing policies. A transmission takes place whenever a data controller delivers personal data to a data processor, so that the recipient data processor may process the personal data for the attainment of a purpose of the data controller and under the latter's data processing policies.
The CGDP forbids the transfer of personal data to entities based in jurisdictions that do not provide adequate levels of protection for personal data, unless the data subject has given prior, express and informed consent to the transfer. To evidence that a country provides an adequate level of protection, the DPA must first issue a "declaration of conformity" to that effect (similar to an adequacy decision in the EU or the UK).
In External Directive 05 of 2017 (Circular Externa 05 de 2017), the SIC laid down a list of countries that, in its view, offer adequate levels of protection, comprising (i) EU member states; (ii) countries recognized by the EU as offering an adequate level of data protection; and (iii) the following countries: Mexico, the Republic of Korea, Costa Rica, Serbia, Peru, Norway, Iceland and the US.
For transmissions, the CGDP exempts the data controller from obtaining the data subject's consent to send the data outside Colombia, even to a jurisdiction that does not provide an adequate level of protection, provided that a data transmission agreement is in place between the data controller in Colombia and the data processor abroad.

12. How are data "incidents" and "breaches" defined?
A data incident or breach is any event that compromises the security, confidentiality, integrity, or availability of personal data, including unauthorized access, loss, alteration, or disclosure.

13. Are there any notification requirements for incidents and/or data breaches?
Under the CGDP, notification to the SIC must be made once the data controller is aware of the full scope of the breach, including the data and data subjects affected. External Directive 003 of 2018 (Circular Externa 003 de 2018), issued by the SIC, obliges data controllers to report any data breach in the National Database Registry ("Registry") within 15 business days, counted from the moment the breach is detected and the relevant person or area within the entity has full information regarding the scope of the breach. Entities not required to register their databases in the Registry must still report data breaches to the SIC within the same 15-business-day period, counted in the same way; in such cases, reports can be submitted via the SIC's website or in writing.
The CGDP does not impose an outright duty on data controllers or data processors to inform affected data subjects about a breach or incident involving their data. However, in view of the general duty of care they owe regarding the integrity, availability and confidentiality of the data, which requires them to deploy reasonable measures to prevent harm to data subjects, SIC guidelines indicate that it is appropriate to inform data subjects about a breach involving their data when the breach can cause them harm. This would be the case with credit card information and national ID cards, which could lead to unauthorized credit card charges or identity theft, and with special categories of personal data, such as data of minors or sensitive data (e.g., medical data), which are subject to an enhanced level of protection.

14. Who is/are the privacy regulator(s)?
The Superintendencia de Industria y Comercio (SIC).

15. What are the consequences of a data breach?
There are no sanctions specific to data breaches; however, the general sanctions established in the CGDP may apply (see question 22). In the event of a breach, the obligations described in question 13 must be met.

16. How is electronic marketing regulated?
The CGDP establishes that all processing of personal data for marketing purposes must be based on the prior, express, and informed consent of the data subject. This includes the use of personal data for sending electronic marketing communications such as emails, SMS, and messages via applications or web platforms. Data subjects must always be provided with a clear and effective mechanism to opt out of receiving such communications at any time.
Law 2300 of 2023 introduces additional, specific requirements for commercial and advertising communications, further strengthening consumer rights and privacy in the context of electronic marketing:
• Consent and Channel Selection: Producers and providers of goods and services must inform consumers of the available communication channels and obtain the consumer's explicit authorization as to which channel(s) they wish to be contacted through for commercial or advertising purposes. The consumer's choice must be respected, and no channel may be imposed.
• Prohibition of Imposed Marketing: It is expressly prohibited to require consumers to accept the receipt of marketing messages as a condition for accessing goods, services, promotions, or entry to premises, except for communications strictly related to the product or service acquired.
• Opt-Out Mechanism: Law 2300 requires senders of commercial messages to provide an agile, simple, and efficient mechanism for consumers to cancel receipt of such messages at any time, unless there is a contractual obligation to remain in the database.
• Excluded Numbers Registry: The law requires the implementation of a registry of excluded numbers (a "do not contact" list), which all providers must consult before sending marketing communications. Inclusion in this list is voluntary and must not be used to discriminate against consumers in access to goods or services.
• Time Restrictions: Law 2300 also restricts the hours during which marketing communications may be sent, prohibiting such messages during night hours, weekends, and public holidays, to protect the consumer's right to privacy and tranquility.
• Scope and Exceptions: The law does not apply to communications strictly necessary for confirming monetary transactions, savings, or fraud alerts, or to information expressly requested by the consumer.

17. Are there sector-specific or industry-specific privacy requirements?
Yes. For example, Law 1266 of 2008 applies to financial, credit, and commercial data. Sectoral regulations may impose additional requirements, especially in health, education, and finance.

18. What are the requirements for appointing Data Protection Officers or similar roles?
Data controllers must designate a specific person or area in charge of handling data subjects' requests. While not mandatory, organizations are strongly recommended to appoint a Data Protection Officer (DPO) to oversee compliance, especially in larger or higher-risk organizations.

19. What are the record-keeping and documentation obligations?
The CGDP does not include record-keeping or documentation obligations beyond keeping a copy of the authorization given by data subjects. However, under the purpose principle, data controllers must retain data only for as long as necessary to fulfill the authorized purpose.

20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)?
The CGDP imposes no obligation to conduct DPIAs. However, External Directive 002 of 2024 (Circular Externa 002 de 2024), issued by the SIC with regard to data processing in AI, states that a DPIA must be conducted prior to the design or development of AI if the processing is likely to entail a high risk to the rights and freedoms of data subjects. The Directive does not establish specific requirements for DPIAs.

21. What are the requirements for third-party vendor management and data sharing?
There are no specific requirements in the CGDP; however, sectoral regulations may apply, and the matter must be analyzed on a case-by-case basis.

22. What are the penalties and enforcement mechanisms for non-compliance?
Failure to comply with the CGDP may result in administrative penalties, including fines of up to 2,000 current monthly legal minimum wages (approximately COP 2,847,000,000 / USD 694,390). Additionally, the SIC may order the suspension of operations involving the processing of personal data, or the permanent shutdown of such operations. These penalties may be imposed both on the data controller or processor and on the managers and employees involved in the processing of personal data.

23. What are the ongoing compliance and audit requirements?
Although the CGDP does not contemplate specific compliance and audit requirements, data controllers and processors should note that the SIC has legal power to perform IRLs and administrative visits at any time.

24. Are there any recent developments or expected reforms?
No. The CGDP is not expected to be amended or changed in the near future.