On August 10, 2017, the Superintendence of Industry and Commerce presented a new regulation under the country's recently enacted international data transfer law. Specifically, the new circular explicitly sets forth the standards that must be considered when deciding if a country has an adequate data protection level, as well as a list of countries that have been deemed to meet such criteria. The circular also defines specific parameters for requesting a declaration of conformity from the Superintendence of Industry and Commerce.

In particular, the new regulation contains the following provisions:

 1. Standards for determining if data protection level is adequate:

To determine whether a country's data protection level is adequate, the following standards must be considered:

(i) the existence of binding regulations applicable to the processing of personal data;

(ii) the legal recognition of principles applicable to data processing, the rights of data subjects and the duties of both data controllers and processor;

(iii) the existence of judicial and administrative means and channels to ensure the effective enforcement of the law and the rights of data subjects; and

(iv) the existence of competent authorities in charge of supervising the processing of personal data and enforcing applicable legislation. Lastly, to ensure the legitimacy of the international data transfer, it is the obligation of data controllers to verify that the recipient country complies with the aforementioned standards.

2. Countries offering adequate levels of data protection:

According to the circular, the following countries are regarded as offering an appropriate level of data protection: Austria, Belgium, Bulgaria, Cyprus, Costa Rica, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Iceland, Italy, South Korea, Latvia, Lithuania, Luxembourg, Malta, Mexico, Netherlands, Norway, Peru, Poland, Portugal, Spain, Slovakia, Slovenia, United Kingdom, United States, Romania, Serbia, Sweden, and any countries that the European Commission regards as having an adequate level of data protection.

3. Procedures related to the request of declarations of conformity:

A data controller that is unable to justify an international data transfer through the standards of an adequate level of protection, the listing of countries offering an adequate level of protection, or certain exceptions established in the law, the data controller must request a declaration of conformity from the Superintendence of Industry and Commerce. To do so, the data controller must file a petition addressed to the Document Management and Physical Resources Group or send a request to contactenos@sic.gov.co, providing (in Spanish) the information described in the "Guide to request the declaration of conformity." The procedure for requesting a declaration of conformity is governed by the Contentious Administrative Code, specifically in relation to the general administrative procedure.

4. Tacit declarations of conformity:

Data controllers may execute a data transfer agreement or other legal instrument that guarantees the protection of personal data and establishes each party's obligations for ensuring compliance with the principles governing data processing. If the legal instrument contains the above-mentioned elements and the data controller declares the existence of such document, as well as the conditions of the international data transfer, before the Superintendence of Industry and Commerce, it will be presumed that the operation is viable and that it has a declaration of conformity. Notwithstanding the foregoing, the Superintendence of Industry and Commerce may at any time seek to verify the conditions of the international data transfer and may investigate and sanction non-compliance with Colombian privacy law.

In short, the current available options to legalize an international data transfer are:

  • Execute the data transfer in accordance to one of the exceptions established in Law 1581 of 2012; or
  • Verify that the recipient country is included in the list countries with adequate levels of data protection; or
  • Verify that the recipient country meets the standards of an adequate level of data protection; or
  • Request a declaration of conformity from the Superintendence of Industry and Commerce through a general administrative procedure; or
  • Execute a data transfer contract or other legal instrument according to the requirements established by the circular, and inform the Superintendence of Industry and Commerce about the operation to be made and the existence of the legal document.

According to the circular, data controllers should be able to demonstrate, at any time, that they have implemented adequate and effective measures to ensure the security and proper processing of the personal data that is being transferred abroad, even if such operation is carried out with respect to a country deemed to have an adequate level of data protection. In addition, the new regulation establishes that simple cross-border transits or redirection of data do not constitute international data transfers.

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.